如何为App Engine实例正确配置VPC防火墙? [英] How to properly configure VPC firewall for App Engine instances?

问题描述

我们正在尝试使用Google App Engine(主要是灵活实例)部署基于微服务的应用程序，该应用程序具有默认服务上的网关和一些提供业务逻辑的微服务.您可能认为它是:

We are trying to deploy a micro-service based application using google app engine (mainly flexible instances), having a gateway on the default service and a few Microservices providing the business logic. You might think of it as :

• foo.appspot.com
• service1.foo.appspot.com
• service2.foo.appspot.com

完成后这里

我希望只能从网关(也许还有其他几台机器)访问这些服务，而不能从外部访问，但是我无法使它正常工作.

I would like the services to be accessible only from the gateway (and maybe few other machines), and not from the outside, but I couldn't get it to work.

我已经能够在给定的VPC网络上设置所有服务，向该网络中传入的拒绝所有流量"添加一条规则，但带有标记并允许所有操作的网关除外.(如此回复此处所述)

I've been able to set all the services on a given VPC network, adding a rule to "Deny All traffic" incoming in this network, except for the gateway that is tagged and allows everything. (as described in this response here)

这适用于运行时，但是这样做时，我们无法使用 gcloud app deploy 进行部署.(它挂在更新服务"步骤上).我试图允许使用22端口，但似乎这不是正在使用的端口.我还尝试仅阻止80和443端口，但是现在可以再次从此外部访问App Engines service1和service2.

This works for runtime, however, when doing so we cannot deploy using gcloud app deploy. (It hangs at the "Updating service" step). I've tried to allow the 22 port, but it seems this is not the one in use. I've also tried to block only the 80 and 443 ports, but now the App Engines service1 and service2 are accessible from this outside again.

我应如何配置防火墙使其能够在App Engine上进行部署，并限制仅对网关的服务访问?使用VPC防火墙甚至可以做到这一点，还是我应该使用KCE实例，还是应该避免使用GCP基础结构并亲自对请求进行签名/验证?

How should I configure the firewall to be able to deploy on the App Engine, and restrict access to the services to the gateway only? Is this even possible using the VPC firewall, or should I either use a KCE instance or avoid using GCP infrastructure and sign/verify requests myself?

推荐答案

经过进一步调查后，您现在想在GAE中无法实现所需的功能.

After some further investigation, what you want is not possible in GAE right now.

这里有一些可能的解决方法，您可能要尝试:

Here there are some possible workarounds that you may want to try:

• 使用 Bastion VM .使用此选项，您将在Bastion VM中拥有默认服务的代码，然后将GAE flex与其他2个服务一起部署，并在其中设置GAE防火墙规则以仅允许与Bastion VM进行通信.

• Use a Bastion VM. With this option, you would have the code for what was your default service in the Bastion VM, and then have your GAE flex with the other 2 services deployed and set there the GAE firewall rule to only allow communication with the Bastion VM.

正如您在问题中所说，您可以使用Kubernetes.这是有关如何部署容器化的容器网络应用程序.

As you said in your question, you could use Kubernetes. Here is a tutorial on how to deploy a containerized web application.

最后，您可以使用标准HTTP标头(例如X-Forwarded-For)来确定客户端的IP地址，从而对入站请求执行自己的验证.

Lastly, you could perform your own validation of inbound requests, using standard HTTP headers such as X-Forwarded-For to determine the IP address of the client.

这篇关于如何为App Engine实例正确配置VPC防火墙?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！