How to establish a private connection between Google App Engine and Compute Engine?


Problem description

I have a web app/API which is currently running on a Google App Engine resource. As the calculations of the API are very computing intensive, I have outsourced the computational part to a managed auto-scaling Google Compute Engine group, with an HTTP load balancer in the front end (to maintain a single IP address and balance load across the several engines that are dynamically spawning).

Currently, I just make an HTTP call to the load balancer IP address from the App Engine. As the GAE and GCE are in the same region, this however feels highly inefficient (I am aware that the App Engine and the Compute Engines are still in two physically separated data centers). This also poses a security threat as I am constantly receiving calls from random IP bots trying to exploit potential security loopholes. Additionally, I am only verifying API token validity at the App Engine level, as I do not want to give user database access to the Compute Engine (security reasons), so this means that there is no verification being done between App Engine and Compute Engine, so that the latter answers all calls that it gets.

Is it possible to establish a private connection between App Engine and Compute Engine?

My goal would be to not have to open the GCE to the whole internet, bearing in mind that it is only receiving calls from one IP address/resource.

I have tried whitelisting only the App Engine's IP addresses, but this unfortunately is a large block of addresses, is very cumbersome to retrieve and changes dynamically. The App Engine also cannot use the private IP of the Compute Engine / Google SQL servers.

Other creative ideas are highly welcome!

Answer

It appears that Serverless VPC Access may be a potential solution. The following is taken from the overview:

Serverless VPC Access enables you to connect from the App Engine standard environment and Cloud Functions directly to your VPC network. This connection makes it possible for your App Engine standard environment apps and Cloud Functions to access resources in your VPC network via internal (private) IP addresses. Using internal IP addresses improves the latency of communication between your Google Cloud Platform services and avoids exposing internal resources to the public internet.

Serverless VPC Access only allows your app or function to send requests to resources in your VPC network and receive responses to those requests. Communication in the opposite direction, where a VM initiates a request to an app or function, requires you to use the public address of the app or function.
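A concrete way to apply the answer, added here as an example that is not part of the original question or answer: the connector is created in the VPC, the Compute Engine backend's firewall admits only the connector's range, and the app.yaml fragment routes the App Engine standard app's egress through the connector. The project id, region, connector name, /28 range and backend network tag are all assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the question or answer: connect an App Engine standard
# app to a Compute Engine backend through Serverless VPC Access and admit only
# the connector's range at the backend firewall. All values below are assumed
# placeholders; replace them with your own project, region, tag and range.
PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-europe-west1}"
NETWORK="${NETWORK:-default}"
CONNECTOR="${CONNECTOR:-gae-to-gce}"
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"  # unused /28 inside the VPC
BACKEND_TAG="${BACKEND_TAG:-compute-backend}"      # network tag on the MIG template
BACKEND_PORT="${BACKEND_PORT:-8080}"

# run: execute a command, or only print it when DRY_RUN is set, so the
# generated gcloud calls can be reviewed before they touch a real project.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Create the connector; requests sent through it enter the VPC with a
#    source address taken from CONNECTOR_RANGE.
create_connector() {
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project "$PROJECT_ID" --region "$REGION" \
    --network "$NETWORK" --range "$CONNECTOR_RANGE"
}

# 2. Firewall: only the connector's range may reach the backend port, instead
#    of the 0.0.0.0/0 rule the public load balancer setup needed.
create_backend_firewall() {
  run gcloud compute firewall-rules create "allow-${CONNECTOR}-to-backend" \
    --project "$PROJECT_ID" --network "$NETWORK" --direction INGRESS \
    --source-ranges "$CONNECTOR_RANGE" --target-tags "$BACKEND_TAG" \
    --allow "tcp:${BACKEND_PORT}"
}

# 3. app.yaml fragment that sends the app's outbound traffic via the connector;
#    the app then calls the backend's internal IP instead of the public LB.
app_yaml_fragment() {
  cat <<EOF
vpc_access_connector:
  name: projects/${PROJECT_ID}/locations/${REGION}/connectors/${CONNECTOR}
EOF
}
```

Run the functions with DRY_RUN=1 first to review the exact gcloud commands. Backends that stay behind an HTTP load balancer additionally need a rule admitting Google's health-check ranges (130.211.0.0/22 and 35.191.0.0/16) on the backend port, or the instances will be marked unhealthy.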
