Is there a way to only allow incoming requests from other App Engine services? - google-app-engine

I have four services running within the same app on App Engine. I have a frontend SvelteKit application, and three backend services. If possible, I'd like to set up security in such a way that the backend services will only accept HTTP requests from the frontend application (which sends all API requests via its Node server).
Is there a way of doing this without spending a load of money on a Serverless VPC Access connector?
Ideally I want to keep these all within the same GCP project as well. So far the only solution I can come up with is to ship the services with a secret that they check against when receiving a request, but there must be a better way to do it.

Take a look at Identity Aware Proxy
Pay attention to the part of the above documentation that says
In order to make a resource publicly-accessible (while sibling resources are restricted), grant the IAP-secured Web App User role to allUsers or allAuthenticatedUsers.
Per your use case, your front-end application will be available to the public while your 3 backend services will only be available to the front-end application.
Since your backend services are now secured (via IAP), you have to programmatically invoke them in your front end. See documentation on how to do that.
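One way the front-end's Node server (or any service-account-backed caller) can "programmatically invoke" an IAP-protected sibling service is to mint an OIDC ID token from the metadata server with the backend's IAP OAuth client ID as audience and send it as a bearer token. The block below is an added example, not code from the answer or from Google's libraries; it assumes the caller runs on App Engine standard (where `metadata.google.internal` is reachable), that `BACKEND_IAP_CLIENT_ID` and the backend URL are placeholders, and that the caller's service account holds the IAP-secured Web App User role on the backend. The transport is injectable so the request-building logic can be exercised off-platform.

```python
"""Calling an IAP-protected App Engine service from a sibling service.

Added example (not from the original answer). Assumes App Engine standard,
where the metadata server mints ID tokens for the default service account.
BACKEND_IAP_CLIENT_ID and BACKEND_URL are placeholders.
"""
import json
import urllib.parse
import urllib.request

# Real metadata-server endpoint; the `audience` query parameter becomes the
# token's `aud` claim, which IAP compares against its OAuth client ID.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)
BACKEND_IAP_CLIENT_ID = "PLACEHOLDER-OAUTH-CLIENT-ID.apps.googleusercontent.com"
BACKEND_URL = "https://backend-dot-PLACEHOLDER-PROJECT.appspot.com/api/items"


def identity_token_request(audience):
    """Build the metadata-server request for an ID token bound to `audience`."""
    url = METADATA_IDENTITY_URL + "?" + urllib.parse.urlencode({"audience": audience})
    # The metadata server refuses requests lacking this header (SSRF guard).
    return urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})


def _http_get_body(request, timeout=5):
    """Default transport: perform the request and return the response body."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.read()


def fetch_identity_token(audience, transport=_http_get_body):
    """Return the ID token as a string; `transport` is injectable for tests."""
    token = transport(identity_token_request(audience)).decode("utf-8").strip()
    if token.count(".") != 2:  # a JWT has header.payload.signature
        raise RuntimeError("metadata server did not return a JWT")
    return token


def backend_request(url, audience, body, transport=_http_get_body):
    """Build the POST to the IAP-protected backend.

    IAP validates the bearer token's signature, expiry and audience and only
    then forwards the request, so the backend never sees unauthenticated calls.
    """
    token = fetch_identity_token(audience, transport)
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


if __name__ == "__main__":
    # On App Engine the default transport talks to the real metadata server.
    req = backend_request(BACKEND_URL, BACKEND_IAP_CLIENT_ID, {"query": "demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status, resp.read()[:200])
```

The audience must be the backend's own IAP OAuth client ID, not the frontend's; a token minted for the wrong audience is rejected by IAP, which is the property that stops one service's credential from being replayed against another.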

Related

Microservices with App Engine and API Gateway

I have several microservices hosted using GAE Standard. Currently the UI communicates directly with each service. I'd like to set up an API gateway so the traffic will be routed to the correct service based on path. E.g. any request that starts with /products will go to service A, while /orders will go to service B.
Is it something can be done using Google Cloud, without having to develop a new routing service?
Thanks in advance
There is a new feature in Beta for App Engine that allows you to set up and deploy an API gateway for your services, which is exactly what you want to do.
You can check details and a tasklist of how to set it up in this Documentation.

How to make an application deployed to google cloud app engine available to certain white-listed IPs

I have an application deployed to an app engine service. I have many services under the same app engine. How can I make the application available to certain white-listed IPs? In other words, I want this application to accept requests from certain IPs and deny all other requests.
Can we do this by writing some configurations in app.yaml file?
Note: I just want to apply the rule to one service only so that other services will not be affected.
Applying this kind of restriction at a service level is, at the moment, not possible.
The best option would be to deploy the services you want to protect on a different project, and use the App Engine firewall there.

Google App Engine services communicating and available on internal network only

Is it possible to make Google App Engine services only available on a Google Cloud internal network, and if so, how? I have some microservices that shouldn't be publicly available (for use by other services only).
I know you can configure firewalls, however:
- The app engine firewalls apply to all services
- I have no idea what IP range to allow for app engine services with the VPC, since app engine works with domains only, and doesn't specify what range it uses.
If you're using standard environment services you might be able to use the app ID to validate requests in such services. From Asserting identity to other App Engine apps:
> If you want to determine the identity of the App Engine app that is making a request to your App Engine app, you can use the request header X-Appengine-Inbound-Appid. This header is added to the request by the URLFetch service and is not user modifiable, so it safely indicates the requesting application's ID, if present.
>
> In order for this header to be added to the request, the app making the request must tell the URLFetch service to not follow redirects. That is, it must set the fetch follow_redirects parameter to False. App Engine will then automatically add the header to the HTTP response.
>
> In your application handler, you can check the incoming ID by reading the X-Appengine-Inbound-Appid header and comparing it to a list of IDs allowed to make requests.
>
> **Note:** The **X-Appengine-Inbound-Appid** header is only set if the call is made to the **appspot.com** domain. If the app has a custom domain, this header will not be set.
If, however, you're using the flex environment this approach doesn't work; see App Engine Flexible + App Identity (Python).
Using authentication with the app's own service account could be another thing to look at for the flex environment - but I didn't try it yet. See Service Account for the App Engine Flexible Environment.
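The handler-side check the quoted documentation describes, written as WSGI middleware so it can sit in front of any standard-environment service. This is an added example, not code from the answer or from Google; `ALLOWED_CALLER_IDS` and the sample environments are constructed placeholders. It assumes App Engine standard, where the platform sets `X-Appengine-Inbound-Appid` on app-to-app URLFetch calls to the appspot.com domain and strips it from external traffic. The check fails closed: a missing header (external caller, custom-domain host, or the flex environment where the header is never set) is treated as not allowed rather than silently letting the request through.

```python
"""Allowlisting callers by X-Appengine-Inbound-Appid (App Engine standard).

Added example, not from the original answer. ALLOWED_CALLER_IDS is a
placeholder; replace it with the app IDs that may call this service.
"""

ALLOWED_CALLER_IDS = frozenset({"frontend-project-id"})  # placeholder app IDs


def caller_app_id(environ):
    """WSGI exposes the header as HTTP_X_APPENGINE_INBOUND_APPID."""
    return environ.get("HTTP_X_APPENGINE_INBOUND_APPID", "").strip()


def is_allowed_caller(environ, allowed=ALLOWED_CALLER_IDS):
    """True only when the platform-injected header names an allowed app.

    No header means an external client, a custom-domain host, or the flex
    environment; all of those must be rejected, so absence fails closed.
    """
    app_id = caller_app_id(environ)
    return bool(app_id) and app_id in allowed


def require_app_engine_caller(app, allowed=ALLOWED_CALLER_IDS):
    """WSGI middleware that answers 403 unless the caller is an allowed app."""
    def middleware(environ, start_response):
        if not is_allowed_caller(environ, allowed):
            body = b"Forbidden: caller is not an allowed App Engine app\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return middleware


def internal_app(environ, start_response):
    """Stand-in for the real backend handler."""
    body = b"internal service OK\n"
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def status_for(environ, allowed=ALLOWED_CALLER_IDS):
    """Run one request through the guarded app and return its status line."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    guarded = require_app_engine_caller(internal_app, allowed)
    list(guarded(environ, start_response))  # drain the body iterable
    return captured["status"]


# Constructed sample environments (not real requests).
SAMPLE_FROM_FRONTEND = {
    "HTTP_HOST": "backend-dot-my-project.appspot.com",
    "HTTP_X_APPENGINE_INBOUND_APPID": "frontend-project-id",
}
SAMPLE_EXTERNAL = {"HTTP_HOST": "backend-dot-my-project.appspot.com"}
SAMPLE_CUSTOM_DOMAIN = {"HTTP_HOST": "api.example.com"}  # header never set here

if __name__ == "__main__":
    for name, env in [("frontend", SAMPLE_FROM_FRONTEND),
                      ("external", SAMPLE_EXTERNAL),
                      ("custom domain", SAMPLE_CUSTOM_DOMAIN)]:
        print(f"{name:14s} -> {status_for(env)}")
```

On the calling side the same documentation requires the URLFetch call to be made with `follow_redirects=False`, otherwise the header is not attached and the callee's check (correctly) rejects the request; that is worth remembering when a previously working service starts returning 403 after a redirect is introduced.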

Proxy Google Cloud Endpoints

We need to migrate from one app engine project to another (due to the constraints put in place for changing region).
The ideal solution would just be to proxy all requests through to the new server however we are using Google Cloud Endpoints which are intercepted by the server and delivered as POST requests.
We can't redirect as we have mobile apps relying on the API.
Does anyone have a solution (rather than proxying every API method we have) to proxy to a new server?
I would write a ServletFilter on the old app that intercepts /_ah/spi/* and forwards it to the new app, also on /_ah/spi/*. Keep in mind that you'll have to keep the existing Endpoints code in place, or the proxy will delete your configuration and not forward anything.

Google App Engine - custom URL for web clients, endpoints for mobile clients?

I'm developing an Android app and am using Google App Engine as the back-end. I want to use Endpoints since it seems easy to set up and appears to make authentication easy, but I've seen that it doesn't support custom domains. I'd like to use a custom domain to allow users to log in and make changes with a web client, though not through Endpoints.
What I want to know is what they mean when they say that custom domains aren't supported. Does that mean you can't use Endpoints at all in your project if you've set up a custom domain for it, or that you just can't make Endpoints API calls to a custom domain?
If it's the latter, I've written a utility class that both my Endpoints API class and servlets could call, so my web client doesn't need to interact with Endpoints at all, only the mobile clients do. I'd like Endpoints and the servlets to be part of the same project so they can both access the same data in the Datastore.
If anyone knows whether this is possible or if there's a better way of going about this, I'd appreciate it. Thanks.
I tried it out and found that it is possible to use Endpoints in a GAE project that uses a custom domain, so long as the custom domain is not used to call the Endpoints API. So when it says in the Endpoints documentation that custom domains are not supported, it simply means you can't make API calls to a custom domain, as I suspected.
