I have a Google Cloud project which has the following resources:
App Engine Standard Environment, which hosts the frontend (basically a React app).
A private Google Cloud Function.
Now, I thought of the following scenarios to call the function from the React app:
Set "Allow only internal traffic" on the Cloud Function: only App Engine flexible environments can call the function, so ruled out.
Authentication using CORS: the clients can still call the function.
Making the Cloud Function public: would let everyone invoke the function, which is not recommended for a private API.
Invoking the function using the Google Cloud API: this would expose my Google Cloud API keys in the frontend.
So is there a workaround to call a Cloud Function from an App Engine Standard environment?
You can't call a Cloud Function (or Cloud Run service) with ingress = internal only from App Engine. See my answer here.
To secure your cloud function, you can rely on the IAM service. If your App Engine service calls your cloud function (I mean you have backend code that runs on App Engine, not a static JS file that runs in the user's browser), you can grant only the App Engine service account (you can now customize the service account your App Engine service runs with) the permission to call your cloud function.
Of course, your cloud function is publicly exposed, but only authenticated and authorised traffic will be routed to it. All the bad traffic (from the internet or from other unauthorised services) will be rejected automatically by the GFE (Google Front End) before your cloud function is invoked. Therefore you pay only for the valid traffic; all the bad traffic is discarded by Google.
If the code runs in the user's browser (because your App Engine serves only static files), you can use a proxy layer to add security filtering, like API Gateway. You can have a look at this answer.
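The IAM-only setup above requires the App Engine backend to present a Google-signed OIDC ID token whose audience is the function URL; without it the GFE returns 401/403. The following is an added example (not code from the answer above, and not the project's own code) of a small client that does this. The function URL, project and region are placeholders, the App Engine service account is assumed to hold roles/cloudfunctions.invoker on the function, and google-auth is imported lazily so the caching logic can be exercised offline with an injected token fetcher.

```python
"""Call an IAM-protected Cloud Function from App Engine backend code.

Added example, not code from the original answer. Assumptions (placeholders):
  - FUNCTION_URL is the HTTPS trigger URL of the private function;
  - the App Engine service account holds roles/cloudfunctions.invoker on it;
  - google-auth is available on the App Engine runtime (imported lazily).
The token fetcher is injectable so the caching logic can run offline.
"""
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, Optional

# Placeholder: region, project and function names are assumptions.
FUNCTION_URL = "https://us-central1-my-project.cloudfunctions.net/my-private-function"


def fetch_google_id_token(audience: str) -> str:
    """Get an OIDC ID token for `audience` from the runtime service account.

    On App Engine this goes to the metadata server. IAM on the callee side
    requires the audience to be the function's own URL.
    """
    from google.auth.transport.requests import Request  # lazy: optional dependency
    from google.oauth2 import id_token
    return id_token.fetch_id_token(Request(), audience)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_exp_claim(token: str) -> int:
    """Read `exp` without verifying the signature.

    Only used to decide when to refresh; the Google Front End, not this code,
    verifies the token before the function is invoked.
    """
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return int(claims["exp"])


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only (never valid on GCP)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


class PrivateFunctionClient:
    """Attaches a cached ID token, refreshed shortly before expiry, to each call."""

    def __init__(self, function_url: str,
                 token_fetcher: Callable[[str], str] = fetch_google_id_token,
                 refresh_margin_s: int = 300) -> None:
        self.function_url = function_url
        self._fetch = token_fetcher
        self._margin = refresh_margin_s
        self._token: Optional[str] = None

    def id_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token is None or jwt_exp_claim(self._token) - now < self._margin:
            self._token = self._fetch(self.function_url)  # audience == function URL
        return self._token

    def headers(self, now: Optional[float] = None) -> Dict[str, str]:
        return {"Authorization": "Bearer " + self.id_token(now),
                "Content-Type": "application/json"}

    def call(self, body: dict, timeout_s: float = 10.0) -> dict:
        """POST JSON to the function; a 401/403 here means the IAM binding is missing."""
        req = urllib.request.Request(self.function_url,
                                     data=json.dumps(body).encode(),
                                     headers=self.headers(), method="POST")
        with urllib.request.urlopen(req, timeout=timeout_s) as resp:
            return json.loads(resp.read())
```

The token is cached per client and re-fetched when fewer than five minutes of validity remain, which is the main thing a naive "fetch a token on every request" version gets wrong under load. Nothing in the browser ever sees the token or the service account, which is the point of the answer: the authorization decision stays between the App Engine service account and IAM.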
Related
I have a standard App Engine service which makes an API call to another App Engine service within the same shared VPC and project, but the response is a 403 Forbidden error. I also updated the standard App Engine service to which I am making the API call with gcloud app services update service-name --ingress=internal-only, but as soon as I updated the configuration of the App Engine service with gcloud app services update service-name --ingress=all, all the API calls are successful.
Note: as required by GCP, a serverless connector has been created and it is being used.
Questions
1. How to communicate between a standard App Engine service and another standard App Engine service within a shared VPC?
2. How can I communicate between App Engine services with the gcloud app services update service-name --ingress=internal-only configuration?
When you set the ingress to internal, you tell App Engine: accept only traffic coming from the VPCs of this project.
Thus, you need to tell your other App Engine services: reach this (App Engine) service only through the VPC, else you will be forbidden.
Firstly, when you deploy on a serverless environment (App Engine, Cloud Run or Cloud Functions), you are on the Google Cloud VPC, not on your project VPC.
Therefore, you have to set the egress of your App Engine service to use the VPC. You need to plug in a VPC connector to make this bridge between the Google serverless VPC world and your VPC.
However, it won't work. Indeed, when you set that on App Engine, only the traffic to private IPs uses the serverless VPC connector, not the traffic to public IPs. You don't have the ability to set the VPC egress to all to route all the traffic, public and private, through the VPC (as you can do with Cloud Functions and Cloud Run).
Thus, App Engine, with a serverless VPC connector or not, will contact the internal App Engine service through the internet and not through the VPC, and you will get a 403 every time.
In conclusion, you can't do that with App Engine; have a look at Cloud Run or Cloud Functions for this type of setup. You can also review your security design and not rely on the origin of the traffic (from the VPC) but on the authentication of the traffic (use identity tokens and the IAM service to ensure the communication security).
It is now possible to reach other App Engine services (configured with internal traffic only) thanks to Serverless VPC.
In app.yaml, add to all the services which need to talk to each other (inbound and/or outbound connection):
vpc_access_connector:
  name: projects/PROJECT_ID/locations/LOCATION/connectors/CONNECTOR
  egress_setting: all-traffic
The doc: https://cloud.google.com/appengine/docs/standard/go/connecting-vpc.
Is it possible to make Google App Engine services only available on a Google Cloud internal network, and if so, how? I have some microservices that shouldn't be publicly available (for use by other services only).
I know you can configure firewalls, however:
The app engine firewalls apply to all services
I have no idea what IP range to allow for app engine services with the VPC, since app engine works with domains only, and doesn't specify what range it uses.
If you're using standard environment services you might be able to use the app ID to validate requests in such services. From Asserting identity to other App Engine apps:
If you want to determine the identity of the App Engine app that is making a request to your App Engine app, you can use the request header X-Appengine-Inbound-Appid. This header is added to the request by the URLFetch service and is not user modifiable, so it safely indicates the requesting application's ID, if present.
In order for this header to be added to the request, the app making the request must tell the URLFetch service to not follow redirects. That is, it must set the fetch follow_redirects parameter to False. App Engine will then automatically add the header to the HTTP response.
In your application handler, you can check the incoming ID by reading the X-Appengine-Inbound-Appid header and comparing it to a list of IDs allowed to make requests.
**Note:** The **X-Appengine-Inbound-Appid** header is only set if the call is made to the **appspot.com** domain. If the app has a custom domain, this header will not be set.
If, however, you're using the flex environment, this approach doesn't work; see App Engine Flexible + App Identity (Python).
Using authentication with the app's own service account could be another thing to look at for the flex environment, but I didn't try it yet. See Service Account for the App Engine Flexible Environment.
Related questions:
How to do authentication check in Python library from Google Cloud Endpoints on GAE standard
How to check service-to-service authentication in Google Cloud Endpoints?
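The handler-side check the quoted documentation describes, as an added example that is not part of the answer above or of any Google sample. It is written as a plain WSGI app rather than webapp2 so it runs under any standard-environment runtime; under WSGI the header arrives in the environ as HTTP_X_APPENGINE_INBOUND_APPID. The allowed app IDs are placeholders.

```python
"""Allowlist callers by X-Appengine-Inbound-Appid (App Engine standard).

Added example, not code from the original answer. App IDs are placeholders.
Plain WSGI so it runs under any standard-environment runtime; in WSGI the
header is exposed as HTTP_X_APPENGINE_INBOUND_APPID.
"""
from typing import Iterable, Mapping, Optional, Tuple

# Placeholder app IDs (assumption): the App Engine apps allowed to call us.
ALLOWED_APP_IDS = frozenset({"my-frontend-app", "my-batch-app"})

WSGI_KEY = "HTTP_X_APPENGINE_INBOUND_APPID"


def inbound_app_id(environ: Mapping[str, str]) -> Optional[str]:
    """Return the caller's app ID, or None if App Engine did not set the header.

    Per the docs quoted above the header is only present when the caller used
    URLFetch with follow_redirects=False against our appspot.com hostname, and
    it is not user modifiable, so a present value identifies the calling app.
    """
    value = environ.get(WSGI_KEY, "").strip()
    return value or None


def is_trusted_caller(environ: Mapping[str, str],
                      allowed: Iterable[str] = ALLOWED_APP_IDS) -> bool:
    app_id = inbound_app_id(environ)
    return app_id is not None and app_id in set(allowed)


def handle(environ: Mapping[str, str]) -> Tuple[str, bytes]:
    """Route only trusted App Engine callers to the private endpoints."""
    if environ.get("PATH_INFO", "/").startswith("/internal/"):
        if not is_trusted_caller(environ):
            # Missing header (browser, curl, custom domain) or unknown app: deny.
            return "403 Forbidden", b"caller is not an allowed App Engine app\n"
        return "200 OK", f"hello {inbound_app_id(environ)}\n".encode()
    return "404 Not Found", b"\n"


def app(environ, start_response):
    """WSGI entry point (point app.yaml's script/entrypoint at `main.app`)."""
    status, body = handle(environ)
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]
```

Two failure modes the note in the docs implies are handled explicitly: a request that arrives without the header (a direct browser or curl call, or a call made to a custom domain) is denied rather than treated as anonymous-but-allowed, and an app ID that App Engine did set but that is not in the allowlist is denied the same way.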
I have an App Engine Standard (Python) environment (using webapp2) that will be making calls to a Cloud Endpoint (no user authentication required, but the calls must be service-to-service secured), and I would like some clarification on how to do this using the Cloud Endpoints Frameworks for App Engine Standard.
If I go about the method described in (2) above, does this mean I would have to manually edit the openapi.json file that is generated from lib/endpoints/endpointscfg.py get_openapi_spec with the security definitions? The documentation seemed geared more towards GCE and App Engine Flex environments that are using Cloud Endpoints for OpenAPI, so it was confusing whether I had to edit my @endpoints.api configurations.
Or, given that I am making a call from the App Engine Standard environment, would I just be able to use urlfetch and AppIdentity: https://cloud.google.com/appengine/docs/standard/python/appidentity/ and assert identity to the endpoint? If so, what would the configurations look like?
In App Engine I'd like to make http fetch calls to a web server running on an Compute Engine instance, created within the same Google cloud project, and I'm wondering if I can make such calls to the instance without enabling an external IP for it? Are App Engine and Compute Engine instances, from the same project, within the same network and can I call a Compute Engine instance by name from App Engine?
The best way to solve that in the short/medium term is to deploy the VM as a VM-based backend (we are accepting TT applications). You can deploy the VM backend as a different App Engine module of the app. Then you can urlfetch "mymodule.myapp.appspot.com" from the frontend and it will hit your VM without going through the public IP.
You can also serve your app straight from the VM backend. There you can load classes that are blocked by the normal App Engine sandbox (as well as have full access to all App Engine APIs!). The downside with VM backends is that we don't have auto-scaling yet.
This is currently unsupported. Communication between App Engine and GCE must go through the URLFetch API and use a public IP.
I am looking to use Google Cloud Storage services outside of launching a google app engine application. My application is designed for running on a hosted server of our own, and I would like to still use the cloud storage service.
I've written a dev app that did this, and ran it with dev_appserver.py in the python GAE framework. It seems the dev_appserver.py is necessary as it fills in how to perform the RPC functions the cloud storage provides.
Is there a way to easily use google cloud storage service without the rest of it?
There is the gsutil command line tool:
https://developers.google.com/storage/docs/gsutil
There is an XML/JSON RESTful service, all at:
https://developers.google.com/storage/index
You'll need to enable Google Cloud Storage in the Google API console at:
https://code.google.com/apis/console/ and get the necessary API keys.
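A worked example of the second option, the REST service used from a server that is not App Engine, added here and not part of the answer above or of any Google sample. It uses only the standard library for the HTTP calls and google-auth (imported lazily) to obtain an OAuth2 bearer token from Application Default Credentials; bucket and object names are placeholders.

```python
"""Use Cloud Storage from a self-hosted server via the JSON REST API.

Added example, not code from the original answer. Bucket/object names are
placeholders. No dev_appserver or App Engine SDK is involved: the only
dependencies are the standard library and, for the access token, google-auth
(imported lazily; run `gcloud auth application-default login` or point
GOOGLE_APPLICATION_CREDENTIALS at a service-account key file first).
"""
import urllib.parse
import urllib.request

JSON_API = "https://storage.googleapis.com/storage/v1"
UPLOAD_API = "https://storage.googleapis.com/upload/storage/v1"
SCOPE = "https://www.googleapis.com/auth/devstorage.read_write"


def _seg(name: str) -> str:
    # One path segment: '/' becomes %2F so "logs/2024/a.txt" stays a single
    # object name instead of being parsed as nested path components.
    return urllib.parse.quote(name, safe="")


def object_url(bucket: str, name: str, media: bool = False) -> str:
    """Metadata URL for an object, or its content URL when media=True."""
    url = f"{JSON_API}/b/{_seg(bucket)}/o/{_seg(name)}"
    return url + "?alt=media" if media else url


def upload_url(bucket: str, name: str) -> str:
    """Simple (single-request) media upload endpoint."""
    return f"{UPLOAD_API}/b/{_seg(bucket)}/o?uploadType=media&name={_seg(name)}"


def access_token() -> str:
    """OAuth2 bearer token from Application Default Credentials (needs google-auth)."""
    import google.auth  # lazy: not needed for URL construction
    from google.auth.transport.requests import Request
    creds, _project = google.auth.default(scopes=[SCOPE])
    creds.refresh(Request())
    return creds.token


def _send(url: str, token: str, data: bytes = None, content_type: str = None,
          method: str = "GET", timeout_s: float = 30.0) -> bytes:
    headers = {"Authorization": "Bearer " + token}
    if content_type:
        headers["Content-Type"] = content_type
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=timeout_s) as resp:
        return resp.read()


def download(bucket: str, name: str, token: str) -> bytes:
    return _send(object_url(bucket, name, media=True), token)


def upload(bucket: str, name: str, data: bytes, content_type: str, token: str) -> bytes:
    """Returns the object's metadata JSON as sent back by the API."""
    return _send(upload_url(bucket, name), token, data, content_type, method="POST")


if __name__ == "__main__":
    tok = access_token()
    print(upload("my-bucket", "hello/world.txt", b"hi\n", "text/plain", tok))
    print(download("my-bucket", "hello/world.txt", tok).decode())
```

The encoding helper is the part worth copying: object names are arbitrary strings that may contain slashes, spaces and other reserved characters, and the JSON API expects the whole name as one percent-encoded path segment.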