Google Appengine OutBound traffic not going from Custom domain - google-app-engine

I am setting up a server in Google App Engine and I have linked a custom domain to it; I can also access it from the correct URL. I use this server to issue requests to a third-party payment gateway, where they whitelist the domain of requests. I can't access it because my requests are not coming from the custom domain I linked to the server.
I followed this documentation to map the custom domain
https://cloud.google.com/appengine/docs/flexible/nodejs/mapping-custom-domains
Is there an additional step to setup outgoing traffic's domain?

You cannot set the outgoing networking parameters in Google App Engine.
For something like that you probably need an IaaS product.
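To make the answer above concrete, here is an added example (not code from the question or the answer, and not Google's) of what the receiving gateway can actually observe. A gateway that "whitelists by domain" can only act on the TCP peer address; headers such as Origin or Referer are set by the client and prove nothing, and Host names the gateway itself. The CIDRs, IPs and headers below are constructed placeholders (RFC 5737 documentation ranges), not real App Engine egress addresses.

```python
"""Added example: the gateway-side view of an allowlist.

Assumptions (not in the original post): the gateway allowlists by source IP
range; every address and header value here is constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, Mapping, Optional


def source_allowed(peer_ip: str, allowlist: Iterable[str]) -> bool:
    """True if the TCP peer address falls inside any allowlisted CIDR.

    The peer address is the only caller attribute the gateway can trust at
    the network layer; it is whatever IP the platform egresses from, which on
    App Engine is not the custom domain's address.
    """
    addr = ipaddress.ip_address(peer_ip)
    for cidr in allowlist:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def claimed_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Return whatever origin the client *claims* via Origin/Referer.

    These headers are attacker-controlled; a gateway must never treat them
    as proof of where a request came from.
    """
    for name in ("origin", "referer"):
        for key, value in headers.items():
            if key.lower() == name:
                return value
    return None


def gateway_decision(peer_ip: str, headers: Mapping[str, str],
                     allowlist: Iterable[str]) -> Dict[str, object]:
    """Decide the way a gateway should: by source IP, ignoring the claimed origin."""
    return {
        "claimed_origin": claimed_origin(headers),
        "allowed": source_allowed(peer_ip, allowlist),
    }


if __name__ == "__main__":
    # Constructed allowlist and two constructed requests.
    allow = ["203.0.113.0/24", "2001:db8::/32"]
    spoofed = {"Host": "gateway.example", "Origin": "https://mycustomdomain.com"}
    print(gateway_decision("203.0.113.7", {"Host": "gateway.example"}, allow))
    print(gateway_decision("198.51.100.9", spoofed, allow))
```

The second request carries a forged Origin naming the custom domain and is still rejected; the only way to be accepted is to egress from an allowlisted address, which is why the answer points at an IaaS product (or, where supported, a fixed NAT address) rather than at the domain mapping.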

Related

GCP API Gateway to secure internal/external communication for API deployed on App Engine

I am building a microservice architecture and I need help with internal/external communication.
I have microservices which are deployed on GCP App Engine Flex and a GCP API Gateway that sits in front of them. API Gateway handles external communication authentication using a JWT sent in the request header, signed via a service account private key.
On App Engine, we have configured Ingress (Internal + Load Balancer), so the App Engine appspot URLs are blocked externally. Each service has a load balancer on which IAP is enabled, and only API Gateway's service account has the IAP-Secured Web App User role to pass requests to the LB.
My questions are :
Should GCP API Gateway be used for internal service to service communication ?
Since we have ingress (Internal + Load Balancer) enabled on App Engine and the appspot URLs are only accessible inside the GCP project, can these URLs be used for internal service-to-service communication? Is this a secure / recommended approach?
Which of the above 2 suits well for the architecture to manage secure communication. Also, if possible, please suggest some alternatives.
Update : Adding flow diagram for both approaches
If you use ingress internal + LB for internal communication, that means only the traffic coming from the VPC (of the current project) or the traffic coming from the LB (of the current project) will be able to reach the service. Keep in mind that even if you set your traffic to internal, the IP is ALWAYS publicly accessible. There is simply an additional check performed on the traffic origin.
If you have another service on App Engine flex in your project, it should use either the LB (possible) or the VPC (route the traffic to the VPC even if it's a public URL). That last case is possible with Cloud Functions, Cloud Run and App Engine standard (egress control feature, route all the traffic to the serverless VPC connector), but you can't with the flex environment.
In addition, API Gateway can only reach public URL, and therefore you can only use the LB to reach your App Engine flex, and not the "internal" VPC traffic.
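Since the answer above settles on the LB + IAP path for internal callers, here is an added example (not code from the question or the answer, and not Google's) of both sides of that call: the caller obtains an OIDC identity token from the metadata server and presents it to the IAP-protected load balancer, and the backend checks the claims of the `x-goog-iap-jwt-assertion` header IAP adds. The PROJECT_NUMBER, SERVICE_ID and client-ID values are placeholders; the sample claims are constructed; and signature verification (ES256 against the keys IAP publishes at https://www.gstatic.com/iap/verify/public_key) is assumed to be done by a library such as `google.oauth2.id_token.verify_token` before these claim checks run. It is not implemented here.

```python
"""Added example: service-to-service call through an IAP-protected LB.

Assumptions (not in the original post): the caller runs inside GCP and can
reach the metadata server; identifiers are placeholders; JWT signature
verification is performed elsewhere, so validate_iap_claims() only checks the
already-verified payload.
"""
import time
import urllib.parse
import urllib.request
from typing import Iterable, Mapping, Optional

METADATA_ID_TOKEN = (
    "http://metadata.google.internal/computeMetadata/v1/instance/"
    "service-accounts/default/identity"
)
IAP_ISSUER = "https://cloud.google.com/iap"
IAP_HEADER = "x-goog-iap-jwt-assertion"
CLOCK_SKEW_SECONDS = 30


def identity_token_url(audience: str) -> str:
    """Metadata-server URL that mints an OIDC ID token for `audience`.

    For IAP, the audience is the OAuth client ID of the IAP-protected
    resource (placeholder below), not the backend's hostname.
    """
    query = urllib.parse.urlencode({"audience": audience, "format": "full"})
    return f"{METADATA_ID_TOKEN}?{query}"


def fetch_identity_token(audience: str) -> str:
    """Network call; only works on GCP (App Engine flex, GCE, Cloud Run)."""
    req = urllib.request.Request(identity_token_url(audience),
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def call_iap_backend(url: str, iap_client_id: str) -> bytes:
    """Present the token as a Bearer credential. IAP checks the signature and
    audience and requires the caller's service account to hold
    roles/iap.httpsResourceAccessor before forwarding to the LB backend."""
    token = fetch_identity_token(iap_client_id)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def validate_iap_claims(claims: Mapping[str, object], expected_aud: str,
                        allowed_callers: Iterable[str],
                        now: Optional[float] = None) -> bool:
    """Backend-side checks on the decoded x-goog-iap-jwt-assertion payload.

    expected_aud for a backend service behind an external HTTPS LB has the form
    /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID (placeholders).
    Pinning `email` to the calling service accounts is what stops *any*
    IAP-authorised principal from reaching an internal-only endpoint.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != IAP_ISSUER:
        return False
    if claims.get("aud") != expected_aud:
        return False
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False
    if not isinstance(iat, (int, float)) or iat > now + CLOCK_SKEW_SECONDS:
        return False
    return claims.get("email") in set(allowed_callers)


if __name__ == "__main__":
    # Constructed payload, as it would look after signature verification.
    aud = "/projects/123456789012/global/backendServices/987654321"
    claims = {"iss": IAP_ISSUER, "aud": aud, "exp": time.time() + 600,
              "iat": time.time() - 5,
              "email": "api-gateway@my-project.iam.gserviceaccount.com"}
    print(validate_iap_claims(claims, aud,
                              ["api-gateway@my-project.iam.gserviceaccount.com"]))
```

Because IAP sits on the LB and the appspot URL is blocked by the ingress setting, a second App Engine flex service in the same project uses exactly this path: mint a token for the IAP client ID, call the LB hostname, and let the backend pin the expected caller identities from the assertion header.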

App Engine access service(s) with custom domain and HTTPS

I have a GAE app set up to use a custom domain, let's call it mycustomdomain. This naked domain is working fine over HTTP and HTTPS. I also have a service called api; it can be accessed successfully by going to http://api.mycustomdomain.com (custom domain convention).
However, I can't access the api service over HTTPS. I uploaded an SSL certificate for mycustomdomain.com, but I got an error (site can't be reached) when trying to access the api service over HTTPS. My question is: do I need to purchase the wildcard.mycustomdomain.com SSL certificate in order to access the api service over HTTPS? I don't have much experience dealing with SSL certs and GAE custom domains, so any help would be greatly appreciated. Thank you!
Edit: updated information for GCP Console configurations.
My app setup in the Console contains the following:
Services: default, api
Custom domain setup: mycustomdomain.com
SSL uploaded: ultrahdlivewallpaper.com (NOT the wildcard version), api.ultrahdlivewallpaper.com (unable to be enabled for custom domain, none matching)
More detail: The problem is when I map both ultrahdlivewallpapers.com and api.ultrahdlivewallpapers.com, they are both mapped to the default service. I want api. to point to the API service. If I only map ultrahdlivewallpapers.com, that allows me to access api service at the api subdomain, but then the api SSL can't be applied to api. subdomain because it's not listed as a subdomain.
07/24/17 Update: I believe this is a limitation with the App Engine Settings after trying out several scenarios via GAE Console. We have a custom domain set up for ultrahdlivewallpapers.com and enabled the SSL cert for this domain. The domain is pointing to the default service. We have a second service set up called API. Google's routing rules for any service set up is via HTTP:// service-id.custom-domain, which in our case is api.ultrahdlivewallpapers.com. However, when I upload the SSL for the api subdomain, Console couldn't find matching domains because the api subdomain is not specified via the Console. Now if I set up api.ultrahdlivewallpapers.com as a custom domain, I'm able to enable the SSL for api subdomain. Problem then becomes api subdomain is now pointing to the default service instead of the api service. If I remove the api mapping, I'm able to browse to the api service again, but no HTTPS! I don't believe there is a way to get this set up correctly without a wildcard SSL enabled for all subdomains. Please let me know if I'm missing anything. I have tried everything I can think of via the Console. Thanks.
You don't necessarily need a "wildcard" cert, per se. But, you do need to get a cert that covers all the subdomains. For example:
mycustomdomain.com
www.mycustomdomain.com
api.mycustomdomain.com
It's a standard solution, and not difficult to do. Certbot (Let's Encrypt) makes it easy.
If you choose to get a wildcard certificate, installation is pretty straightforward:
You upload the certificate in the developer console (in App Engine -> Settings -> SSL Certificates -> Upload a new certificate). May require a bit of effort, see also Google App Engine SSL with Let's Encrypt "could not be inserted".
Once it's visible in the certificate table you can click on its name and you'll end up in the certificate edit screen where you can select which custom (sub)domains it applies to (from the list of all custom domains mapped in the app), looks like this:
Note: these are the corresponding custom domain mappings:
If you have another app (under the same admin account) which is also mapped to subdomains of the same domain you can activate the certificate on it as well in a similar manner (the console automatically shows the certificate in the list when you switch apps, no need to upload it again).
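The two answers above hinge on which names a certificate actually covers, so here is an added example (not code from the question or either answer) of the standard hostname-matching rule applied to a certificate's Subject Alternative Names: a wildcard covers exactly one label, never the bare domain, and a multi-SAN certificate must list every host explicitly. The names are constructed around the question's mycustomdomain.com placeholder; `san_from_peercert` assumes the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
"""Added example: which custom (sub)domains does a certificate cover?

Assumptions (not in the original post): names below are constructed;
san_from_peercert() takes the dictionary that ssl.SSLSocket.getpeercert()
returns for a verified connection.
"""
from typing import Iterable, List, Mapping


def name_matches(san: str, host: str) -> bool:
    """RFC 6125-style match of one SAN dNSName against a hostname.

    A wildcard only replaces the left-most label: *.example.com covers
    api.example.com but neither example.com nor a.b.example.com.
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[2:]
        if host == suffix:                      # bare domain is NOT covered
            return False
        if not host.endswith("." + suffix):
            return False
        leading = host[: -len(suffix) - 1]      # text in place of the '*'
        return leading != "" and "." not in leading
    return san == host


def covered(san_names: Iterable[str], host: str) -> bool:
    return any(name_matches(san, host) for san in san_names)


def missing_hosts(san_names: Iterable[str], required: Iterable[str]) -> List[str]:
    """Hosts from `required` that no SAN entry covers; empty means the cert
    can be enabled for every listed custom-domain mapping."""
    sans = list(san_names)
    return [h for h in required if not covered(sans, h)]


def san_from_peercert(cert: Mapping[str, object]) -> List[str]:
    """Extract dNSName SANs from ssl.SSLSocket.getpeercert() output."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


if __name__ == "__main__":
    required = ["mycustomdomain.com", "www.mycustomdomain.com",
                "api.mycustomdomain.com"]
    print("wildcard only:", missing_hosts(["*.mycustomdomain.com"], required))
    print("explicit SANs:", missing_hosts(required, required))
```

Run against a real endpoint, pass `ssl.create_default_context().wrap_socket(...)` output through `getpeercert()` and `san_from_peercert`; if `missing_hosts` returns the naked domain for a wildcard certificate, that is exactly the gap the first answer's explicit three-name certificate closes.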

How to make google appengine endpoint to be verified in mail gun domains

I am using Google App Engine to develop and send mails. Using the sandbox domain from Mailgun (the approved test domain) was working. Now I am moving to production: I added the domain to Mailgun from the dashboard and followed the doc at https://cloud.google.com/compute/docs/tutorials/sending-mail/using-mailgun, but the domain is still unverified. I also observed that the doc sends using an instance, and my instance is in dynamic scaling mode, so I can't access my endpoint instance as it is dynamic. I am a bit confused about how to go about the Mailgun domain verification with Google App Engine, or where to set the TXT or CNAME record, or even do the DNS settings.
Mailgun verification is independent of Google App Engine. You need to go to the company that you bought the domain from and add the TXT and CNAME DNS records as described at https://help.mailgun.com/hc/en-us/articles/202052074-How-do-I-verify-my-domain-
If you are not using a custom domain, I don't think google allows you to access / edit the DNS records probably because the .appspot domains are intended for development and testing.

Naked and www custom domains with Google App Engine

I have added two custom domains to the Google Developers Console for a Google App project. One, a naked domain with A and AAAA records set on the third-party DNS manager as specified by Google. Two, a www domain with a CNAME record set on the third-party DNS manager, as specified by Google.
The www is serving, but the naked domain is not! The A records ip addresses timeout on my local machine but I get results when using http://tools.pingdom.com/ping/
Obviously you can use more than one custom domain but is there something I'm missing here?
Update: custom naked domain mapping is now supported directly in GAE, see How to use Google app engine with my own naked domain (not subdomain)?.
[Old answer follows]
If it's acceptable for you to use custom domains through Google Apps then you can use the Google Admin console to:
map your naked domain to Google Apps
redirect the naked domain to a certain (sub)domain of your choice
I find several advantages of going this way:
you can change the naked domain redirect without any change in the GAE apps domain configs
the direct domain mapping of GAE apps (without using Google Apps) is still very young, documentation is far from exhaustive
you can use SSL with your custom domains, according to the docs: "To add Secure Sockets Layer (SSL) encryption (i.e., an HTTPS address) to your App Engine app, you must use the SSL service provided with Google Apps".

Domain registered with Google App for Business point to other ip?

I have registered a domain when I was registering Google App for business.
I'm just wondering if I could let that domain point to my server instead of Google site?
If not, how can I release the domain and register it(the same name) from some other domain name provider?
You can associate your purchased domain with your App Engine application. Go to the Admin Console and then Application Settings. You will see a Domain Setup section. Click on Add Domain and follow the steps. For further details, check out the instructions.
Yes, you can manage your DNS records even if you bought the domain as part of the Google Apps sign-up. In case you don't want to host your website on Google App Engine or Google Sites, you can access the DNS credentials for your assigned provider (Enom, GoDaddy) at Domains -> Advanced DNS Settings; from there you should log in to your provider console in order to change the settings.
https://support.google.com/a/answer/54693?hl=en
If you want to transfer to another provider, follow the standard procedure that each provider has; it usually requires some email confirmation back and forth. Also, make sure not to renew your domain automatically in the Google Apps admin console, otherwise you may be billed twice for the domain.
Now that Google is offering DNS-as-a-service in the Cloud Platform I wonder when they will end the partner DNS hosting and manage it themselves from end to end.