Connect to kubernetes engine from app engine standard - google-app-engine

We want to access some services on Google Kubernetes Engine from Google App Engine standard via HTTP(S). We don't want to expose the services to external networks because of security.
App Engine flexible can use a private network with an internal load balancer or VPC (post). How about App Engine standard?
2 years ago, we could not do it. (post)
We can set rules about IP addresses, but an IP address for an App Engine standard app is not static.
What is the best solution?
Thanks for your help.

app engine flexible can use private network with an internal loadbalancer or vpc(post). How about app engine standard?
Not really as per this:
"A VPC network, sometimes just called a “network,” is a virtual version of a physical network, like a data center network. It provides connectivity for your Compute Engine virtual machine (VM) instances, Kubernetes Engine clusters, App Engine Flex instances, and other resources in your project."
We can set rules about IP addresses, but an IP address for an app engine standard is not static.
Yes, they are always changing. The recommendation here is to use their static IP range combined with:
Instead, we suggest that you take a defense in depth approach using OAuth and Certs.
You could also look at things like Cloud Armor (in alpha as of this writing), or a Virtual WAF. Longer term it would make more sense to move your workloads from Google App engine into GKE.

Related

How to establish a private connection between Google app engine and compute engine?

I have a web app/API which is currently running on a Google App Engine resource. As the calculations of the API are very computing intensive, I have outsourced the computational part to a managed auto-scaling Google Compute Engine group, with an HTTP load balancer in the front end (to maintain a single IP address and balance load across the several engines that are dynamically spawning).
Currently, I just make an HTTP call to the load balancer IP address from the App Engine. As the GAE and GCE are in the same region, this however feels highly inefficient (I am aware that the App Engine and Compute Engine instances are still in two physically separated data centers). This also poses a security threat as I am constantly receiving calls from random IP bots trying to exploit potential security loopholes. Additionally, I am only verifying API token validity at the App Engine level, as I do not want to give user database access to the Compute Engine (security reasons), so this means that there is no verification being done between App Engine and Compute Engine, so that the latter answers all calls that it gets.
Is there a way to establish a private connection between the App Engine and Compute Engine?
My goal would be to not have to open the GCE to the whole internet, bearing in mind that it is only receiving calls from one IP address/resource.
I have tried whitelisting only the App Engine IP addresses, but this unfortunately is a large block of addresses, is very cumbersome to retrieve and changes dynamically. The App Engine also cannot use the private IP of the Compute Engine / Google SQL servers.
Other creative ideas are highly welcome!
It appears that Serverless VPC Access may be a potential solution. The following is taken from the overview:
Serverless VPC Access enables you to connect from the App Engine standard environment and Cloud Functions directly to your VPC network. This connection makes it possible for your App Engine standard environment apps and Cloud Functions to access resources in your VPC network via internal (private) IP addresses. Using internal IP addresses improves the latency of communication between your Google Cloud Platform services and avoids exposing internal resources to the public internet.
Serverless VPC Access only allows your app or function to send requests to resources in your VPC network and receive responses to those requests. Communication in the opposite direction, where a VM initiates a request to an app or function, requires you to use the public address of the app or function.
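The question above notes that nothing on the Compute Engine side verifies that a request actually came from the App Engine front end, and the first answer on this page recommends defence in depth beyond IP allow-listing. The following is an added example (not code from the original posts): the App Engine caller signs each request with an HMAC over method, path, timestamp, nonce and body hash, and the Compute Engine backend rejects anything unsigned, tampered, stale or replayed. The shared secret and header names are assumptions for the example; the secret would normally come from Secret Manager or an environment variable on both sides.

```python
import hashlib
import hmac
import secrets
import time

# CONSTRUCTED value for the example only; load the real secret from Secret Manager / env.
SHARED_SECRET = b"example-shared-secret-do-not-use"
MAX_SKEW_SECONDS = 300  # how far the caller's clock may drift from the backend's

def _canonical(method, path, timestamp, nonce, body):
    """Build the exact bytes both sides MAC over; hashing the body keeps it fixed-size."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()

def sign_request(method, path, body, secret=SHARED_SECRET, timestamp=None, nonce=None):
    """Caller side (App Engine): return the auth headers to attach to the outbound request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    nonce = nonce or secrets.token_hex(16)  # fresh random nonce per request
    mac = hmac.new(secret, _canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}

class ReplayCache:
    """Remembers nonces for the acceptance window so a captured request cannot be replayed."""
    def __init__(self):
        self._seen = {}

    def check_and_add(self, nonce, ts, now):
        # Prune nonces that have aged out of the window; they can no longer validate anyway.
        for old in [n for n, t in self._seen.items() if now - t > MAX_SKEW_SECONDS]:
            del self._seen[old]
        if nonce in self._seen:
            return False
        self._seen[nonce] = ts
        return True

def verify_request(method, path, body, headers, secret=SHARED_SECRET, now=None, replay_cache=None):
    """Backend side (Compute Engine): returns (accepted, reason)."""
    now = int(time.time()) if now is None else int(now)
    try:
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        sig = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = hmac.new(secret, _canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    # Constant-time comparison so an attacker cannot learn the MAC byte by byte.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if replay_cache is not None and not replay_cache.check_and_add(nonce, ts, now):
        return False, "replayed nonce"
    return True, "ok"

if __name__ == "__main__":
    body = b'{"job": "heavy-calculation"}'
    headers = sign_request("POST", "/compute", body)
    cache = ReplayCache()
    print(verify_request("POST", "/compute", body, headers, replay_cache=cache))   # (True, 'ok')
    print(verify_request("POST", "/compute", body, headers, replay_cache=cache))   # replay rejected
```

This does not replace the network-level restriction (Serverless VPC Access plus a firewall rule), it sits behind it: even if the backend's address leaks or the allow-list is too broad, an unsigned call is dropped before any work is done. The API-token check the question keeps on the App Engine side stays where it is; the backend only needs the shared secret, not the user database.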

Firewall/Block Compute Engine to only allow connections from App Engine (Flexible?)

I have CouchDB server on a Google Compute Engine via Bitnami.
I want my API (Google App Engine) to be able to talk to Compute Engine but I really don't want anyone else to be able to for security purposes.
I'm open to using App Engine Flexible if that's what needs to happen.
It says here that Google App Engine can't be assigned a static IP, but I was wondering if anyone had any other suggestions for restricting outside access to the static IP I've assigned my Compute Engine, to only allow incoming connections made from my project / my App Engine, etc.
You need to use Virtual Private Cloud (VPC), since this option allows you to configure firewall rules in order to provide controlled access to your Cloud resources and allow them to interact in a safe environment.
You can take a look at the VPC overview to get a better understanding of the capabilities and options offered by Google Cloud (https://cloud.google.com/vpc/docs/vpc), and you will also find useful information on how to use the VPC across the different services in the docs (https://cloud.google.com/vpc/docs/private-access-options). By the way, you would need to move your API to App Engine Flex.

How to allow traffic to app engine access from compute engines of different project.

On Google Cloud I have created an App Engine app in one project and have some auto-scaled (servers spin up/spin down according to traffic) Compute Engine instances in a different project. I have a task to allow traffic to the App Engine app only from those auto-scaled Compute Engine instances.
The problem with the auto-scaled environment is that we can't guess the server public IP, whereas we can get the private subnet IPs.
Please let me know how I can solve this issue.
For connecting through a private IP, you need your App Engine and Compute Engine instances to be in the same network. The App Engine standard environment is on a different network than the Compute Engine instances, and they don't have private IP access to each other currently.
You can't achieve that with App Engine standard; you will need to consider App Engine Flex for this (see here how to set the network of your App Engine Flex instances).
You will have to connect using the external IP address of the service running on your Compute Engine instance by setting up your firewalls.
I achieved this by doing as follows:
Let's say you have Project A and Project B, and a service running in Project A that wants to connect to a Compute Engine instance running in Project B.
You need two VPCs in A and B with no IP collision.
Create a VPC Network peering from A to B and from B to A.
Create a VPC serverless access connector in project A.
Configure your service to use the new connector:
vpc_access_connector:
name: "projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME"
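Two things in the procedure above are easy to get wrong and only fail after the resources exist: the two VPCs (and the connector's own range) must not overlap, and the connector needs an unused IPv4 /28. The following is an added example (not code from the original answer) that runs those checks up front and describes the least-privilege ingress rule for the Compute Engine side: allow the service port only from the connector's /28, rather than from the whole peered network. The subnet ranges, port and target tag are constructed sample values.

```python
import ipaddress

# CONSTRUCTED sample ranges; replace with the subnets actually used in each project.
PROJECT_A_SUBNETS = ["10.10.0.0/20"]
PROJECT_B_SUBNETS = ["10.20.0.0/20"]
CONNECTOR_RANGE = "10.8.0.0/28"   # a Serverless VPC Access connector takes an unused /28

def find_overlaps(*groups):
    """groups are (label, [cidr, ...]); returns every overlapping pair across all groups."""
    nets = [(label, ipaddress.ip_network(c, strict=True)) for label, cidrs in groups for c in cidrs]
    overlaps = []
    for i, (label_a, net_a) in enumerate(nets):
        for label_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append((label_a, str(net_a), label_b, str(net_b)))
    return overlaps

def connector_range_ok(cidr):
    """The connector range must be an IPv4 /28 (strict=True rejects host bits set in the prefix)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.version == 4 and net.prefixlen == 28

def plan_firewall_rule(connector_cidr, port, target_tag):
    """Describe the ingress rule for project B: only the connector's /28 may reach the service port."""
    if not connector_range_ok(connector_cidr):
        raise ValueError("connector range must be an IPv4 /28")
    return {
        "direction": "INGRESS",
        "action": "ALLOW",
        "source_ranges": [connector_cidr],   # not 0.0.0.0/0 and not the whole peered VPC
        "rules": [f"tcp:{port}"],
        "target_tags": [target_tag],         # apply only to the instances that run the service
    }

def preflight(a_subnets, b_subnets, connector_cidr):
    """Return a list of problems; an empty list means the peering/connector plan is consistent."""
    problems = []
    if not connector_range_ok(connector_cidr):
        problems.append(f"connector range {connector_cidr} is not an IPv4 /28")
    # The connector lives in A but is reachable over the peering, so it must not collide with B either.
    for la, ca, lb, cb in find_overlaps(("A", a_subnets), ("B", b_subnets), ("connector", [connector_cidr])):
        problems.append(f"{la} {ca} overlaps {lb} {cb}")
    return problems

if __name__ == "__main__":
    print(preflight(PROJECT_A_SUBNETS, PROJECT_B_SUBNETS, CONNECTOR_RANGE))          # []
    print(plan_firewall_rule(CONNECTOR_RANGE, 9200, "es-backend"))
```

The dictionary returned by `plan_firewall_rule` maps directly onto the `--direction`, `--action`, `--source-ranges`, `--rules` and `--target-tags` flags of `gcloud compute firewall-rules create`, and the preflight is meant to run before `gcloud compute networks peerings create` and `gcloud compute networks vpc-access connectors create`. Keeping the source range to the connector's /28 means that the other peered subnets, and anything else that later lands in project A's VPC, still cannot reach the service.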

Connect to kubernetes engine from app engine

We want to use an App Engine flexible process to update our Elasticsearch index, which is on Google Kubernetes Engine. We need to connect to Elasticsearch via an HTTP(S) address. What's the recommended way to do this? We don't want to expose the cluster to external networks since we don't have authentication in front of it.
I've seen this SO post, but both k8s and AE have changed a lot in the 2 years since the question/answer.
Thanks for your help!
The post you linked to was about App Engine Standard. App Engine Flex is built on top of the same Google Cloud networking that is used by Google Compute Engine virtual machines and Google Kubernetes Engine clusters. As long as you put the App Engine flex application into the same VPC as the Google Kubernetes Engine cluster you should be able to communicate between them using internal networking.
On the other hand, to expose a Kubernetes service to anything running outside of the cluster will require you to modify the service for Elastic search because by default Kubernetes services are only reachable from inside of the cluster (due to the way that the service IPs are allocated and reached via IPTables magic). You need to "expose" the service, but rather than exposing it to the internet via an external load balancer, you expose it to the VPC using an internal load balancer. See https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing.
In addition to Robert's answer, make sure that App Engine and GKE are in the same region, because internal load balancers are not usable from another region.
Check this: https://issuetracker.google.com/issues/111021512

Is there an equivalent of AWS "security groups" between App Engine and Compute Engine instances?

TL;DR:
Are there any updates about this question?
Google App Engine communicate with Compute Engine over internal network
--
Is it possible to enable HTTP traffic between App Engine and Compute Engine instances that are in the same Cloud Project?
Obviously denying all HTTP traffic from other sources.
Between AWS EC2/RDS/Beanstalk this is possible with "security groups".
I think the best you can currently do is managed VMs (https://developers.google.com/cloud/managed-vms, early access right now). It's essentially managed VMs running custom code in the app engine project. I did not check if the managed VMs will be able to run together with other gce VMs in the same network - if they did one could just connect to the internal addresses of the other instances. There does not appear to be a configuration option to define a network so I'm leaning to guess that they won't be able to see each other on the network like that.
But as an answer to the general question, I don't think there is any way of referencing app engine runtimes as sources in gce network ACLs currently.
As of now, in 2016, Google Cloud has launched the Google Cloud flexible environment (appengine/docs/flexible/). So yes, it is possible now, because both App Engine and Compute Engine are present in the same network, and therefore using App Engine you can access Compute Engine by using their internal IP. Also remember to delete all external firewall rules for your Compute Engine instances if you only want to allow access from App Engine.
There isn't a way to reference an App Engine resource within GCE. If you are trying to access GCE only from an App Engine app, then you could define an ACL in GCE to let traffic in only from your App Engine external IP.