goal: make my google cloud app ssl
used a prebuilt solution to launch an instance on google's compute engine. i need to upload ssl cert to accept credit cards & more or less do anything. i cannot find a ui or any way to ssl my app/domain with compute engine.
google's app engine has a ui to upload certs but no way to launch prebuilt solutions or transfer apps from compute engine.
also, of course, the domain is registered using google domains and the app is registered to google cloud platform under same account.
thanks -- matt
You can setup an HTTPS Load Balancer in front of your GCE instances and install an SSL certificate and key there.
https://cloud.google.com/compute/docs/load-balancing/http/
A solution which is built for Google Compute Engine likely won't work as-is on Google App Engine (App Etfite expects that you supply code written as a set of HTTP request handlers, but does not support background tasks, running your own database, etc). Since you're already fairly happy with the pre-built solution you installed, it probably makes more sense to customize that rather than replace your solution with one running on App Engine.
You have two options for getting SSL running:
You could use Layer 3 load-balancing, and install and configure the SSL certificates on your server hosts. For example, you could get a certificate from Let's Encrypt, and use their tool to install the cert if you're running nginx or apache. For other software, you'd need to install the cert manually. This is probably the most portable (to other clouds/local machine) solution, but requires that you secure your SSL certs and maintain that software.
You could create a SslCertificate resource and attach it a Layer-7 load balancer provided by Compute Engine (TargetHttpsProxy). To do this, you would set up HTTP load balancing after uploading your public and private certificate to Google. This solution can take advantage of Google's caching and scaling infrastructure and can support health checks to verify that your application is up, but the details will vary more across different service providers.
Related
I have a Google App Engine application (node) connecting to a Google SQL Cloud DB. Everything works fine.
We want to force SSL connections so anyone accessing the DB requires certs. Even though GAE connections to SQL cloud are already encrypted, enforcing SSL connections seems to also force GAE applications to have the certs as well.
This is the configuration page I'm talking about:
The problem is that GAE doesn't have any persistent local file system and as such I don't have an obvious place to store the certs.
...so what is the recommended approach to providing GAE applications with SSL certs for the purpose of connecting to a SQL Cloud instance? I can put the cert in Google secret manager, but that's inconvenient for a number of reasons.
How are other people addressing this problem?
(I know this is similar to Google App Engine + MongoDB (w/ SSL Certificate), but I was hoping that better options would have been provided in the years since that question was asked or that the fact that I was only inside the GCP ecosystem would provide a better option for me.)
I am about to host an Nginx instance (for redirection purposes) with AppEngine, All the redirected domain names should have SSL cert over the redirection point (AppEngine) I was wondering how many SSL cert I would be able to add in a single AppEngine setting. (I might end up adding more than 100 or so domain names for redirection in there)
Please note that App Engine is used to deploy apps not nginx server used as proxy for multiple domain redirecttion.
You can use Compute Engine Virtual Machine for your use-case ( Multiple SSL Certificates ). Please have a look into the following Google Community Tutorial for HTTPS load balancing using NGINX and Compute Engine
Is there a way to deploy "internal facing" applications in Google App Engine. AWS offers this capability as explained here and so does Azure as explained here.
What is the GCP equivalent for this? It appears App Engine Flexible Environment could be the answer but I could not find a clear documentation on whether Flexible Environment is indeed the way to host intranet facing applications. Is there someone from GCP who can advise?
Update
I tested the solution recommended by Dan recently. Listed below are my observations:
App Engine Flex allows deploying to a VPC and this allows VPN scenarios. The VPN scenarios however is for connections (originating) from App Engine to GCP VPCs or to other networks outside GCP which can be on-prem or in another cloud.
Access (destined) to the app itself from a GCP or another network is always routed via the internet facing Public IPs. There is no option to access the app at a private IP at the moment.
If there's another update, I will update it here.
Update 28Oct2021
Google has now launched Serverless Network Endpoint Group(NEG)s. With this users can connect AppEngine, Cloud Run & Cloud Function endpoints to a LoadBalancer. However at the moment, you can only use Serverless NEGs with an external HTTP(S) load balancer. You cannot use serverless NEGs with regional external HTTP(S) load balancers or with any other load balancer types. Google documentation for Serverless NEGs is available here.
I'm not sure this meets your requirements, but it's possible to set up an App Engine Standard application (not certain about Flexible) such that it is only accessible to users logged into your G-Suite domain. This is the approach I've used for internal-facing applications in the past, but it only applies if your case involves an entity using G-Suite.
You can set this up under the App Engine application Settings, under Identity Aware Proxy.
In this scenario the application is still operating at a publicly accessible location, but only users logged into your G-Suite domain can access it.
It should be possible with the GAE flexible environment. From Advanced network configuration:
You can segment your Compute Engine network into subnetworks. This
allows you to enable VPN scenarios, such as accessing databases within
your corporate network.
