Google App Engine firewall and internal access and error 403 - google-app-engine

We have 2 App Engine apps (flex and standard) running on separate projects and we want project A to request project B over https at its xxx.appspot.com URL.
Our firewall on both projects denies all IPs (*) and whitelists the App Engine internal addresses (10.1.0.41, 0.1.0.40, 10.0.0.1 and 0.1.0.30) as explained in the doc.
Yet we receive a "403 error forbidden access" (which disappears when disabling the firewall).
This post is similar to mine but the responses didn't help me.
Is there anything else I can do?
Did anyone get this to work?
Thank you in advance.

As you may already know, GCP Projects represent a trust boundary within an organization. Hence, inter-project communication between App Engine services would require Public IP communication or using Shared VPC, which allows connecting between networks from different projects. There should be no internal communication between App Engine Services over different projects. Hence, whitelisting App Engine internal IP addresses might not be useful in this situation.
About using public App Engine IP addresses, as illustrated in this document: App Engine hosts services on a dynamic public IP address of a Google load balancer. Because of that, the IP address can change at any time and no static IP can be provided. For outbound traffic, a large pool of IP addresses is used, which you can obtain as outlined in this document.

Related

Cloud Run static outbound IP address does not go through Google App Engine firewall

I have a python (flask) application running on Google App Engine (flex); the application is protected by the GAE firewall where:
Default rule is 'Deny' all ingress
There is a whitelist of IP addresses from which traffic is allowed.
I have some microservices deployed on Cloud Run (fully managed) which:
Receive requests from the GAE app (e.g. for heavy duty tasks)
Send the results of whatever they process as http requests back to handlers/endpoints in the GAE app
Thus the GAE app is the main point of interaction with clients and a dispatcher of heavy tasks, while the processing of those tasks is carried out by the microservices. I have set up a static outbound IP address for the Cloud Run hosted service, which verifiably works, and traffic is routed through the NAT gateway as required in the documentation. The respective NAT IP address is on the firewall whitelist.
The problem is that the firewall still does not let in the Cloud Run >>> GAE app requests, which bounce back with 403 statuses (of course, if I change the default firewall rule to 'Allow', traffic goes through). If I host the same microservice in a docker container on a GCE VM with a static IP address like this, everything works flawlessly. This makes me hypothesize that although Cloud Run outbound traffic is indeed routed through the static IP address when traffic is towards addressees outside GCP, when I try to ping an internal (project-wise) asset it still goes through some dynamically selected IP (i.e. the static IP solution simply does not work). Unfortunately the logs don't show the 403-ed attempt, so I can't see from what IP addresses those requests seem to come (from a GAE standpoint).
I would be very grateful for ideas how this can be fixed as it greatly diminishes the value of the otherwise wonderful idea to have static outbound IP addresses for Cloud Run.
First, thank you both for your help and suggestions, they are very helpful. I found the solution with some kind help from Google:
When the Cloud Run microservice and the GAE app are hosted in the same project traffic is still routed through internal channels and appears to come from IP address 0.0.0.0 which can be whitelisted (so it would work) as long as one considers this address encompasses GCP assets which are parts of other projects too (to the best of my understanding)
A more robust solution seems to be setting up an externally facing load balancer as described here and putting it in front of the GAE app; in such a case, Cloud Run will indeed consistently use its static outbound IP address as described in the documentation
You are correct saying that the static IP is not honoured when packets are routed internally to GCP.
I think this is what you want. You have to allow in the firewall one of the IPs mentioned there (not sure which one right now).
Just as you and #Ema mentioned, this is expected behavior, bearing in mind that the traffic from Cloud Run to App Engine is internal.
When you use Cloud NAT to send all traffic there, it does happen. If you create a container and ping, let's say, www.github.com, you will find that the traffic goes through the IP you set. On the other hand, if you ping www.google.com, given that the traffic is internal and the site to reach is in the same infrastructure, the request doesn't even go through the public internet.
Additionally, just to keep in mind Static outbound IP address is still in Beta and it is not recommended to use Beta features/products in production environments.
As you mentioned and as it is stated in Allowing requests from your services:
Creating a rule for IP 0.0.0.0 will apply to all Compute Engine instances with Private Google Access enabled, not only the ones you own. Similarly, allowing requests from 0.1.0.40 or 10.0.0.1 will allow any App Engine app to make URL Fetch requests to your app.
These questions might be of interest to you:
What are the outbound IP ranges for GCP managed Cloud Run?
Possible to get static IP address for Google Cloud Functions?

What is the best approach to set up a custom domain with a static IP for App Engine?

I have done an investigation on the options below:
Adding custom domain through AppEngine settings - Doesn't seem to be static IP, it uses Google NS.
Setting up VM and run as a proxy - Seems to be convoluted method and security/maintenance overhead.
HTTPS load balancer with internet NEG I am still investigating and it said
You should do this when you want to serve content from an origin that is hosted outside of Google Cloud, and you want your external HTTP(S) load balancer to be the frontend.
Any suggestions/thoughts for this will be greatly appreciated in choosing the right solution for this.
A static IP for App Engine/Cloud Functions can be achieved with an HTTPS Load Balancer using a "Serverless Network Endpoint Group" backend.
LB also helps multi-region serving for AppEngine and other serverless components.
This is similar to Internet NEG with HTTPS LB, serverless NEG can be mapped to Google internal services like Cloud run/CF, AppEngine. It was also possible to map multiple AppEngine services from the same GCP project.
I was able to gain early access to serverless NEG on my project and test on my side. I will update this post when Serverless NEG available for public access.
Edit (7/7/2020): Serverless NEG is available in Beta now and is available for everyone to access, See
Serverless network endpoint groups overview
Setting up serverless NEGs
As you can see in this documentation, "App Engine does not currently provide a way to map static IP addresses to an application. In order to optimize the network path between an end user and an App Engine application, end users on different ISPs or geographic locations might use different IP addresses to access the same App Engine application". So there is no way to set a static IP address for App Engine, but you can use a pool of IP addresses. In the shared link, you can find the way to use ranges of IP addresses in App Engine. This other link explains a bit more about how to do it.

How to restrict public access to google app engine flexible environment?

I have many microservices in app engine only for internal use. But, by default, app engine opens service-project.appspot.com domain to public, and anyone can access them via http or https.
Is there a way to restrict access only for certain IP address?
The trivial way I can think of is checking the source IP address in application code.
Or, I can create custom docker image with nginx configuration which checks source ip address. But, these are not quite clean solutions because access control is actually independent from application, and I don't want to hard code static IP address inside the container.
I assumed there is a way to setup firewall rule for app engine, but I could not find it. Identity-Aware Proxy seems like another option, but it is not available for app engine flex.
I know this is cold comfort, but we're working on re-enabling App Engine flex support for IAP. It's going to be more than just a few days, though.
https://cloud.google.com/appengine/docs/flexible/java/migrating#users has some options that might be more palatable than hardcoding IPs. You won't be able to use GCE firewall rules because the appspot.com traffic is coming through Cloud HTTP Load Balancer, so the GCE instance firewall only sees the IP of the load balancer. If you do want to verify IPs within your app, use X-Forwarded-For as described at https://cloud.google.com/compute/docs/load-balancing/http/#components.
Hope this helps! --Matthew, Cloud IAP engineer
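The answer above points at X-Forwarded-For as the only usable client address once requests arrive through the load balancer. The following is an added example (not code from the original answer or from Google) of how to read that header safely in application code. It assumes, as a stated assumption to be checked against the load-balancer documentation for your deployment, that the load balancer appends exactly two entries to the header (the address it accepted the connection from, then its own), so the trusted client address is the second entry from the end; anything earlier in the list was supplied by the client and is ignored. The header values and CIDR ranges are constructed sample data.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Assumption (not from the original answer): the load balancer in front of the
# app appends exactly TRUSTED_TRAILING_HOPS entries to X-Forwarded-For, the
# last being its own address and the one before it the address it actually
# accepted the connection from. Everything earlier in the list is
# client-supplied and must be ignored. Verify this count for your deployment.
TRUSTED_TRAILING_HOPS = 2


def client_ip_from_xff(header: Optional[str],
                       trailing_hops: int = TRUSTED_TRAILING_HOPS) -> Optional[str]:
    """Return the connecting client's IP from X-Forwarded-For, or None.

    Picks the entry `trailing_hops` from the end of the list, so values a
    client prepends to the header cannot shift which entry gets trusted.
    """
    if not header:
        return None
    parts = [p.strip() for p in header.split(",") if p.strip()]
    if len(parts) < trailing_hops:
        # Too few entries: the request did not pass through the expected proxy
        # chain, so treat the source as unidentified rather than trusting it.
        return None
    candidate = parts[-trailing_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def is_allowed(ip: Optional[str], allowlist: Iterable[str]) -> bool:
    """True if ip falls inside any CIDR in allowlist; unknown IPs are denied."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def authorize(headers: Mapping[str, str], allowlist: Iterable[str]) -> bool:
    """Decide whether a request, given its headers, comes from an allowed source.

    A plain dict is used here; a web framework's header object is usually
    case-insensitive, so adapt the lookup when wiring this into a request hook.
    """
    ip = client_ip_from_xff(headers.get("X-Forwarded-For"))
    return is_allowed(ip, allowlist)


if __name__ == "__main__":
    # Constructed sample headers; 35.191.0.1 stands in for the load balancer.
    allow = ["203.0.113.0/24"]
    samples = {
        "honest client":  {"X-Forwarded-For": "203.0.113.7, 35.191.0.1"},
        "spoof attempt":  {"X-Forwarded-For": "203.0.113.7, 198.51.100.9, 35.191.0.1"},
        "no proxy chain": {"X-Forwarded-For": "203.0.113.7"},
    }
    for name, hdrs in samples.items():
        print(f"{name}: {'allow' if authorize(hdrs, allow) else 'deny'}")
```

The important design choice is counting from the end of the header rather than taking the first entry: the first entry is whatever the client chose to send, while the trailing entries are the ones the load balancer itself appended.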

IP pool in google app engine

Our applications very often have IP addresses which are banned in our country. Some site in our IP pool in GAE has broken a law, and so we are banned along with that site.
How can I select another pool of IPs for our application? Is there another solution?
Unfortunately one of the biggest strengths in GAE is that it scales without you having to get involved, so basic GAE apps have a completely transparent IP assignment.
Your only chance of getting a fixed IP is to host your app in a compute engine instance which gets a fixed IP you can validate with your ISP or whoever is banning the IPs.
As #Dmitry Sadonvchyi states if you already have a GAE app you can move that to a Managed VM which basically allows you to run GAE applications outside the standard "sandbox" and into a VM you control.

Static IP / IP Range for Site hosted on Google App Engine

Our site is hosted on Google App Engine which means we do not have a server farm with dedicated IP addresses that can be contacted “directly”. It is an elastic farm that spins up with load.
But our client is looking for static IPs to route it through their firewall and provide suitable access for this site:
"Proxy does not support any voice and video, hence I have to know all the Ip used for this portals so that I can route this via Firewall."
Is there any way to list all the IPs used for a site hosted on Google App Engine?
regards,
Kanchan
The best you can achieve is this:
App Engine's current range of outgoing IP addresses are encoded in the sender policy framework (SPF) record of _cloud-netblocks.googleusercontent.com. You may need to recursively perform DNS SPF lookups to resolve the entire list of IP ranges. Start by resolving _cloud-netblocks.googleusercontent.com
https://cloud.google.com/appengine/kb/general#static-ip
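The answer above says the outgoing ranges have to be gathered by recursively following SPF lookups. As an added example (not code from the original answer or from Google), here is the recursive walk over include: mechanisms, with the two guards a practitioner wants: each record name is visited once, so a cycle between records cannot loop, and the walk stops after a fixed number of lookups, the same limit SPF evaluation itself imposes. The TXT record contents below are constructed sample data standing in for real DNS answers; the names follow the pattern the answer mentions but the values are made up, so a real run must plug in a DNS resolver.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Set

# Constructed sample TXT records standing in for real DNS answers. The record
# names follow the pattern the answer refers to, but the contents are made up
# for this example; a real run must query DNS instead.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_cloud-netblocks.googleusercontent.com": [
        "v=spf1 include:_cloud-netblocks1.googleusercontent.com "
        "include:_cloud-netblocks2.googleusercontent.com ?all",
    ],
    "_cloud-netblocks1.googleusercontent.com": [
        "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/25 ?all",
    ],
    "_cloud-netblocks2.googleusercontent.com": [
        "v=spf1 ip6:2001:db8::/32 include:_cloud-netblocks1.googleusercontent.com ?all",
        "unrelated text record that is not SPF",
    ],
}

# A resolver is any callable mapping a DNS name to its list of TXT strings.
TxtResolver = Callable[[str], List[str]]


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for a DNS TXT lookup, backed by SAMPLE_TXT."""
    return SAMPLE_TXT.get(name, [])


_MECHANISM = re.compile(r"^(ip4|ip6|include):(.+)$")


def resolve_spf_ranges(name: str, lookup_txt: TxtResolver,
                       max_lookups: int = 10) -> Set[str]:
    """Recursively collect ip4/ip6 ranges from an SPF record and its includes.

    Follows include: mechanisms, visits each name at most once (so a cycle
    between records cannot loop), raises once max_lookups names have been
    queried, and drops any range that does not parse as a network.
    """
    ranges: Set[str] = set()
    visited: Set[str] = set()
    pending = [name]
    lookups = 0
    while pending:
        current = pending.pop()
        if current in visited:
            continue
        if lookups >= max_lookups:
            raise RuntimeError(f"exceeded {max_lookups} SPF lookups at {current}")
        visited.add(current)
        lookups += 1
        for record in lookup_txt(current):
            if not record.startswith("v=spf1"):
                continue  # a name may carry non-SPF TXT records too
            for term in record.split()[1:]:
                match = _MECHANISM.match(term)
                if not match:
                    continue  # qualifiers such as ?all carry no ranges
                kind, value = match.groups()
                if kind == "include":
                    pending.append(value)
                    continue
                try:
                    ranges.add(str(ipaddress.ip_network(value, strict=False)))
                except ValueError:
                    continue  # malformed range in the record; skip it
    return ranges


if __name__ == "__main__":
    for cidr in sorted(resolve_spf_ranges("_cloud-netblocks.googleusercontent.com",
                                          sample_resolver)):
        print(cidr)
```

To run this against live DNS, replace sample_resolver with a function that queries TXT records (for instance one built on dnspython's dns.resolver.resolve(name, "TXT")) and returns the decoded strings; the walk itself does not change. Keep the next answer's caveat in mind: the list this produces is a snapshot, and the ranges can change without notice.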
You could of course do it the other way round and only allow access to your application from a specific IP range.
Trying to keep track of GAE ip addresses is not a very good idea. They will most likely change over time without any announcements or heads ups.
You will be better off with a proxy. This project https://github.com/TellusTalk/Node_Proxy is one way to accomplish this.