I have an application running on Google Cloud's App Engine(flexible environment).
An external API that deals with finances requires us to have a static external IP address so that we may interact. I know App Engine doesn't have an external IP address feature.
I'm also aware that using Google Cloud's Compute Engine, a VM instance with a static IP can be set up.
Is there anyone that has run into this situation and figured out an efficient solution?
As the FAQ for Google App Engine says, App engine does not support static IP.
The only workaround is to use a VM with an static ip to be as a proxy. There is a discussion here.
Related
I want to set a static outbound IP address for my App Engine instance, hence I went through this documentation. I followed all the steps but I am not able to see any traffic logged in the Cloud NAT for the IP address I specified in step 5 (Reserve a static IP address). I realized that this documentation is applicable for App Engine Standard environment and I deploy the instances of my application in App Engine Flex Environment. Does this documentation apply to App Engine Flex Environment as well? If not, how should I setup outbound static IP address for my App Engine flex instances?
Google has documentation for setting up an external IP for App Engine Standard. However, I have a requirement to set up an external IP for App Engine Flex.
I have followed the tutorial and successfully created a subnetwork with a Cloud Router and Cloud NAT that is connected to an external static IP. I tested that the setup works by creating a VM instance in it, and seeing that all egress traffic does indeed originate from the reserved external static IP.
However, when I deploy the App Engine Flex app to this subnetwork, its requests are not routed through the reserved static IP, but appear to be using the shared IP address pool provided by Google. Everything works normally, and there are no deploy errors, just the reserved external IP is not used. The app is assigned to the subnetwork in app.yaml:
network:
name: default
subnetwork_name: app-engine-subnet
Any hints on getting this Flex instance to route its egress traffic through the reserved external IP? I am aware that this can be done using a VM instance as a proxy, but I'd prefer using Cloud NAT instead.
Per the Google Cloud NAT documentation, Cloud NAT cannot be used with VMs that have an external IP address. App Engine Flex does not support VMs with internal IPs only (Google App Engine documentation), so NAT will not work.
For anyone seeing this in 2023, there is a way to use a Static IP using Cloud NAT. In OP's case (subnetwork, Cloud Route, Cloud NAT and reserved external IP in place), the instance_ip_mode setting would have been added to the network: block with internal as its value, like so:
network:
name: default
subnetwork_name: app-engine-subnet
instance_ip_mode: internal
(https://cloud.google.com/appengine/docs/flexible/reference/app-yaml?tab=node.js#network_settings)
Also note that "Private Google Access" has to be enabled on the subnetwork, even though it's technically not a requirement since a Cloud NAT is configured, App Engine will not deploy if it is disabled.
Egress traffic for the service will now route through Cloud NAT, using the reserved static IP.
I have CouchDB server on a Google Compute Engine via Bitnami.
I want my API (Google App Engine) to be able to talk to Compute Engine but I really don't want anyone else to be able to for security purposes.
I'm open to using App Engine Flexible if that's what needs to happen.
It says here that google app engine can't be assigned a static IP but I was wondering if anyone had any other suggestions of restricting outside access to the static ip I've assigned my compute engine to only allow incoming connections made to my Projects/My app engine, etc.
You are requiring to use Virtual Private Cloud (VPC), since this option allows you to configure firewall rules in order to provide a controlled access to your Cloud resources and allow then to interact in a safe environment.
You can give a look to the VPC overview to have a better understanding of the capabilities and options offered by Google Cloud (https://cloud.google.com/vpc/docs/vpc) and also you will find useful information on how to use the VPC over the different services in the docs (https://cloud.google.com/vpc/docs/private-access-options). By the way, you would need to move your API to App Engine Flex.
We want to access some services on Google Kubernetes Engine from a Google App Engine standard via http(s). We don't want to expose the services to external networks because of security.
app engine flexible can use private network with an internal loadbalancer or vpc(post). How about app engine standard?
2 years ago, we could not do it. (post)
We can set rules about IP addresses, but an IP address for an app engine standard is not static.
What is the best solution?
Thanks for your help.
app engine flexible can use private network with an internal loadbalancer or vpc(post). How about app engine standard?
Not really as per this:
"A VPC network, sometimes just called a “network,” is a virtual version of a physical network, like a data center network. It provides connectivity for your Compute Engine virtual machine (VM) instances, Kubernetes Engine clusters, App Engine Flex instances, and other resources in your project."
We can set rules about IP addresses, but an IP address for an app engine standard is not static.
Yes. They are always changing. The recommendation here is to their Static IP range combined with:
Instead, we suggest that you take a defense in depth approach using OAuth and Certs.
You could also look at things like Cloud Armor (in alpha as of this writing), or a Virtual WAF. Longer term it would make more sense to move your workloads from Google App engine into GKE.
The documentation from Google is not really clear about it.
Here ( https://cloud.google.com/compute/docs/vpn/overview ) it says
Google Cloud VPN securely connects your existing network to your Google Cloud Platform (GCP) network through an IPsec VPN connection
Considering that Both Google App Engine (GAE) and Google Compute Engine (GCE) are part of Google Cloud Platform (GCP), it would mean that Google Cloud VPN works for both GAE and GCE.
Also, the section for Cloud VNP is at the same level than GAE and GCE in the project console :
But the documentation is located in /compute/docs which should not obviously be compatible with /appengine/docs
And here is a graph describing the tunnel, which talks only about GCE, which could exclude GAE :
So, is GAE compatible with Cloud VPN or is it restricted to GCE only ?
Google Cloud VPN securely connects your existing network to your Google Cloud Platform (GCP) network through an IPsec VPN connection. Therefore, only resources that are connected to GCP networks can communicate through Cloud VPN tunnels.
App Engine Flexible Environment is based on Google Compute Engine and consequently can connect to your remote network via Cloud VPNs. As described in this article, you can specify network settings in your app.yaml configuration file of your GAE Flexible application.
EDIT Rodrigo Torres has pointed out that this is NOW possible.
(Leaving up the old post below. It is now WRONG!!!)
OLD POST:
Google App Engine standard CAN'T use VPN directly, however the new Flexible Google App Engine (now officially released, no longer in beta) CAN use it directly. Just set up google cloud VPN and your network from the console and make sure to include the network in your app.yaml file.
Flexible App Engine is be the easiest way for new applications to utilize VPN connections since there won't be any migration headaches.
For a standard app engine application that can't be ported over to flexible for whatever reason, you CAN still use a VPN connection - however, it requires a service to be running on flexible app engine (or compute engine), and your app will need to interface with it somehow. This may be the simplest method, as migrating from standard to flexible is not the simplest of tasks. I know - I've done it.