I have to send a request from GC ML Engine to GC AppEngine. Also, I've configured the firewall in the AppEngine and it does not allow IPs except those on the whitelist. I can't find a way to know the GC ML Engine static IP. Actually, does it exist? If not, could you please help me find another way to configure security on the GC AppEngine?
Thanks in advance
I've just renewed our self-managed SSL certificate (now all validated), but I'm having trouble getting it into the google cloud platform. Our website was built using the compute engine. I did see an area in the app engine where I could create a SSL certificate and upload my certificate & key and figured that should work. I guess my concern is, if I activate the app engine and do the SSL that way, will it erase what has already been set up in the compute engine? We have a google domain too.
Our site is down while I'm trying to get this resolved so any info is greatly appreciated.
Google App Engine (GAE) and Google Compute Engine (GCE) are different services. If you have linked your custom domain via GCE, then you should be doing your SSL certificate through GCE. If on the other hand you linked your custom domain via GAE, then you configure your SSL via GAE.
I have a Google App Engine application (node) connecting to a Google SQL Cloud DB. Everything works fine.
We want to force SSL connections so anyone accessing the DB requires certs. Even though GAE connections to SQL cloud are already encrypted, enforcing SSL connections seems to also force GAE applications to have the certs as well.
This is the configuration page I'm talking about:
The problem is that GAE doesn't have any persistent local file system and as such I don't have an obvious place to store the certs.
...so what is the recommended approach to providing GAE applications with SSL certs for the purpose of connecting to a SQL Cloud instance? I can put the cert in Google secret manager, but that's inconvenient for a number of reasons.
How are other people addressing this problem?
(I know this is similar to Google App Engine + MongoDB (w/ SSL Certificate), but I was hoping that better options would have been provided in the years since that question was asked or that the fact that I was only inside the GCP ecosystem would provide a better option for me.)
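One way to handle the "no persistent file system" problem the question raises, as an added example that is not part of the original thread: keep the Cloud SQL client certificate material in Secret Manager and stage it at startup into a private temporary directory (on App Engine standard, /tmp is an in-memory filesystem, so nothing reaches a disk). The secret names, the `fetch` callable and the PEM blobs used for the offline run are constructed for this example; the `secretmanager` call in `fetch_from_secret_manager` is the real `google-cloud-secret-manager` API, imported lazily so the module still loads without it.

```python
"""Stage Cloud SQL client certs from Secret Manager into a private temp dir.

Added example (not from the thread). Assumed secret names are in SECRET_NAMES;
the caller supplies a fetch(secret_name) -> bytes function, for example the
Secret Manager helper below.
"""
import os
import stat
import tempfile
from typing import Callable, Dict, Optional

# Assumed secret names holding each PEM blob (one secret per file).
SECRET_NAMES = {
    "ca": "cloudsql-server-ca",
    "cert": "cloudsql-client-cert",
    "key": "cloudsql-client-key",
}


def fetch_from_secret_manager(project_id: str) -> Callable[[str], bytes]:
    """Build a fetch() that reads the latest version of a secret in project_id."""
    from google.cloud import secretmanager  # imported lazily; not needed offline

    client = secretmanager.SecretManagerServiceClient()

    def fetch(secret_name: str) -> bytes:
        name = f"projects/{project_id}/secrets/{secret_name}/versions/latest"
        return client.access_secret_version(request={"name": name}).payload.data

    return fetch


def materialize_certs(fetch: Callable[[str], bytes],
                      base_dir: Optional[str] = None) -> Dict[str, str]:
    """Fetch every PEM blob, validate it, then write it 0600 into a fresh 0700 dir.

    Returns {"dir": <directory>, "ca": <path>, "cert": <path>, "key": <path>}.
    All secrets are fetched and checked before anything is written, so a bad
    secret leaves no half-populated directory behind.
    """
    blobs = {}
    for kind, secret_name in SECRET_NAMES.items():
        pem = fetch(secret_name)
        if not pem.startswith(b"-----BEGIN"):
            raise ValueError(f"secret {secret_name} does not look like PEM")
        blobs[kind] = pem

    # mkdtemp creates the directory with mode 0700; /tmp is RAM-backed on GAE standard.
    cert_dir = tempfile.mkdtemp(prefix="cloudsql-", dir=base_dir or tempfile.gettempdir())
    paths = {"dir": cert_dir}
    for kind, pem in blobs.items():
        path = os.path.join(cert_dir, f"{kind}.pem")
        # O_EXCL + 0600 at creation time: no window where the key is world-readable.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(pem)
        paths[kind] = path
    return paths


def file_mode(path: str) -> int:
    """Permission bits of path, for checking that staging kept things private."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Offline demo with constructed PEM-looking payloads instead of real secrets.
    def demo_fetch(name: str) -> bytes:
        return b"-----BEGIN CONSTRUCTED-----\n" + name.encode() + b"\n-----END CONSTRUCTED-----\n"

    staged = materialize_certs(demo_fetch)
    for kind in ("ca", "cert", "key"):
        print(kind, staged[kind], oct(file_mode(staged[kind])))
```

The three paths are then passed to the driver's TLS options (for example the `ssl` dictionary of a MySQL client or the `sslrootcert`/`sslcert`/`sslkey` parameters of a PostgreSQL client). Because the staging directory is created per process, a new instance re-fetches from Secret Manager on cold start; if that latency matters, cache the result in a module-level variable rather than widening the file permissions.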
The documentation from Google is not really clear about it.
Here ( https://cloud.google.com/compute/docs/vpn/overview ) it says
Google Cloud VPN securely connects your existing network to your Google Cloud Platform (GCP) network through an IPsec VPN connection
Considering that Both Google App Engine (GAE) and Google Compute Engine (GCE) are part of Google Cloud Platform (GCP), it would mean that Google Cloud VPN works for both GAE and GCE.
Also, the section for Cloud VPN is at the same level as GAE and GCE in the project console:
But the documentation is located in /compute/docs, which is not obviously compatible with /appengine/docs.
And here is a graph describing the tunnel, which talks only about GCE, which could exclude GAE:
So, is GAE compatible with Cloud VPN, or is it restricted to GCE only?
Google Cloud VPN securely connects your existing network to your Google Cloud Platform (GCP) network through an IPsec VPN connection. Therefore, only resources that are connected to GCP networks can communicate through Cloud VPN tunnels.
App Engine Flexible Environment is based on Google Compute Engine and consequently can connect to your remote network via Cloud VPNs. As described in this article, you can specify network settings in your app.yaml configuration file of your GAE Flexible application.
EDIT Rodrigo Torres has pointed out that this is NOW possible.
(Leaving up the old post below. It is now WRONG!!!)
OLD POST:
Google App Engine standard CAN'T use VPN directly; however, the new Flexible Google App Engine (now officially released, no longer in beta) CAN use it directly. Just set up Google Cloud VPN and your network from the console and make sure to include the network in your app.yaml file.
Flexible App Engine is the easiest way for new applications to utilize VPN connections, since there won't be any migration headaches.
For a standard app engine application that can't be ported over to flexible for whatever reason, you CAN still use a VPN connection - however, it requires a service to be running on flexible app engine (or compute engine), and your app will need to interface with it somehow. This may be the simplest method, as migrating from standard to flexible is not the simplest of tasks. I know - I've done it.
Google Compute Engine instances can be secured behind a firewall that allows you to open the instance by ports and/or IP addresses.
Google App Engine doesn't use a single IP address.
I have a Compute Engine server running Nginx that I would like to completely lock down so the only way to access it is through an application on Google App Engine, is this possible?
If not, is there a simple way to send a POST request with a string of characters to Nginx, that if not present, the Nginx server would send people to a 404?
Use HTTP authentication as per the question Dan has linked to. There is no viable network/IP/firewall mechanism to restrict access.
The HTTP authentication works just fine!
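The application-layer gate the accepted answer recommends, as an added example that is not part of the original thread: because App Engine has no single source IP to whitelist, the backend authenticates every request itself. Two variants are shown, the HTTP Basic check the answer refers to and the shared-secret header from the question, which answers 404 when the token is absent so that probes learn nothing about the service. The user name, password, token value and header name are constructed for the example; both comparisons use `hmac.compare_digest` so a wrong guess does not leak timing.

```python
"""Authenticate requests to a backend that only an App Engine app should reach.

Added example, not from the thread. Credentials below are constructed; in a
real deployment load them from Secret Manager or the environment and give the
App Engine app the same values.
"""
import base64
import hmac
from typing import Mapping

EXPECTED_USER = "gae-app"                      # constructed
EXPECTED_PASSWORD = "correct horse battery staple"  # constructed
SHARED_TOKEN = "constructed-example-token"     # constructed
TOKEN_HEADER = "X-Backend-Token"               # assumed header name


def _ct_equal(a: str, b: str) -> bool:
    """Constant-time comparison so timing does not reveal how much of a guess matched."""
    return hmac.compare_digest(a.encode(), b.encode())


def basic_auth_header(user: str, password: str) -> str:
    """What the App Engine client puts in Authorization: 'Basic base64(user:password)'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(headers: Mapping[str, str]) -> int:
    """Return the status the backend should answer with: 200 if credentials match, else 401."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return 401
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return 401
    user, sep, password = decoded.partition(":")
    if not sep:
        return 401
    # Evaluate both comparisons unconditionally so a bad user costs the same as a bad password.
    ok_user = _ct_equal(user, EXPECTED_USER)
    ok_pass = _ct_equal(password, EXPECTED_PASSWORD)
    return 200 if (ok_user and ok_pass) else 401


def check_token(headers: Mapping[str, str]) -> int:
    """Shared-secret header variant: 200 on a match, 404 on anything else."""
    return 200 if _ct_equal(headers.get(TOKEN_HEADER, ""), SHARED_TOKEN) else 404


if __name__ == "__main__":
    good = {"Authorization": basic_auth_header(EXPECTED_USER, EXPECTED_PASSWORD)}
    print("basic ok   ->", check_basic(good))
    print("basic none ->", check_basic({}))
    print("token ok   ->", check_token({TOKEN_HEADER: SHARED_TOKEN}))
    print("token none ->", check_token({}))
```

In Nginx the Basic variant is the `auth_basic` / `auth_basic_user_file` directives in front of the location; the token variant needs a small conditional on the request header. Either way, serve the backend over TLS, since both schemes send the secret in clear text inside the HTTP request.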
TLDR;
Are there any updates about this question?
Google App Engine communicate with Compute Engine over internal network
--
Is it possible to enable HTTP traffic between App Engine and Compute Engine instances that are in the same Cloud Project?
Obviously denying all HTTP traffic from other sources.
Between AWS EC2/RDS/Beanstalk this is possible with "security groups".
I think the best you can currently do is managed VMs (https://developers.google.com/cloud/managed-vms, early access right now). It's essentially managed VMs running custom code in the app engine project. I did not check if the managed VMs will be able to run together with other gce VMs in the same network - if they did one could just connect to the internal addresses of the other instances. There does not appear to be a configuration option to define a network so I'm leaning to guess that they won't be able to see each other on the network like that.
But as an answer to the general question, I don't think there is any way of referencing app engine runtimes as sources in gce network ACLs currently.
As of now, in 2016, Google Cloud has launched the Google Cloud flexible environment (appengine/docs/flexible/). So yes, it is possible now, because both App Engine and Compute Engine are present in the same network, and therefore from App Engine you can access Compute Engine by using its internal IP. Also remember to delete all external firewall rules for your Compute Engine instances if you only want to allow access from App Engine.
There isn't a way to reference an App Engine resource within GCE. If you are trying to access GCE only from your App Engine app, then you could define an ACL in GCE to let traffic in only from your App Engine external IP.