I have CouchDB server on a Google Compute Engine via Bitnami.
I want my API (Google App Engine) to be able to talk to Compute Engine but I really don't want anyone else to be able to for security purposes.
I'm open to using App Engine Flexible if that's what needs to happen.
It says here that google app engine can't be assigned a static IP but I was wondering if anyone had any other suggestions of restricting outside access to the static ip I've assigned my compute engine to only allow incoming connections made to my Projects/My app engine, etc.
You are requiring to use Virtual Private Cloud (VPC), since this option allows you to configure firewall rules in order to provide a controlled access to your Cloud resources and allow then to interact in a safe environment.
You can give a look to the VPC overview to have a better understanding of the capabilities and options offered by Google Cloud (https://cloud.google.com/vpc/docs/vpc) and also you will find useful information on how to use the VPC over the different services in the docs (https://cloud.google.com/vpc/docs/private-access-options). By the way, you would need to move your API to App Engine Flex.
Related
I have a web app/Api which is currently running on a google app engine resource. As the calculations of the API are very computing intensive, i have outsourced the computational part to a managed auto-scaling google compute engine group, with a HTTP load balancer in the front end (to maintain a single IP address and balance load accross the several engines that are dynamically spawning).
Currently, i just make an HTTP call to the load balancer IP address from the app engine. As the GAE and GCE are in the same region, this however feels highly innefficient (i am aware that the app engine and compute engines are still in two physically seperated data centers). This also poses a security threat as I am constently receiving calls from random IP bots trying to exploit potential security loopholes. Additionally, i am only verfying API token validity at the app engine level, as i do not want to give user database access to the compute engine (security reasons), so this means that there is no verification beeing done between app engine and compute engine, so that the latter answers all calls that it gets.
Is there a way to establish a private connection between the app engine and cloud engine?
My goal would be to not have to open the GCE to the whole internet, bearing in mind that it is only receiving calls from one IP adress/resource
I have tried whitelisting only the app engines IP addresses, but this unforthunately is a large block of adresses, is very cumbersome to retrieve and changes dynamically. The app engine also cannot use the private IP of the compute engine/ google SQL servers.
Other creative ideas are highly welcome!
It appears that Serverless VPC Access may be a potential solution. The following is taken from the overview:
Serverless VPC Access enables you to connect from the App Engine
standard environment and Cloud Functions directly to your VPC network.
This connection makes it possible for your App Engine standard
environment apps and Cloud Functions to access resources in your VPC
network via internal (private) IP addresses. Using internal IP
addresses improves the latency of communication between your Google
Cloud Platform services and avoids exposing internal resources to the
public internet.
Serverless VPC Access only allows your app or function to send
requests to resources in your VPC network and receive responses to
those requests. Communication in the opposite direction, where a VM
initiates a request to an app or function, requires you to use the
public address of the app or function.
We want to use an app engine flexible process to update our ElasticSearch index, which is on Google Kubernetes Engine. We need to connect to ElasticSearch via a http(s) address. What's the recommended way to do this? We don't want to expose the cluster to the external networks since we don't have authentication in front of it.
I've seen this SO post but both k8s and AE have changed a lot in the 2 years since the question/answer.
Thanks for your help!
The post you linked to was about App Engine Standard. App Engine Flex is built on top of the same Google Cloud networking that is used by Google Compute Engine virtual machines and Google Kubernetes Engine clusters. As long as you put the App Engine flex application into the same VPC as the Google Kubernetes Engine cluster you should be able to communicate between them using internal networking.
On the other hand, to expose a Kubernetes service to anything running outside of the cluster will require you to modify the service for Elastic search because by default Kubernetes services are only reachable from inside of the cluster (due to the way that the service IPs are allocated and reached via IPTables magic). You need to "expose" the service, but rather than exposing it to the internet via an external load balancer, you expose it to the VPC using an internal load balancer. See https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing.
in addition to Robert's answer, make sure that app engine and GKE are in the same region,
because Internal load balancers are not usable from other region.
check this https://issuetracker.google.com/issues/111021512
Is there a way to deploy "internal facing" applications in Google App Engine. AWS offers this capability as explained here and so does Azure as explained here.
What is the GCP equivalent for this? It appears App Engine Flexible Environment could be the answer but I could not find a clear documentation on whether Flexible Environment is indeed the way to host intranet facing applications. Is there someone from GCP who can advise?
Update
I tested the solution recommended by Dan recently. Listed below are my observations:
App Engine Flex allows deploying to a VPC and this allows VPN scenarios. The VPN scenarios however is for connections (originating) from App Engine to GCP VPCs or to other networks outside GCP which can be on-prem or in another cloud.
