Google App Engine Firewall: Restrict access to all services but the default one
Problem description
I have a GAE project (flexible) consisting of 1 default and 2 subservices:
- foo.appspot.com
- service1.foo.appspot.com
- service2.foo.appspot.com
Now I want to use foo.appspot.com as API proxy & auth gateway to the internal services service1 and service2. The proxy itself I wrote and it is working fine.
I am struggling with adjusting the GAE Firewall to forbid incoming world traffic to service1 and service2 because I would like to force an API user to send requests to foo.appspot.com. Traffic to the default service foo should be allowed.
It seems I can just enter IPs in the Firewall settings but not service names. The docs say that it should work but do not show how.
Thanks for your help!
Recommended answer
App Engine Flex environment is built on the Google Compute Engine and consequently, it supports the Virtual Private Cloud networking system. With the VPC networks, you can configure firewall rules that would use Instance Tags to determine the target or source component in a firewall rule. Hence, you simply have to configure the app.yaml files of the target service/version to use the appropriate instance tags.
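A sketch of the tagging the answer describes, added here as an illustration and not taken from the original answer. The tag names `internal-svc` and `api-gateway`, the network name `default`, the runtime, port 8080, the rule names and the `DENIED_RANGES` placeholder are all assumptions.

```yaml
# service1/app.yaml (constructed example; service2/app.yaml carries the
# same network block with service: service2)
runtime: custom                 # assumption: any flexible-environment runtime
env: flex
service: service1
network:
  name: default                 # assumed VPC network the instances attach to
  instance_tag: internal-svc    # assumed tag, set on every VM of this service
---
# app.yaml of the default service (the proxy / auth gateway)
runtime: custom
env: flex
network:
  name: default
  instance_tag: api-gateway     # assumed tag identifying the gateway VMs

# VPC firewall rules keyed on those tags (assumed names, port and priorities).
# A lower priority number is evaluated first, so the allow rule wins over
# the deny rule for traffic coming from the gateway instances.
#
#   gcloud compute firewall-rules create allow-gateway-to-internal \
#     --network=default --direction=INGRESS --action=ALLOW \
#     --rules=tcp:8080 --priority=1000 \
#     --source-tags=api-gateway --target-tags=internal-svc
#
#   gcloud compute firewall-rules create deny-others-to-internal \
#     --network=default --direction=INGRESS --action=DENY \
#     --rules=tcp:8080 --priority=1100 \
#     --source-ranges=DENIED_RANGES --target-tags=internal-svc
#
# DENIED_RANGES is a placeholder: pick the ranges so that the platform's
# health checks to the tagged instances are not cut off.
# --source-tags matches traffic sent from other instances in the same VPC
# network, so this sketch assumes the proxy reaches service1 and service2
# over that network.
```

After deploying, sending a request straight to service1 from outside the project is a quick check of whether the rules behave as intended.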