How to make an application deployed to google cloud app engine available to certain white-listed IPs - google-app-engine

I have an application deployed to an app engine service. I have many services under the same app engine. How can I make the application available to certain white-listed IPs? In other words, I want this application to accept requests from certain IPs and deny all other requests.
Can we do this by writing some configurations in app.yaml file?
Note: I just want to apply the rule to one service only so that other services will not be affected.

Applying this kind of restriction at a service level is, at the moment, not possible.
The best option would be to deploy the services you want to protect on a different project, and use the App Engine firewall there.
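The App Engine firewall approach from this answer, as an added example (not code from the original answer). It renders and optionally applies the rules for an allowlist, then checks how a sample address is classified. The project id and the allowlisted ranges are placeholders; since the firewall applies to every service in the project, the project is assumed to be the separate one suggested above:

```shell
#!/usr/bin/env bash
# Added example, not from the original answer: restrict an App Engine app to an
# IP allowlist with the App Engine firewall. The firewall is app-wide (all
# services in the project), hence the separate project recommended above.
# Assumptions: PROJECT_ID and the allowlist ranges are placeholders.

PROJECT_ID="${PROJECT_ID:-my-restricted-project}"   # placeholder project id

# Constructed allowlist (RFC 5737 documentation ranges, not real clients).
ALLOWLIST="203.0.113.0/24 198.51.100.7/32"

# Print the gcloud commands for an allowlist. Allow rules get ascending
# priorities from 1000 (lower number = evaluated first); the built-in
# "default" rule is flipped to deny last, so unmatched sources are dropped
# only after every legitimate range is already allowed.
render_firewall_rules() {
  allowlist="$1"
  priority=1000
  for cidr in $allowlist; do
    echo "gcloud app firewall-rules create $priority --project=$PROJECT_ID --action=allow --source-range=$cidr"
    priority=$((priority + 10))
  done
  echo "gcloud app firewall-rules update default --project=$PROJECT_ID --action=deny"
}

# Run the rendered commands, then show which rule an allowlisted address and
# an outsider (192.0.2.1, also a documentation address) would hit.
apply_firewall_rules() {
  render_firewall_rules "$ALLOWLIST" | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
  gcloud app firewall-rules test-ip 198.51.100.7 --project="$PROJECT_ID"
  gcloud app firewall-rules test-ip 192.0.2.1 --project="$PROJECT_ID"
}

# Only talk to gcloud when explicitly asked (APPLY=1); otherwise print the plan.
if [ "${APPLY:-0}" = "1" ]; then
  apply_firewall_rules
else
  render_firewall_rules "$ALLOWLIST"
fi
```

Run it without arguments to review the plan, and with `APPLY=1` to execute it against the project. The `test-ip` calls at the end are the check worth keeping: they confirm the deny default is in place without having to probe the app from outside.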

Related

Custom service account for AppEngine

I would like to set separate permissions for different applications that run on GCP AppEngine.
I think, that the way to do this is by using specialized service accounts for each application.
As far as I understand, all applications run with the AppEngine default service account project#appspot.gserviceaccount.com
Is there a way to explicitly set a service account for an application which is running on AppEngine in GCP? Then I would be able to create separate service accounts with fine access restrictions.
tldr; you can do gcloud beta app deploy --service-account=<your_service_account> app.yaml
AppEngine apps' identities are not restricted to the AppEngine default service account anymore. You can deploy with a custom service account for each AppEngine app now by following https://cloud.google.com/appengine/docs/standard/python/user-managed-service-accounts#app.yaml.
This works for both AppEngine Standard and Flexible.
I am assuming you mean App Engine Standard. You only have one App Engine Standard per project.
You can have multiple services under App Engine.
You will need to create a service account and then load the service account inside your code. You can then change the default service account to have the minimum permissions required to function. Make sure you research what you are doing before changing permissions. You can break App Engine by being too restrictive.
However, that brings up security issues on how you manage and distribute the service account keys.
If you mean App Engine Flexible, Google does not even show the Flexible service account in the console, as Google does not want you to modify it.
You just have to add the following line to your app.yaml file:
service_account: {SERVICE_ACCOUNT_YOU_WANT_TO_USE_TO_ACCESS_APP_ENGINE}
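The per-service identity described in the answers above, as an added example (not code from the original answers). It creates a service account with no roles, grants it one role, and deploys one service with the `service_account` key rather than shipping key files, which sidesteps the key-distribution concern raised earlier in the thread. The project id, service name, runtime and the granted role are placeholders; the deploying principal is assumed to hold `iam.serviceAccounts.actAs` on the new account (the Service Account User role), which App Engine requires for user-managed service accounts:

```shell
#!/usr/bin/env bash
# Added example, not from the original answers: give one App Engine service
# its own least-privilege identity. PROJECT_ID, SERVICE, the runtime and the
# role are placeholders; adapt the role to what the service actually needs.

PROJECT_ID="${PROJECT_ID:-my-project}"
SERVICE="${SERVICE:-billing-api}"
SA_NAME="${SA_NAME:-${SERVICE}-sa}"

# Build the service account email from its short name and the project.
sa_email() {
  echo "$1@$2.iam.gserviceaccount.com"
}
SA_EMAIL="$(sa_email "$SA_NAME" "$PROJECT_ID")"

# Render an app.yaml that pins the service to its own service account
# (the service_account key from the answer above). Runtime is a placeholder.
render_app_yaml() {
  cat <<EOF
runtime: python39
service: $1
service_account: $2
EOF
}

apply() {
  # 1. Create the identity; a fresh service account carries no roles.
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="Runtime identity for $SERVICE"
  # 2. Grant only what the service needs (placeholder role: Datastore user).
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$SA_EMAIL" --role="roles/datastore.user"
  # 3. Deploy the service with that identity. The deployer needs
  #    iam.serviceAccounts.actAs on SA_EMAIL (roles/iam.serviceAccountUser).
  render_app_yaml "$SERVICE" "$SA_EMAIL" > app.yaml
  gcloud app deploy app.yaml --project="$PROJECT_ID" --quiet
  # 4. Check: every role this identity holds in the project, nothing more.
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA_EMAIL" \
    --format="table(bindings.role)"
}

# Only touch the project when asked (APPLY=1); otherwise show the app.yaml.
if [ "${APPLY:-0}" = "1" ]; then apply; else render_app_yaml "$SERVICE" "$SA_EMAIL"; fi
```

The last step is the one to rerun after any policy change: if it lists more than the roles you meant to grant, the service has more reach than it needs.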

GeoDNS routing on Google Cloud Load Balancer with Google App Engine as backend

We are looking to use Google App Engine for one of our low-latency services. We are required to provide a low-latency service across the globe. Since Google App Engine is a regional service, there is no straightforward way to deploy it multi-regionally. So we are looking at the Google Load Balancer to route at the DNS level, but that also does not seem to be possible, as the load balancer does not support App Engine as a backend service. Is there any other way to achieve GeoDNS routing in GCP for an App Engine service?
There is no direct way to achieve GeoDNS routing since App Engine is a regional service, as you said.
Read this feature request to have further insight on this. In the second comment they state the two possible workarounds, useful for both standard and flexible environments:
The workaround is how you mentioned, using a single project with a load balancer to route requests to Compute Engine instances in different regions. Then have each Compute Engine instance act as a proxy to an App Engine project in each of the different regions (where you would copy your code to each App Engine project).
It may be easier in the meantime to use Google Kubernetes Engine instead of App Engine for multi-regional application serving.
You could star the FR to support it.

What is the best approach to having a web site and web application with the same domain?

I am writing a web application using Google App Engine, and to promote it (and give more information about it), I will also have a web site. For ease of deployments, it makes sense to have the web site separate from the application itself. I would like to be able to make changes to the web site independent of the application. I would think that making a change to the web site would NOT mean a re-deployment of the application.
I would like to have a domain, and for the purpose of this question, let's call it www.example.com.
App Engine allows for multi-tenancy, and it makes sense to use sub-domains. For this question, let's assume www.org1.example.com / www.org2.example.com, etc.
Given this scenario, how is this done in the enterprise world on GAE? Do companies:
have the web site and application all as one?
use their hosting provider to redirect sub-domain requests to their application?
have completely separate domains for the web site and application?
something else?
Thanks in advance,
If you want to be able to independently deploy the web app and the web site they need to be at least in separate GAE services/modules, which offer complete code isolation.
Yes, it's not a problem to have the separate services mapped under different subdomains of the same domain. I'm not very sure if it'd work with the sub-domain split you proposed and with wildcard SSL certificates. From App Engine support for SSL certificates:
Wildcard certificates only support one level of subdomain.
So I didn't even try such subdomains. But I am using a wildcard certificate like *.example.com with subdomains like these, each mapped to a different service:
www-org1.example.com
www-org2.example.com
I'm also using a dispatch.yaml file to route each domain to the respective service.
Now about the multi-tenancy, I'm unsure if it's what you actually need, because it's offering just data isolation, not code isolation. You still need to address code isolation if you want to deploy them independently. From About multitenancy:
Multitenancy is the name given to a software architecture in which one instance of an application, running on a remote server, serves many client organizations (also known as tenants).
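The dispatch.yaml routing and the wildcard-certificate limit from this answer, as an added example (not code from the original answer). It refuses any hostname that is not exactly one label below the wildcard base before rendering the routing file, so `www.org1.example.com` is rejected while `www-org1.example.com` passes, and then deploys and lists the resulting mappings. The domain, hostnames and service names are placeholders:

```shell
#!/usr/bin/env bash
# Added example, not from the original answer: route each hostname to its own
# App Engine service with dispatch.yaml, after checking that a *.example.com
# certificate can cover it (wildcards span one subdomain level only).
# Assumptions: example.com, the hostnames and the service names are placeholders.

BASE_DOMAIN="example.com"

# Constructed host -> service mapping, one "host service" pair per line.
ROUTES="www.example.com marketing-site
www-org1.example.com org1-app
www-org2.example.com org2-app"

# Return 0 if host is <single-label>.<base>, 1 otherwise.
single_label_under() {
  host="$1"; base="$2"
  case "$host" in
    *."$base") label="${host%.$base}" ;;
    *) return 1 ;;
  esac
  case "$label" in
    ""|*.*) return 1 ;;   # empty label or a second dot = not coverable
    *) return 0 ;;
  esac
}

# Render dispatch.yaml from "host service" lines; fail before emitting
# anything if one of the hosts cannot sit under the wildcard certificate.
render_dispatch_yaml() {
  routes="$1"
  while read -r host service; do
    [ -n "$host" ] || continue
    single_label_under "$host" "$BASE_DOMAIN" || {
      echo "refusing $host: not a single label under *.$BASE_DOMAIN" >&2
      return 1
    }
  done <<EOF
$routes
EOF
  echo "dispatch:"
  while read -r host service; do
    [ -n "$host" ] || continue
    printf '  - url: "%s/*"\n    service: %s\n' "$host" "$service"
  done <<EOF
$routes
EOF
}

apply() {
  render_dispatch_yaml "$ROUTES" > dispatch.yaml
  gcloud app deploy dispatch.yaml --quiet
  # Check: which hostnames are mapped and which certificates are attached.
  gcloud app domain-mappings list
  gcloud app ssl-certificates list
}

# Only deploy when asked (APPLY=1); otherwise print the rendered file.
if [ "${APPLY:-0}" = "1" ]; then apply; else render_dispatch_yaml "$ROUTES"; fi
```

The validation runs as a separate pass before any output so that a bad entry cannot leave a half-written dispatch.yaml behind; each service named in the file still has to be deployed on its own, since dispatch.yaml only routes to services that already exist.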

Does Google App Engine charge for network traffic between apps?

I am going to build an API for my mobile app using GAE. I am looking for a way to separate the whole application into separate services, trying out the microservice architecture.
The problem is there seems to be no information about any VPN or private network between GAE apps. Therefore, based on my understanding, when one of the GAE apps sends HTTP requests to other GAE apps in the same account, its traffic will be treated as Internet traffic and therefore I will be charged for outbound bandwidth.
Am I correct?
Yes.
App Engine applications/Cloud Platform projects are isolated from each other by default, even if they were created using the same Google account.
Consider looking into Modules (link for Java) to implement individual services of your application.

Is there an equivalent of AWS "security groups" between App Engine and Compute Engine instances?

TLDR;
Are there any updates about this question?
Google App Engine communicate with Compute Engine over internal network
--
Is it possible to enable HTTP traffic between App Engine and Compute Engine instances that are in the same Cloud Project?
Obviously denying all HTTP traffic from other sources.
Between AWS EC2/RDS/Beanstalk this is possible with "security groups".
I think the best you can currently do is managed VMs (https://developers.google.com/cloud/managed-vms, early access right now). It's essentially managed VMs running custom code in the app engine project. I did not check if the managed VMs will be able to run together with other gce VMs in the same network - if they did one could just connect to the internal addresses of the other instances. There does not appear to be a configuration option to define a network so I'm leaning to guess that they won't be able to see each other on the network like that.
But as an answer to the general question, I don't think there is any way of referencing app engine runtimes as sources in gce network ACLs currently.
As of now, in 2016, Google Cloud has launched the Google Cloud flexible environment (appengine/docs/flexible/). So yes, it is possible now, because both App Engine and Compute Engine are present in the same network, and therefore from App Engine you can access Compute Engine instances by their internal IP. Also remember to delete all external firewall rules for your Compute Engine instances if you only want to allow access from App Engine.
There isn't a way to reference an App Engine resource within GCE. If you are trying to access GCE only from your App Engine app, then you could define an ACL in GCE to let traffic in only from your App Engine external IP.
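The GCE-side restriction from the last two answers, as an added example (not code from the original answers): an ingress rule that admits HTTP(S) only from a known source range to tagged instances, plus a review function that flags any rule still open to 0.0.0.0/0 on the web ports, which is the "delete all external firewall rules" step made checkable. The network, tag and the 203.0.113.0/24 source range are placeholders (that range stands in for whatever App Engine egress addresses you have identified, and is not a Google range); the rule listing used for the review is constructed sample data in the same CSV shape the `gcloud` format string produces:

```shell
#!/usr/bin/env bash
# Added example, not from the original answers: allow HTTP(S) into Compute
# Engine only from a known source range, and review the project's rules for
# anything still open to the Internet on the web ports.
# Assumptions: NETWORK, TARGET_TAG and APP_ENGINE_EGRESS are placeholders.

NETWORK="${NETWORK:-default}"
TARGET_TAG="backend"
APP_ENGINE_EGRESS="203.0.113.0/24"   # placeholder, not a real Google range

apply() {
  # Allow 80/443 only from the known range, only to instances tagged "backend".
  gcloud compute firewall-rules create allow-http-from-appengine \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW \
    --rules=tcp:80,tcp:443 --source-ranges="$APP_ENGINE_EGRESS" \
    --target-tags="$TARGET_TAG" --priority=1000
  # Dump the current rules as "name,sources,allowed" and review them.
  gcloud compute firewall-rules list \
    --format='csv[no-heading](name,sourceRanges.list(separator=";"),allowed[].map().firewall_rule().list(separator=";"))' \
    | find_open_rules
}

# Return 0 if port $1 lies inside the range "lo-hi" given as $2.
port_in_range() {
  p="$1"; lo="${2%-*}"; hi="${2#*-}"
  [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]
}

# Read CSV lines "name,sources,allowed" on stdin and print the names of rules
# that admit 0.0.0.0/0 on tcp:80 or tcp:443 (directly, via a port range,
# via all tcp, or via "all").
find_open_rules() {
  while IFS=, read -r name sources allowed; do
    [ -n "$name" ] || continue
    case "$sources" in *0.0.0.0/0*) ;; *) continue ;; esac
    for proto in $(printf '%s' "$allowed" | tr ';' ' '); do
      case "$proto" in
        tcp:80|tcp:443|tcp|all) echo "$name"; break ;;
        tcp:*-*)
          r="${proto#tcp:}"
          if port_in_range 80 "$r" || port_in_range 443 "$r"; then
            echo "$name"; break
          fi ;;
      esac
    done
  done
}

# Constructed sample listing (not real project output) for a dry run.
SAMPLE_RULES='default-allow-http,0.0.0.0/0,tcp:80
default-allow-https,0.0.0.0/0,tcp:443
default-allow-internal,10.128.0.0/9,tcp:0-65535;udp:0-65535;icmp
default-allow-ssh,0.0.0.0/0,tcp:22
allow-http-from-appengine,203.0.113.0/24,tcp:80;tcp:443
wide-open,0.0.0.0/0,tcp:1-65535'

# Only change the project when asked (APPLY=1); otherwise review the sample.
if [ "${APPLY:-0}" = "1" ]; then apply; else printf '%s\n' "$SAMPLE_RULES" | find_open_rules; fi
```

On the sample data the review prints `default-allow-http`, `default-allow-https` and `wide-open`; those are the rules that still let any Internet host reach the web ports regardless of the new allow rule, because GCE evaluates every matching allow rule, so the restrictive rule only takes effect once the permissive ones are deleted.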