If I have a GAE Flex application that's only for internal usage and not intended for any public facing uses, what is the best way to secure it? By default, the *.appspot.com domain exposes a public HTTP/S endpoint.
If I set the default App Engine firewall rule for an explicit deny of all HTTP traffic, how can I then access the application from other GCE instances or other GAE Flex apps in other Projects?
I originally thought that editing the app.yaml file to launch the instance into a private VPC with its own GCE Firewall rules (with the default ingress deny) would suffice, but it's still allowing external traffic due to the fact that requests go through a Cloud load balancer IP.
The next option I looked at is Cloud IAP which allows only authenticated users and service accounts to access my application. This might work but, if I need to access my application from a private VPC with no internet access, it wouldn't work if I'm understanding the service correctly since requests would still have to come via HTTP.
So what can I do to ensure that there is absolutely no public access to the app engine while still allowing internal resources to access it?
Best Answer
The description of your use case makes it suitable for using the App Engine firewall:
Beginning at Allowing requests from your services there are the instructions on how to create firewall rules.
When you create your firewall rules in App Engine, you can choose which IPs to allow or deny access to your app. It is not mandatory to deny all HTTP traffic to all IPs. Take a look at the Example Firewall where some rules are created. Some of them allow traffic to certain IPs while others deny traffic to other IPs as well:
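To make the answer's point concrete, here is an added illustration (not code from the original answer or from Google) of how an App Engine firewall policy of the kind described is evaluated: rules are checked in ascending priority order, the first rule whose source range contains the request's source IP wins, and the default rule (priority 2147483647, range `*`) decides anything nothing else matched, so setting the default to deny and adding allow rules for the internal ranges is what closes the public endpoint. The CIDR ranges and descriptions are constructed examples; the `to_gcloud` helper prints the `gcloud app firewall-rules` commands that would create the same policy. Remember that the address matched is the one the request arrives from as seen by App Engine (for example a Cloud NAT or instance external address), so allow those ranges rather than a VPC's internal subnet.

```python
"""Simulate App Engine firewall rule evaluation (added example, not the page's code).

Rules are evaluated in ascending priority order; the first matching rule wins.
The default rule (priority 2147483647, source range "*") is always present
and decides any request no other rule matched.
"""
from dataclasses import dataclass
import ipaddress

DEFAULT_PRIORITY = 2147483647  # the always-present default rule ("*")


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str          # "allow" or "deny"
    source_range: str    # CIDR (IPv4 or IPv6) or "*" for all addresses
    description: str = ""

    def matches(self, ip: str) -> bool:
        """True if the request's source address falls inside this rule's range."""
        if self.source_range == "*":
            return True
        network = ipaddress.ip_network(self.source_range, strict=False)
        address = ipaddress.ip_address(ip)
        return address.version == network.version and address in network


def evaluate(rules, ip):
    """Return (action, matched_rule) for a request arriving from `ip`."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(ip):
            return rule.action, rule
    raise ValueError("no default rule present")


def to_gcloud(rules):
    """Emit the gcloud commands that would create this policy, lowest priority first."""
    cmds = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.priority == DEFAULT_PRIORITY:
            # The default rule already exists; it can only be updated.
            cmds.append(f"gcloud app firewall-rules update default --action={rule.action}")
        else:
            cmds.append(
                f"gcloud app firewall-rules create {rule.priority} "
                f"--action={rule.action} --source-range={rule.source_range} "
                f"--description='{rule.description}'"
            )
    return cmds


# Constructed policy: block one quarantined subnet first, allow the remaining
# internal ranges, and deny everything else by default.
INTERNAL_RULES = [
    Rule(DEFAULT_PRIORITY, "deny", "*", "default: nothing public"),
    Rule(200, "allow", "10.128.0.0/20", "peer project egress range (constructed)"),
    Rule(210, "allow", "192.0.2.0/24", "office NAT range (constructed)"),
    Rule(100, "deny", "10.128.1.0/24", "quarantined subnet (constructed)"),
]

if __name__ == "__main__":
    for ip in ("10.128.0.5", "10.128.1.9", "203.0.113.7"):
        action, rule = evaluate(INTERNAL_RULES, ip)
        print(f"{ip:15} -> {action:5} (priority {rule.priority}: {rule.description})")
    print()
    print("\n".join(to_gcloud(INTERNAL_RULES)))
```

Running it shows the ordering that matters: the priority-100 deny for `10.128.1.0/24` fires before the broader priority-200 allow for `10.128.0.0/20`, and an unrelated public address falls through to the default deny.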