Proxy Google Cloud Endpoints - google-app-engine

We need to migrate from one app engine project to another (due to the constraints put in place for changing region).
The ideal solution would just be to proxy all requests through to the new server however we are using Google Cloud Endpoints which are intercepted by the server and delivered as POST requests.
We can't redirect as we have mobile apps relying on the API.
Does anyone have a solution (rather than proxying every API method we have) to proxy to a new server?

I would write a ServletFilter on the old app that intercepts /_ah/spi/* and forwards it to the new app, also on /_ah/spi/*. Keep in mind that you'll have to keep the existing Endpoints code in place, or the proxy will delete your configuration and not forward anything.

Related

How to setup Google IAP between 2 Google App Engine Apps

I have a frontend project and a backend project. These are 2 separate app engine projects.
Setting up IAP on both is not problem but when my frontend project tries to call the backend project it is blocked.
Is there anyway to have access allowed to the backend project when the user passes the frontend IAP ? or do I have to leave the backend project without IAP enabled ?
You have to programmatically invoke (make the call using an OIDC token) to the backend from your front end. See documentation on how to do that.
There are misunderstandings. Let me clarify.
Firstly, your App Engine is highly scalable in a single project. Instead of having several projects with several App Engine, you should have only one project, with a single App Engine and multiple services.
Default is usually used for the frontend part. You can use an API service for your backend, or name it as you wish.
Like that, the whole website will be protected by the same IAP context. Like that, no issue as you have before, it's the same IAP cookies and the API calls should not create issues.
Secondly, keep in mind that your JS code runs in the client browser, not on App Engine; App Engine only serves the static files, that's all. All the rest of the computation is performed locally.

Is there a way to limit only allow incoming requests from other App Engine services?

I have four services running within the same app on App Engine. I have a frontend SvelteKit application, and three backend services. If possible, I'd like to set up security in such a way that the backend services will only accept HTTP requests from the frontend application (which sends all API requests via its Node server).
Is there a way of doing this without spending a load of money on a Serverless VPC Access connector?
Ideally I want to keep these all within the same GCP project as well. So far the only solution I can come up with is to ship the services with a secret that they check against when receiving a request, but there must be a better way to do it.
Take a look at Identity Aware Proxy
Pay attention to the part of the above documentation that says
In order to make a resource publicly-accessible (while sibling resources are restricted), grant the IAP-secured Web App User role to allUsers or allAuthenticatedUsers.
Per your use case, your front-end application will be available to the public while your 3 backend services will only be available to the front-end application
Since your backend services are now secured (via IAP), you have to programmatically invoke them in your front end. See documentation on how to do that.

Clarification on Continuous Deployment Using Cloud Endpoints & App Engine

Related Reference Issue: Redeploying OpenAPI spec into App Engine standard environment
When using Cloud Endpoints via App Engine, what would be the best way to approach continuous deployments? If the OpenApi spec changes, the backend service tied to the endpoint needs to be redeployed meaning that modifications to a "v1" of an endpoint would require downtime in the service while the service is in deployment.
Does this mean that any time a new spec is generated a "breaking change" occurred and I should increment the version, redeploy the backend service, and update the url on any services that use that endpoint to allow more seamless transitioning in modifications to the endpoint? Because as of now working with endpoints I'm having trouble seeing in what instances redeploying the spec doesn't break the backend service and vice-versa.
I realized that when a new spec is generated, there is an ENDPOINTS_SERVICE_VERSION that is generated which seems to be persistent. So the act of deploying a new spec does not cause a breaking change in the API endpoint AFAIK as the backend service will still be pointing to a valid previous deployment.
I don't know how many ENDPOINTS_SERVICE_VERSIONs are persistent as I could not find this in the docs but if the backend service is updated with the latest endpoint service version soon afterwards, updates to the api can be seamless without disruption of the service as far as deployments go.

Google App Engine Backends not associated to any Frontend

I'm developing a Java app in GAE, which offers an API through Google Cloud Endpoints.
Basically it receives requests in the endpoints and uses a number of web services from different providers, stores some data and returns some data through the endpoints...
I understand that my app is conceptually a backend, because it doesn't provide any web page, but only the endpoints, don't you think so?
But there's no way to create only a backend, without being associated to any frontend app, is there? At least Google Plugin for Eclipse only allow you to "Generate App Engine Backend", from an existing app, and moreover this app must be an Android project...
I'm using it as a frontend and there's no problem, but apart from the conceptual issue, I've read that backends are kind of optimized to be backends, with more memory and CPU...
I think you're just confused because the Cloud Endpoints documentation uses the word 'backend' to refer to the entire cloud-hosted server implementation. It doesn't specifically refer to the use of GAE backend instances. Endpoint requests can be served by frontend or backend instances, based on how you set them up and the url being accessed.
From the App Ending docs:
"When an application is called to serve a web request, it must issue a response within 60 seconds"
"App Engine Backends are instances of your application that are exempt from request deadlines and have access to more memory (up to 1GB) and CPU (up to 4.8GHz) than normal instances."
So unless you're requests are doing something crazy, you don't need to use a backend. In the google-plugin-for-eclipse, "generate appengine backend" is talking about creating a backend for your android app... a server for your android app to contact (in this case your android app is the frontend and you're appengine app is the backend). In the example app you can remove the web side (index.html) to the appengine application and you'll have no web frontend. Index.html is using the gapi javascript library to make endpoints calls to your appengine service.

Are there any hosted services for Socket.IO (or alternatives)?

I have a web application running on Google App Engine and need to provide near real time updates to connected web clients. One way would be to use the Google App Engine Channels API, but I'm a bit uneasy about using a proprietary solution.
Are there any reliable hosted services allowing for clients to connect using Socket.IO (with all its supported fallback protocols), and a web server solution running on Google App Engine to publish notifications to it? Any other alternatives that offers the same functionality?
You looking for something like beaconpush.com?
I have the same problem as you.
I've thought about using the Channel API as well however the free quota is quite low (100 channels created per day, each client is one channel).
Here's the solution I'm building:
All of the server logic runs in app engine python runtime
app engine serves all the html and client code
I run a node.js socket.io server on dotcloud (using their free tier)
the node.js server sets up an http server that listens to get requests on a few special url endpoints (ie: myapp-on.dotcloud.com/room/[room_id]) and when it gets called it triggers the socket.io broadcast to the appropriate clients
html clients generated on app engine connect to my myapp-on.dotcloud.com
All user input in the client is sent to app engine via a normal ajax post/get
when the app engine server code needs to push something to the client it makes a url fetch on the appropriate url (myapp-on.dotcloud.com/room/[room_id]) that triggers a message push via socket.io to the connected clients
I'm yet to implement this, but sounds like a workable plan
the idea is to keep all the logic in app engine and only use the socket.io server as a message pusher

Resources