To enable subnetworks for your App Engine application:
Create a custom subnet network.
Add the network name and subnetwork name to your app.yaml file, as specified above.
To establish a VPN, create a gateway and a tunnel for a custom subnet network.
The standard env GAE doesn't offer access to the networking layer to achieve such goal.
Does anyone know if it is going to be possible anytime soon to setup SSL for a custom domain without a Google App account directly from the Google cloud developers console? Signing up for yet another Google account is bordering on making me insane.
I have setup a custom domain via the Google cloud developers console for my app project, and this is serving as a naked url...no problem.
Then I tried to setup a Google App account with an existing account linked to my Google App Engine project as an owner, but it didn't like it. So I setup a new one (deleted now) and re-verified the custom domain, which then stopped the serving of the custom domain. I then deleted the Google App account and it started serving the custom domain again. I have no idea why, what or how...
I have purchased an SSL certificate from Comodo, not yet activated, and all I want to do is set it up without giving myself an emotional hernia, I get enough of those from coding! And, yes, read the docs, but you know, they suck! A step by step idiots example would be great!
Does anyone have a guide other than a google doc on how to setup SSL for a custom domain including activating the SSL cert etc. etc.
Thanks one and all
Ok, I have discovered that Google are moving the SSL setup to their developers cloud console at the end of August 2015. So I shall wait until then to see what that process is like and then decide to go with it or perhaps use Cloudflare or some other alternative if there is one.
See https://code.google.com/p/googleappengine/issues/detail?id=777
We have added support for custom domains for App Engine from the
Google Developers Console, meaning you can now associate a custom
domain without first associating that domain with Google Apps.
To access the feature, visit https://console.developers.google.com/
and you will find the option to add a custom domain under App Engine >
Settings.
NOTE: Currently we do not support SSL on custom domains created
through this method (although we expect to rectify this in a future
release). In the meantime, we continue to support SSL (via VIP or SNI)
for custom domains that are created through Google Apps, and we
continue to provide free HTTPS for all *.appspot.com domains.
From this question I learned that Google App Engine does not currently support SSL on "custom domains" (at least not as of June 2010, when that question was asked).
Does this mean if I want to host my GAE app on www.mydomain.com, I cannot use SSL?
A few days ago it comes into tests.
Priority:
It is at the top of the Features on Deck list.
http://code.google.com/appengine/docs/roadmap.html
Simultaneous serving:
A custom domain hosted app such as http://www.mydomain.com can still be accessed on its ssl appspot subdomain such as https://yourapp.appspot.com
Issue:
http://groups.google.com/group/google-appengine/browse_thread/thread/844dc97fbfc57bab/0c8651f00072f9ea?lnk=gst&q=ssl#0c8651f00072f9ea
(As the others on here have said) SSL is not currently supported for your own domain. It is aparently on it's way but has been for some time, I believe it is currently only available to a select few Google App Engine for Business customers.
The temporary solution which many (myself included) are using is to setup a reverse proxy from another hosting service (Amazon EC2 in my case) to route SSL traffic.
If your app suits the situation where your URLs are not of importance, you could setup an SSL site somewhere and access your https://xxx.appspot.com version from within an iframe
Either way until GAE offically supports SSL via your Google Apps domains, you will need an external service to workaround it.
Custom SSL is available for App Engine since 27 Jun 2012.
You can setup it from your domain's control panel:
https://developers.google.com/appengine/docs/ssl
All secure traffic with Google App Engine must be served from your appspot.com domain (https://your-app-id.appspot.com). If you are serving your app off of a Google Apps domain, you must direct all secure traffic through your app's appspot domain.
This is what is written in google app engine documentation. That means. SSL is supported on appspot.com domain
You can get SSL to work on your custom domain hosted on AppEngine, however you need to run a reverse proxy that can modify the host header to do so. If you want to setup a reverse proxy yourself, you can do so following these instructions:
http://radomirml.com/2011/01/30/reverse-proxy-for-gae-application-using-nginx-and-ssl
Alternatively, you can use a reverse proxy service like CloudFlare. The process of getting SSL to work with an appspot.com domain is documented on the CloudFlare Blog:
http://blog.cloudflare.com/ssl-on-custom-domains-for-appengine-and-other
You can use wwwizer.com - it is a reverse proxy service with SSL.
You get an individual IP and it is showing your app both on http and https ports. It is cheaper and easier than hosting the whole server yourself.
This is my service, so, yes, this is blatant advertising :-)
Here's a HOWTO I wrote up explaining how to do SSL on your custom domain using CloudFlare:
http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine
Since Sdk 1.7.0, released at Google I/O, developers can serve their applications via HTTPS on custom domains using both SNI (Server Name Indication) and VIP (Virtual Ip) based SSL.