Google App Engine通过内部网络与计算引擎进行通信 [英] Google App Engine communicate with Compute Engine over internal network
问题描述
我们正在谷歌云中构建一个应用程序。我们使用App Engine作为前端,计算引擎作为后端。在这些计算引擎实例上,我正在运行一个接受某些命令消息的TCP服务器。 Compute Engine实例也通过防火墙和负载均衡器连接到Internet,以便传入https流量。我想将TCP服务器绑定到本地IP地址,并且只允许App Engine实例(它们在同一个项目中)通过 socket api 。
现在我们限制传入连接以 Google Ip的唯一身份
Compute Engine文档包含以下内容:
每个实例都是单个网络的成员。网络执行的功能与路由器在家庭网络中执行的功能相同:它描述网络范围和网关IP地址,处理实例之间的通信,并充当网络之外的实例和呼叫者之间的网关。网络受限于一个项目;它不能跨项目。即使在同一个项目中,不同网络中的实例之间的任何通信都必须通过外部IP地址。在API中,网络由Network对象表示。
是否可以建立安全的通信设置?也许使用App Engine后端实例?
目前还没有办法在GCE和GAE之间建立专用网络。限制谷歌的IP范围是不安全的,因为GAE或GCE上的任何人都可以连接到您的服务器。因此,我建议您在TCP服务器上验证传入连接,以验证连接是否来自您的GAE实例。
We're building an application in the google cloud. We're using App Engine as frontend and Compute Engine as backend. On these Compute Engine instances I'm running a TCP server that accepts certain "command" messages. The Compute Engine instances are also connected to the internet behind a firewall and load balancer for incoming https traffic. I would like to bind the TCP server to a local IP addres and allow only App Engine instances (thes are within the same project) to connect to the TCP "commands" port via the socket api.
For now we're limiting the incoming connections to Google Ip's only
The Compute Engine documentation sais the following:
Every instance is a member of a single network. A network performs the same function that a router does in a home network: it describes the network range and gateway IP address, handles communication between instances, and serves as a gateway between instances and callers outside the network. A network is constrained to a single project; it cannot span projects. Any communication between instances in different networks, even within the same project, must be through external IP addresses. In the API, a network is represented by the Network object.
Would it be possible to build a secure communication setup? Perhaps with App Engine backend instances?
There isn't currently a way to setup a private network between GCE and GAE. Limiting to google's IP range isn't secure since anyone on GAE or GCE could connect to your server. So I recommend that you authenticate incoming connections at your TCP server to verify the connection is coming from your GAE instances.
这篇关于Google App Engine通过内部网络与计算引擎进行通信的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
