How can I safely configure AppEngine sockets w/ Google Compute Engine - google-app-engine

I'd like to put a Redis server on Google Compute Engine and speak to it via AppEngine's socket support. The only problem is that there doesn't seem to be a specific firewall rule that says "this AppEngine application can access this host/port and no other".
There are some rules at instance setup time that describe whether the instance has access to task queues, etc., but not the inverse.
So my question is: how can I restrict port access to a Redis service only to a single AppEngine application?

In short, you cannot. AppEngine is a shared IP space with all the other apps, just like shared hosting. You need to use application-level authentication such as OAuth to get the proper restrictions in place.

Related

How to establish a private connection between Google app engine and compute engine?

I have a web app/API which is currently running on a Google App Engine resource. As the calculations of the API are very computing intensive, I have outsourced the computational part to a managed auto-scaling Google Compute Engine group, with an HTTP load balancer in the front end (to maintain a single IP address and balance load across the several engines that are dynamically spawning).
Currently, I just make an HTTP call to the load balancer IP address from the app engine. As the GAE and GCE are in the same region, this however feels highly inefficient (I am aware that the app engine and compute engines are still in two physically separated data centers). This also poses a security threat as I am constantly receiving calls from random IP bots trying to exploit potential security loopholes. Additionally, I am only verifying API token validity at the app engine level, as I do not want to give user database access to the compute engine (security reasons), so this means that there is no verification being done between app engine and compute engine, so that the latter answers all calls that it gets.
Is there a way to establish a private connection between the app engine and compute engine?
My goal would be to not have to open the GCE to the whole internet, bearing in mind that it is only receiving calls from one IP address/resource.
I have tried whitelisting only the App Engine IP addresses, but this unfortunately is a large block of addresses, is very cumbersome to retrieve and changes dynamically. The app engine also cannot use the private IP of the compute engine/Google SQL servers.
Other creative ideas are highly welcome!
It appears that Serverless VPC Access may be a potential solution. The following is taken from the overview:
Serverless VPC Access enables you to connect from the App Engine standard environment and Cloud Functions directly to your VPC network. This connection makes it possible for your App Engine standard environment apps and Cloud Functions to access resources in your VPC network via internal (private) IP addresses. Using internal IP addresses improves the latency of communication between your Google Cloud Platform services and avoids exposing internal resources to the public internet.
Serverless VPC Access only allows your app or function to send requests to resources in your VPC network and receive responses to those requests. Communication in the opposite direction, where a VM initiates a request to an app or function, requires you to use the public address of the app or function.

Is there a way to deploy internal facing applications in Google App Engine?

Is there a way to deploy "internal facing" applications in Google App Engine. AWS offers this capability as explained here and so does Azure as explained here.
What is the GCP equivalent for this? It appears App Engine Flexible Environment could be the answer, but I could not find clear documentation on whether Flexible Environment is indeed the way to host intranet-facing applications. Is there someone from GCP who can advise?
Update
I tested the solution recommended by Dan recently. Listed below are my observations:
App Engine Flex allows deploying to a VPC and this allows VPN scenarios. The VPN scenarios, however, are for connections (originating) from App Engine to GCP VPCs or to other networks outside GCP, which can be on-prem or in another cloud.
Access (destined) to the app itself from a GCP or another network is always routed via the internet facing Public IPs. There is no option to access the app at a private IP at the moment.
If there's another update, I will update it here.
Update 28Oct2021
Google has now launched Serverless Network Endpoint Groups (NEGs). With this, users can connect AppEngine, Cloud Run and Cloud Function endpoints to a load balancer. However, at the moment, you can only use Serverless NEGs with an external HTTP(S) load balancer. You cannot use serverless NEGs with regional external HTTP(S) load balancers or with any other load balancer types. Google documentation for Serverless NEGs is available here.
I'm not sure this meets your requirements, but it's possible to set up an App Engine Standard application (not certain about Flexible) such that it is only accessible to users logged into your G-Suite domain. This is the approach I've used for internal-facing applications in the past, but it only applies if your case involves an entity using G-Suite.
You can set this up under the App Engine application Settings, under Identity Aware Proxy.
In this scenario the application is still operating at a publicly accessible location, but only users logged into your G-Suite domain can access it.
It should be possible with the GAE flexible environment. From Advanced network configuration:
You can segment your Compute Engine network into subnetworks. This allows you to enable VPN scenarios, such as accessing databases within your corporate network.
To enable subnetworks for your App Engine application:
Create a custom subnet network.
Add the network name and subnetwork name to your app.yaml file, as specified above.
To establish a VPN, create a gateway and a tunnel for a custom subnet network.
The standard env GAE doesn't offer access to the networking layer to achieve such goal.

Setup Google Compute Engine to only be accessible from a Google App Engine application?

Google Compute Engine instances can be secured behind a firewall that allows you to open the instance by ports and/or IP addresses.
Google App Engine doesn't use a single IP address.
I have a Compute Engine server running Nginx that I would like to completely lock down so the only way to access it is through an application on Google App Engine. Is this possible?
If not, is there a simple way to send a POST request with a string of characters to Nginx, so that, if it is not present, the Nginx server sends people to a 404?
Use HTTP authentication as per the question Dan has linked to. There is no viable network/IP/firewall mechanism to restrict access.
The HTTP authentication works just fine!
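As an added illustration of the application-level check the answers recommend (this is not code from any of the posts above), here is a minimal WSGI backend for the Compute Engine side that only answers requests carrying a shared secret and returns 404 to everything else, as the question proposed. The header name `X-Backend-Token` and the `BACKEND_SHARED_SECRET` variable are assumptions; the secret must travel over HTTPS, since the demo server itself speaks plain HTTP.

```python
"""Constructed example: shared-secret gate for a backend on Compute Engine.

App Engine attaches the secret in a request header; anything without the
correct value is answered with a bare 404 so scanners learn nothing.
"""
import hmac
import os
from wsgiref.simple_server import make_server

# Assumption: the same secret is injected into both sides' environments.
SHARED_SECRET = os.environ.get("BACKEND_SHARED_SECRET", "constructed-demo-secret")
HEADER = "HTTP_X_BACKEND_TOKEN"  # WSGI environ key for the X-Backend-Token header


def is_authorised(environ):
    """Constant-time comparison so response timing does not leak the secret."""
    presented = environ.get(HEADER, "")
    return hmac.compare_digest(presented.encode(), SHARED_SECRET.encode())


def app(environ, start_response):
    """WSGI application: 404 unless the shared secret is present and correct."""
    if not is_authorised(environ):
        # Indistinguishable from a missing page, as the question suggested.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not Found"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the backend"]


def handle(environ):
    """Run one request through the app and return (status, body) for checks."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def client_headers():
    """Headers the App Engine side adds to its outbound HTTP call."""
    return {"X-Backend-Token": SHARED_SECRET}


if __name__ == "__main__":
    make_server("0.0.0.0", 8080, app).serve_forever()
```

The same gate can be expressed as an Nginx `if`/`return 404` on the header value, but doing it in the application keeps the comparison constant-time.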

Is it possible to connect between AppEngine and Computer engine's virtual machine?

I want my AppEngine site to connect to one of my instances (Google Compute Engine) in order to get some data from a local Redis server.
How can I do that?
It seems there's no way to get a connection between AppEngine and Compute Engine within the same account/project...
Thanks!
The answer depends on what protocol your Compute Engine instance accepts:
If it accepts HTTP(S) requests, then you can use the URLFetch service to perform HTTP calls as usual. But your instance must be exposed on the internet (public IP address).
If it does not accept HTTP(S) calls, like Redis, then you will need to use the Sockets API to make outbound calls from App Engine to Compute Engine. Note that this API is in Beta.
Then there's the question of how to secure the Compute Engine instance. You cannot use an IP filter because Google won't tell you what IP your App Engine instances have.
For HTTP(S) calls, one option is to use OAuth2. App Engine instances have an OAuth2 identity embedded in the Identity service, so it is easy to generate OAuth tokens that reliably identify the App Engine instance.
For other types of protocol (MySQL, Redis, others) you will need to rely on the security provided by whatever you're running on the Compute Engine instance. For example in Redis you can require a password to access your server.

Is there an equivalent of AWS "security groups" between App Engine and Compute Engine instances?

TLDR;
Are there any updates about this question?
Google App Engine communicate with Compute Engine over internal network
--
Is it possible to enable HTTP traffic between App Engine and Compute Engine instances that are in the same Cloud Project?
Obviously denying all HTTP traffic from other sources.
Between AWS EC2/RDS/Beanstalk this is possible with "security groups".
I think the best you can currently do is managed VMs (https://developers.google.com/cloud/managed-vms, early access right now). It's essentially managed VMs running custom code in the app engine project. I did not check if the managed VMs will be able to run together with other gce VMs in the same network - if they did one could just connect to the internal addresses of the other instances. There does not appear to be a configuration option to define a network so I'm leaning to guess that they won't be able to see each other on the network like that.
But as an answer to the general question, I don't think there is any way of referencing app engine runtimes as sources in gce network ACLs currently.
As of now, in 2016, Google Cloud has launched the Google Cloud flexible environment (appengine/docs/flexible/). So yes, it is possible now, because both App Engine and Compute Engine are present in the same network, and therefore from App Engine you can access Compute Engine using its internal IP. Also remember to delete all external firewall rules for your Compute Engine instances if you only want to allow access from App Engine.
There isn't a way to reference an App Engine resource within GCE. If you are trying to access GCE only from an App Engine app, then you could define an ACL in GCE to allow traffic only from your AppEngine external IP.
