Unable to set specific firewall rules for app-engines


Problem description

We have a problem setting correct firewall rules for our different App Engine services on GCP, as it doesn't seem to be possible.

Our problem is very simple: we have a default App Engine service that should be publicly accessible and act as a gateway, while all the other services are internal only and are hosted in the same GCP project.

We tried to set custom network tags and rules in the VPC firewall section, but all of those are overruled by the App Engine firewall. Sadly, the latter doesn't allow a per-service configuration.

Would you know a simple way to do this? Our only solution so far is to put the gateway on a Compute Engine instance or in another GCP project.

Recommended answer

Given that you are using App Engine Flexible, you can set the network your service will run in by changing the Network Settings in the app.yaml configuration file. In your case, since you have one group of instances that you don't want to be reachable and one instance that will act as a gateway, you can do the following:

  1. Create two different networks, and a subnetwork for each one in the region you find convenient. Also make sure to enable Private Google Access, so you will always be able to connect to GCP APIs without needing to create new firewall rules. You can set the subnet IP address range to anything as long as it is not already used in your project; I used 10.0.0.0/9, for example. Make sure that the subnetwork zone is the same for both networks.

  2. In the network that you don't want to receive traffic from outside GCP, create a firewall rule to deny all ingress traffic to the network.

  3. Configure the app.yaml file in your services by adding:

network:
  instance_tag: TAG_NAME
  name: NETWORK_NAME
  subnetwork_name: SUBNETWORK_NAME

Your gateway instance should have the NETWORK_NAME and SUBNETWORK_NAME of the network with allowed ingress traffic, while the rest of the services get the network where you created the previous firewall rule. TAG_NAME can be any tag you want to give to this machine; I recommend using a unique tag for each of the two groups of services.

  4. Redeploy your services.

Now you should be able to send traffic only to the service acting as a gateway, while the gateway is able to connect to the rest of the services, because you enabled Private Google Access in the first step.
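The four steps above, as an added example that is not part of the original answer: a POSIX shell script that emits (or, with DRY_RUN=0, executes) the gcloud commands for the two custom-mode networks, their subnets with Private Google Access, the deny-all ingress rule on the internal network, and the two app.yaml files with the network stanza from the answer. Network, subnet and tag names, IP ranges, the region, the ports, the service names and the runtime line are all assumptions. It also goes beyond the answer in two places, each marked in the comments: a deny-all ingress rule also blocks the gateway itself and Google's health-check probers, so narrower allow rules are added above it, and two separate VPC networks have no route between them, so the script peers them.

```shell
#!/bin/sh
# Added example (editor's code, not from the answer): plan for the two-network
# App Engine Flexible layout. Every name, range, port and region is an assumption.
set -eu

REGION="${REGION:-europe-west1}"
PUBLIC_NET="gateway-net";    PUBLIC_SUBNET="gateway-subnet";   PUBLIC_RANGE="10.10.0.0/24"
INTERNAL_NET="internal-net"; INTERNAL_SUBNET="internal-subnet"; INTERNAL_RANGE="10.20.0.0/24"
GATEWAY_TAG="ae-gateway";    INTERNAL_TAG="ae-internal"
INTERNAL_PORT="8080"   # assumed port the internal services listen on

# Dry run by default: print each command on one line instead of executing it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: two custom-mode networks, one subnet each in the same region,
# Private Google Access enabled on both subnets.
create_networks() {
  for pair in "$PUBLIC_NET:$PUBLIC_SUBNET:$PUBLIC_RANGE" "$INTERNAL_NET:$INTERNAL_SUBNET:$INTERNAL_RANGE"; do
    net=${pair%%:*}; rest=${pair#*:}; subnet=${rest%%:*}; range=${rest#*:}
    run gcloud compute networks create "$net" --subnet-mode=custom
    run gcloud compute networks subnets create "$subnet" --network="$net" \
      --region="$REGION" --range="$range" --enable-private-ip-google-access
  done
  # Beyond the answer: separate VPC networks have no route between them, so the
  # gateway can only reach the internal subnet's addresses if the two are peered.
  run gcloud compute networks peerings create gw-to-internal --network="$PUBLIC_NET" --peer-network="$INTERNAL_NET"
  run gcloud compute networks peerings create internal-to-gw --network="$INTERNAL_NET" --peer-network="$PUBLIC_NET"
}

# Step 2: deny all ingress into the internal network. The deny rule sits at the
# lowest priority; narrower allow rules above it win (lower number = higher priority).
create_firewall_rules() {
  run gcloud compute firewall-rules create internal-deny-all-ingress \
    --network="$INTERNAL_NET" --direction=INGRESS --action=DENY --rules=all \
    --source-ranges=0.0.0.0/0 --priority=65534
  # Beyond the answer: without this rule the deny-all also blocks the gateway.
  run gcloud compute firewall-rules create internal-allow-gateway \
    --network="$INTERNAL_NET" --direction=INGRESS --action=ALLOW --rules="tcp:$INTERNAL_PORT" \
    --source-ranges="$PUBLIC_RANGE" --target-tags="$INTERNAL_TAG" --priority=1000
  # Beyond the answer: Google's documented health-check prober ranges, assumed to
  # be what probes the Flexible instances, must also get through the deny-all.
  run gcloud compute firewall-rules create internal-allow-health-checks \
    --network="$INTERNAL_NET" --direction=INGRESS --action=ALLOW --rules="tcp:$INTERNAL_PORT" \
    --source-ranges=35.191.0.0/16,130.211.0.0/22 --target-tags="$INTERNAL_TAG" --priority=1000
  # Gateway network: only the public-facing port, only to tagged gateway instances.
  run gcloud compute firewall-rules create gateway-allow-https \
    --network="$PUBLIC_NET" --direction=INGRESS --action=ALLOW --rules=tcp:443 \
    --source-ranges=0.0.0.0/0 --target-tags="$GATEWAY_TAG" --priority=1000
}

# Step 3: a per-service app.yaml carrying the network stanza from the answer.
# $1 = output path, $2 = TAG_NAME, $3 = NETWORK_NAME, $4 = SUBNETWORK_NAME, $5 = service
write_app_yaml() {
  cat > "$1" <<EOF
runtime: python   # assumed runtime; only the network stanza matters here
env: flex
service: $5
network:
  instance_tag: $2
  name: $3
  subnetwork_name: $4
EOF
}

# Steps 1-3 for both groups, then the deploy commands of step 4.
plan_all() {
  out=${1:-.}
  mkdir -p "$out/gateway" "$out/internal"
  create_networks
  create_firewall_rules
  write_app_yaml "$out/gateway/app.yaml"  "$GATEWAY_TAG"  "$PUBLIC_NET"   "$PUBLIC_SUBNET"   default
  write_app_yaml "$out/internal/app.yaml" "$INTERNAL_TAG" "$INTERNAL_NET" "$INTERNAL_SUBNET" internal-api
  run gcloud app deploy "$out/gateway/app.yaml"
  run gcloud app deploy "$out/internal/app.yaml"
}

# Usage: sh ae-networks.sh plan ./out   (prefix with DRY_RUN=0 to execute)
if [ "${1:-}" = "plan" ]; then plan_all "${2:-.}"; fi
```

Review the printed plan before running it with DRY_RUN=0; the priorities matter, since a deny rule at 1000 would hide the allow rules that carry the same number.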
