Google App Engine firewall and internal access


Problem description

I have two services running on Google App Engine (flex, same project), and I'd like one service to call the other using HTTPS.

On top of this, I've setup the firewall, only allowing 0.1.0.40 and 10.0.0.1.

I'm also setting the X-Appengine-Inbound-Appid header in the request.

Unfortunately, I'm getting a "403 Access is forbidden" error (which disappears when disabling the firewall).

Right now, I am using the xxx.appspot.com URL to call the service. Should I use some internal URL instead? It seems that the request is seen as external by the firewall.

Thanks!

Answer

Our team had a similar issue. We are denying all outside access except our other App Engine services, some of which reside in different GCP projects. The only way to allow access from your other App Engine services through the firewall is to have the consuming service use the URL Fetch Service and pass in the appspot.com URL as you mentioned. You would also set followRedirects to false.

But, in your situation this won't work. According to this: https://cloud.google.com/appengine/docs/flexible/nodejs/glossary, it's only available for Java, Python, PHP & Go. In these cases, you would simply add a whitelist rule for 0.1.0.40 and 10.0.0.1.

If you don't want to create a proxy service in Google Compute Engine (as mentioned here), you will have to add in a bunch of very large CIDR ranges as specified here: https://cloud.google.com/appengine/kb/
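The firewall rule decides which source addresses may reach the service at all; the X-Appengine-Inbound-Appid header mentioned in the question is what lets the receiving service tell which App Engine app actually made the call. The following is an added example (not code from the question, the answer, or Google's own libraries) of the check a receiving Python service would perform on that header: it allows only a constructed allowlist of caller app IDs and answers 403 otherwise, and it logs the rejected source address so the denials show up in the service's logs. The WSGI environ shape and the app IDs are assumptions for the demonstration; how the header reaches the service (the URL Fetch behaviour the answer describes) is not modelled here.

```python
"""Allowlist check for the X-Appengine-Inbound-Appid header on the receiving
App Engine service. Added example, not part of the original post. The caller
app IDs below are constructed placeholders (assumption)."""

import logging
from typing import Callable, Iterable, List, Mapping, Optional, Tuple

log = logging.getLogger("inbound-appid-check")

# Constructed placeholder app IDs of the App Engine apps we trust (assumption).
ALLOWED_CALLER_APP_IDS = frozenset({"caller-project-a", "caller-project-b"})


def inbound_app_id(environ: Mapping[str, str]) -> Optional[str]:
    """Return the X-Appengine-Inbound-Appid value from a WSGI environ, or None.

    WSGI exposes request headers as HTTP_<NAME> with dashes turned into
    underscores and upper-cased, so the header arrives under this key.
    An empty or whitespace-only value is treated as absent.
    """
    raw = environ.get("HTTP_X_APPENGINE_INBOUND_APPID")
    if raw is None:
        return None
    value = raw.strip()
    return value or None


def is_trusted_caller(environ: Mapping[str, str],
                      allowed: Iterable[str] = ALLOWED_CALLER_APP_IDS) -> bool:
    """True only when the header names an app ID on the allowlist."""
    app_id = inbound_app_id(environ)
    return app_id is not None and app_id in set(allowed)


def internal_only_app(environ: Mapping[str, str],
                      start_response: Callable) -> List[bytes]:
    """Minimal WSGI app: 403 unless the request carries an allowed app ID."""
    if not is_trusted_caller(environ):
        # Log the denial with the peer address so rejected calls can be
        # reviewed alongside the App Engine firewall's own logs.
        log.warning("rejected request from %s with inbound app id %r",
                    environ.get("REMOTE_ADDR", "unknown"),
                    inbound_app_id(environ))
        body = b"403 Access is forbidden"
        start_response("403 Forbidden",
                       [("Content-Type", "text/plain"),
                        ("Content-Length", str(len(body)))])
        return [body]
    body = b"ok"
    start_response("200 OK",
                   [("Content-Type", "text/plain"),
                    ("Content-Length", str(len(body)))])
    return [body]


def call_app(app: Callable, environ: Mapping[str, str]) -> Tuple[str, bytes]:
    """Tiny offline driver: run a WSGI app once and return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample requests: one from a trusted app, one with no header,
    # one naming an app that is not on the allowlist.
    for env in ({"HTTP_X_APPENGINE_INBOUND_APPID": "caller-project-a",
                 "REMOTE_ADDR": "0.1.0.40"},
                {"REMOTE_ADDR": "203.0.113.9"},
                {"HTTP_X_APPENGINE_INBOUND_APPID": "some-other-app",
                 "REMOTE_ADDR": "0.1.0.40"}):
        print(env.get("HTTP_X_APPENGINE_INBOUND_APPID"), call_app(internal_only_app, env))
```

The check is deliberately a fail-closed allowlist: a missing, blank or unknown app ID is rejected rather than a known-bad one being blocked, which matches the "deny everything except our own services" posture the answer describes for the firewall itself.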
