I am trying to restrict access to a specific App Engine Flex service in a
project with multiple services using VPC firewall rules. I created a VPC
network called "vpc" using automatic subnet creation and global dynamic
routing. Next, I deployed my App with the following yaml file (names
slightly changed):
runtime: custom
env: flex
service: someservice
manual_scaling:
  instances: 1
resources:
  cpu: 1
  memory_gb: 4.0
  disk_size_gb: 10
network:
  name: vpc
As you can see, I specified a network in the yaml file to run the app in
vpc. Then I created two firewall rules in the VPC to allow access only from
specific IPs. I first created a firewall rule called "deny" to deny access
to the vpc network for all IP ranges:
gcloud compute firewall-rules create deny \
--network vpc \
--action deny \
--direction ingress \
--rules tcp \
--source-ranges 0.0.0.0/0 \
--priority 5000
Finally, I created another rule named "allow" to allow a single IP address
(e.g. 192.00.00.11):
gcloud compute firewall-rules create allow \
--network vpc \
--action allow \
--direction ingress \
--rules tcp \
--source-ranges 192.00.00.11 \
--priority 1000
However, after performing the above I am still able to access the App
Engine service from pretty much any IP I tested (I used my phone's data
connection and also asked friends to sanity check). What am I doing wrong?
Any help is greatly appreciated!
--
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit
https://groups.google.com/d/msgid/google-appengine/c149c5a7-4090-43e1-9547-44f0c1a21387%40googlegroups.com.
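Editor's note, as an added example that is not part of the original post: requests to an App Engine service (flex included) reach the instance through Google's front-end serving infrastructure rather than through the instance's external interface on the VPC, so VPC firewall rules like the two above are not the control that filters that traffic; the control that does is the App Engine firewall (gcloud app firewall-rules). Its semantics differ from VPC rules in one way that matters here: rules are evaluated in ascending priority number, the first matching rule decides, and a built-in default rule (priority 2147483647) applies when nothing matches. The script below is an added, stand-alone model of that evaluation, so a proposed rule set can be checked against a list of client IPs before it is applied, and it renders the gcloud commands for it. The addresses 192.0.2.11, 192.0.2.12, 203.0.113.5 and 2001:db8::1 are constructed stand-ins (192.0.2.11 replaces the post's placeholder 192.00.00.11), and the rule set is the post's intent rewritten for the App Engine firewall. One caveat a practitioner would want: App Engine firewall rules apply to the application as a whole, not to one service, so on their own they cannot restrict just "someservice" in a multi-service project.

```python
# Added example (not from the original post): a local model of App Engine
# firewall rule evaluation, used to check a rule set before installing it.
# Semantics modelled: lowest priority number evaluated first, first match
# decides, the default rule applies when no rule matches.
import ipaddress
from dataclasses import dataclass

DEFAULT_RULE_PRIORITY = 2147483647  # priority of the App Engine firewall's default rule


@dataclass(frozen=True)
class Rule:
    priority: int       # user rules use 1..2147483646; a lower number is evaluated earlier
    action: str         # "ALLOW" or "DENY"
    source_range: str   # a single IP or a CIDR range, IPv4 or IPv6


def evaluate(rules, client_ip, default_action):
    """Return "ALLOW" or "DENY" for client_ip.

    The first rule that matches in ascending priority order decides; if no
    rule matches, the default rule's action applies."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.action not in ("ALLOW", "DENY"):
            raise ValueError(f"bad action {rule.action!r} on rule {rule.priority}")
        net = ipaddress.ip_network(rule.source_range, strict=False)
        # An IPv6 client never matches an IPv4 range and vice versa.
        if net.version == ip.version and ip in net:
            return rule.action
    return default_action


def gcloud_commands(rules, default_action):
    """Render the gcloud commands that install this rule set in the
    App Engine firewall (not the VPC firewall)."""
    cmds = [
        f"gcloud app firewall-rules create {r.priority} "
        f"--action {r.action} --source-range {r.source_range}"
        for r in sorted(rules, key=lambda r: r.priority)
    ]
    # "default" addresses the built-in rule at priority 2147483647.
    cmds.append(f"gcloud app firewall-rules update default --action {default_action}")
    return cmds


# Constructed rule set mirroring the post's intent: allow one address
# (192.0.2.11 stands in for the real one) and deny everything else by
# flipping the default rule to DENY.
ALLOWLIST_RULES = [Rule(1000, "ALLOW", "192.0.2.11")]
DEFAULT_ACTION = "DENY"


if __name__ == "__main__":
    for cmd in gcloud_commands(ALLOWLIST_RULES, DEFAULT_ACTION):
        print(cmd)
    for probe in ("192.0.2.11", "192.0.2.12", "203.0.113.5", "2001:db8::1"):
        print(probe, "->", evaluate(ALLOWLIST_RULES, probe, DEFAULT_ACTION))
```

Once the rules are applied, the live equivalent of evaluate() is `gcloud app firewall-rules test-ip IP`, which reports the action the App Engine firewall would take for that address; checking it from the phone's address and a friend's address is the sanity test the post describes. Because the default rule is the catch-all, flip it to DENY last, after the ALLOW rule exists, or the project's own access is cut off between the two commands.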