Unable to set specific firewall rules for app-engines


Problem description

We have a problem setting correct firewall rules for our different app-engine services on GCP, as it doesn't seem to be possible.

Our problem is very simple: we have a default app-engine service that should be publicly accessible and acts as a gateway, and all the other services are only internal and are hosted on the same GCP project.

We tried to set custom network tags and rules in the VPC firewall section, but all of those are overruled by the app-engine firewall. Sadly the latter doesn't allow a per-service configuration.

Would you know a simple way to do this? Our only solution by now is to put the gateway on a Compute Engine instance or in another GCP project.

Recommended answer

Given that you are using App Engine Flexible, you can set the network where your service will run by changing the network settings in the app.yaml configuration file. In your case, since you have one group of instances that you don't want to be reached and one instance that will act as a gateway, you can do the following:

  1. Create two different networks, and a subnetwork for each one in the region you deem convenient. Also, make sure to enable Private Google Access, so you will always be able to connect to GCP APIs without the need to create new firewall rules. You can set the subnet IP address range to anything as long as it is not already used in your project; I used 10.0.0.0/9 for example. Make sure that the subnetwork zone is the same for both networks.

  2. In the network that should not receive traffic from outside GCP, create a firewall rule that denies all ingress traffic to the network.

  3. Configure the app.yaml file of your services by adding:

network:
  instance_tag: TAG_NAME            # network tag that firewall rules can target
  name: NETWORK_NAME                # VPC network the service's instances join
  subnetwork_name: SUBNETWORK_NAME  # subnet inside that network, in the service's region

Your gateway instance should have the NETWORK_NAME and SUBNETWORK_NAME of the network with allowed ingress traffic, while the rest of the services should use the network where you created the previous firewall rule. The TAG_NAME can be any tag you want to give to this machine; I recommend using a unique tag for each of the two groups of services.

  4. Redeploy your services.

Now you should be able to send traffic only to the service acting as a gateway, while the gateway is able to connect to the rest of the services, because you enabled Private Google Access in the first step.
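The steps above as a script, added here as an example and not part of the original answer. It creates the two custom-mode VPC networks with Private Google Access, the deny-all-ingress rule on the internal network, and an app.yaml per service group, then redeploys. Project, region, network and subnet names, the second IP range, the tags and the internal service names are assumptions; because a custom-mode network carries only the implied rules (allow egress, deny ingress), the script also adds an explicit ingress allow for the gateway tag on assumed ports, which the answer does not spell out. It prints the gcloud commands by default; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example, not the original answer's code: the answer's steps as gcloud
# commands plus an app.yaml generator. Project, region, names, ranges and
# tags are assumptions. DRY_RUN=1 (default) prints commands instead of running them.
PROJECT="${PROJECT:-my-gcp-project}"
REGION="${REGION:-europe-west1}"
GATEWAY_NET=gateway-net;   GATEWAY_SUBNET=gateway-subnet;   GATEWAY_RANGE=10.0.0.0/9    # range the answer used
INTERNAL_NET=internal-net; INTERNAL_SUBNET=internal-subnet; INTERNAL_RANGE=10.128.0.0/9 # assumed second range
GATEWAY_TAG=gateway
INTERNAL_TAG=internal
DRY_RUN="${DRY_RUN:-1}"

# Echo the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step 1: a custom-mode VPC with one regional subnet; Private Google Access lets
# the instances reach Google APIs without additional firewall rules.
create_network() {
  net=$1; subnet=$2; range=$3
  run gcloud compute networks create "$net" --project="$PROJECT" --subnet-mode=custom
  run gcloud compute networks subnets create "$subnet" --project="$PROJECT" \
      --network="$net" --region="$REGION" --range="$range" \
      --enable-private-ip-google-access
}

# Step 2: deny all ingress from any source to the tagged internal instances.
deny_all_ingress() {
  net=$1; tag=$2
  run gcloud compute firewall-rules create "$net-deny-all-ingress" --project="$PROJECT" \
      --network="$net" --direction=INGRESS --action=DENY --rules=all \
      --source-ranges=0.0.0.0/0 --target-tags="$tag" --priority=1000
}

# A custom-mode network has no allow rules, so the gateway network gets an
# explicit allow for the ports the gateway serves (ports are an assumption).
allow_gateway_ingress() {
  net=$1; tag=$2
  run gcloud compute firewall-rules create "$net-allow-web" --project="$PROJECT" \
      --network="$net" --direction=INGRESS --action=ALLOW --rules=tcp:80,tcp:443,tcp:8080 \
      --source-ranges=0.0.0.0/0 --target-tags="$tag" --priority=1000
}

# Step 3: app.yaml for one Flexible service, carrying the network block from the answer.
render_app_yaml() {
  service=$1; net=$2; subnet=$3; tag=$4
  cat <<EOF
runtime: python
env: flex
service: $service
network:
  instance_tag: $tag
  name: $net
  subnetwork_name: $subnet
EOF
}

# Gateway in the open network, every other service in the closed one; then step 4, redeploy.
setup_all() {
  create_network "$GATEWAY_NET" "$GATEWAY_SUBNET" "$GATEWAY_RANGE"
  create_network "$INTERNAL_NET" "$INTERNAL_SUBNET" "$INTERNAL_RANGE"
  allow_gateway_ingress "$GATEWAY_NET" "$GATEWAY_TAG"
  deny_all_ingress "$INTERNAL_NET" "$INTERNAL_TAG"
  render_app_yaml default "$GATEWAY_NET" "$GATEWAY_SUBNET" "$GATEWAY_TAG" > gateway.app.yaml
  for svc in orders billing; do   # assumed names of the internal services
    render_app_yaml "$svc" "$INTERNAL_NET" "$INTERNAL_SUBNET" "$INTERNAL_TAG" > "$svc.app.yaml"
  done
  for f in gateway.app.yaml orders.app.yaml billing.app.yaml; do
    run gcloud app deploy "$f" --project="$PROJECT" --quiet
  done
}

[ "${1:-}" = "--setup" ] && setup_all
```

Run it as `sh setup.sh --setup` to see the commands, and `DRY_RUN=0 sh setup.sh --setup` to apply them. The deny rule is scoped with `--target-tags` to the tag written into the internal services' app.yaml, which is why the answer recommends a distinct tag per group: a rule on the wrong tag silently misses the instances it was meant to isolate.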