Access (destined) to the app itself from a GCP or another network is always routed via the internet facing Public IPs. There is no option to access the app at a private IP at the moment.
If there's another update, I will update it here.
Update 28Oct2021
Google has now launched Serverless Network Endpoint Group(NEG)s. With this users can connect AppEngine, Cloud Run & Cloud Function endpoints to a LoadBalancer. However at the moment, you can only use Serverless NEGs with an external HTTP(S) load balancer. You cannot use serverless NEGs with regional external HTTP(S) load balancers or with any other load balancer types. Google documentation for Serverless NEGs is available here.
I'm not sure this meets your requirements, but it's possible to set up an App Engine Standard application (not certain about Flexible) such that it is only accessible to users logged into your G-Suite domain. This is the approach I've used for internal-facing applications in the past, but it only applies if your case involves an entity using G-Suite.
You can set this up under the App Engine application Settings, under Identity Aware Proxy.
In this scenario the application is still operating at a publicly accessible location, but only users logged into your G-Suite domain can access it.
It should be possible with the GAE flexible environment. From Advanced network configuration:
You can segment your Compute Engine network into subnetworks. This
allows you to enable VPN scenarios, such as accessing databases within
your corporate network.
To enable subnetworks for your App Engine application:
Create a custom subnet network.
Add the network name and subnetwork name to your app.yaml file, as specified above.
To establish a VPN, create a gateway and a tunnel for a custom subnet network.
The standard env GAE doesn't offer access to the networking layer to achieve such goal.
The documentation from Google is not really clear about it.
Here ( https://cloud.google.com/compute/docs/vpn/overview ) it says
Google Cloud VPN securely connects your existing network to your Google Cloud Platform (GCP) network through an IPsec VPN connection
Considering that Both Google App Engine (GAE) and Google Compute Engine (GCE) are part of Google Cloud Platform (GCP), it would mean that Google Cloud VPN works for both GAE and GCE.
Also, the section for Cloud VNP is at the same level than GAE and GCE in the project console :
But the documentation is located in /compute/docs which should not obviously be compatible with /appengine/docs
And here is a graph describing the tunnel, which talks only about GCE, which could exclude GAE :
So, is GAE compatible with Cloud VPN or is it restricted to GCE only ?
Google Cloud VPN securely connects your existing network to your Google Cloud Platform (GCP) network through an IPsec VPN connection. Therefore, only resources that are connected to GCP networks can communicate through Cloud VPN tunnels.
App Engine Flexible Environment is based on Google Compute Engine and consequently can connect to your remote network via Cloud VPNs. As described in this article, you can specify network settings in your app.yaml configuration file of your GAE Flexible application.
EDIT Rodrigo Torres has pointed out that this is NOW possible.
(Leaving up the old post below. It is now WRONG!!!)
OLD POST:
Google App Engine standard CAN'T use VPN directly, however the new Flexible Google App Engine (now officially released, no longer in beta) CAN use it directly. Just set up google cloud VPN and your network from the console and make sure to include the network in your app.yaml file.
Flexible App Engine is be the easiest way for new applications to utilize VPN connections since there won't be any migration headaches.
For a standard app engine application that can't be ported over to flexible for whatever reason, you CAN still use a VPN connection - however, it requires a service to be running on flexible app engine (or compute engine), and your app will need to interface with it somehow. This may be the simplest method, as migrating from standard to flexible is not the simplest of tasks. I know - I've done it.
TLDR;
Are there any updates about this question?
Google App Engine communicate with Compute Engine over internal network
--
It is possibile to enable HTTP traffic between App Engine and Compute Engine instances that are in the same Cloud Project?
Obviously denying all HTTP traffic from other sources.
Between AWS EC2/RDS/Beanstalk this is possibile with "security groups".
I think the best you can currently do is managed VMs (https://developers.google.com/cloud/managed-vms, early access right now). It's essentially managed VMs running custom code in the app engine project. I did not check if the managed VMs will be able to run together with other gce VMs in the same network - if they did one could just connect to the internal addresses of the other instances. There does not appear to be a configuration option to define a network so I'm leaning to guess that they won't be able to see each other on the network like that.
But as an answer to the general question, I don't think there is any way of referencing app engine runtimes as sources in gce network ACLs currently.
As of now In 2016 as google cloud has launched google cloud flexible environment appengine/docs/flexible/. So yes it is possible now because now both app engine and compute engine are present in same network and therefore using app engine you can access compute engine by using their internal Ip, also remember to delete all external firewall rules for your compute engines if you only want to allow access from app engine.
there isn't way to reference App Engine resource within GCE. If you are trying to access GCE only from App Engine app, then you could define ACL in GCE to let traffic only from your AppEngine external IP.