Google App Engine 通过内部网络与 Compute Engine 通信 [英] Google App Engine communicate with Compute Engine over internal network
问题描述
我们正在谷歌云中构建应用程序.我们使用 App Engine 作为前端,使用 Compute Engine 作为后端.在这些 Compute Engine 实例上,我正在运行接受某些命令"消息的 TCP 服务器.Compute Engine 实例还通过防火墙和负载均衡器连接到 Internet,用于传入 https 流量.我想将 TCP 服务器绑定到本地 IP 地址,并只允许 App Engine 实例(它们在同一个项目中)通过 socket api.
We're building an application in the google cloud. We're using App Engine as frontend and Compute Engine as backend. On these Compute Engine instances I'm running a TCP server that accepts certain "command" messages. The Compute Engine instances are also connected to the internet behind a firewall and load balancer for incoming https traffic. I would like to bind the TCP server to a local IP addres and allow only App Engine instances (thes are within the same project) to connect to the TCP "commands" port via the socket api.
目前我们将传入连接限制为 Google Ip 的唯一
For now we're limiting the incoming connections to Google Ip's only
Compute Engine 文档如下所述:
每个实例都是单个网络的成员.网络执行与家庭网络中路由器相同的功能:它描述网络范围和网关 IP 地址,处理实例之间的通信,并充当实例与网络外部调用者之间的网关.一个网络仅限于一个项目;它不能跨越项目.不同网络中的实例之间的任何通信,即使在同一个项目中,也必须通过外部 IP 地址.在 API 中,网络由 Network 对象表示.
Every instance is a member of a single network. A network performs the same function that a router does in a home network: it describes the network range and gateway IP address, handles communication between instances, and serves as a gateway between instances and callers outside the network. A network is constrained to a single project; it cannot span projects. Any communication between instances in different networks, even within the same project, must be through external IP addresses. In the API, a network is represented by the Network object.
是否可以建立一个安全的通信设置?也许使用 App Engine 后端实例?
Would it be possible to build a secure communication setup? Perhaps with App Engine backend instances?
推荐答案
目前没有办法在 GCE 和 GAE 之间设置专用网络.限制到 google 的 IP 范围并不安全,因为 GAE 或 GCE 上的任何人都可以连接到您的服务器.因此,我建议您对 TCP 服务器上的传入连接进行身份验证,以验证连接是否来自 GAE 实例.
There isn't currently a way to setup a private network between GCE and GAE. Limiting to google's IP range isn't secure since anyone on GAE or GCE could connect to your server. So I recommend that you authenticate incoming connections at your TCP server to verify the connection is coming from your GAE instances.
这篇关于Google App Engine 通过内部网络与 Compute Engine 通信的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
