Google App Engine Firewall: Restrict access to all

2019-02-17 04:30发布

问题:

I have a GAE project (flexible) consisting of 1 default and 2 subservices:

  • foo.appspot.com
  • service1.foo.appspot.com
  • service2.foo.appspot.com

Now I want to use foo.appspot.com as API proxy & auth gateway to the internal services service1 and service2. The proxy itself I wrote and it is working fine.

I am struggling with adjusting the GAE Firewall to forbid incoming world traffic to service1 and service2 because I would like force an API user to send requests to foo.appspot.com. Traffic to the default service foo should be allowed.

It seems I can just enter IPs in the Firewall settings but not service names. The docs says that it should work but does not show how.

Thanks for the help!

回答1:

App engine Flex environment is built on the Google Compute Engine and consequently, it supports the Virtual Private Cloud networking system. With the VPC networks, you can configure firewall rules that would use Instance Tags to determine the target or source component in a firewall rule. Hence, you simply have to configure the app.yaml files of the target service/version to use the appropriate instance tags.