Hi,

Thanks for the screenshots! I’ve reproduced this and was able to confirm 
that if you switch the App Engine Firewall rules to “Deny All” and then try 
to granularly allow some IP address, the app will return 403s. 

This is most likely due to the internal App Engine infrastructure, so I 
would recommend IAP as your best current solution to communicate between 
GAE services.


On Wednesday, February 27, 2019 at 10:20:33 AM UTC-5, dvd gsng wrote:
>
> Hi George, thanks for replying. Unfortunately, we've tried that, but it 
> didn't work out as expected. We added those two IPs (and two more, see 
> initial post) to the GAE firewall as well as the regular VPC firewall. 
> Please have a look at the images for reference:
>
> GAE firewall:
>
> [image: gae-fw.png]
>
>
>
> VPC firewall:
>
> [image: vpc-fw.png]
> Note that the VPC FW rule does apply to the GAE.
>
> WDYT?
>
> Also, we're currently looking into using IAP for securing our endpoints. 
> Is that the recommended way to implement authenticated communication 
> between GAE services?
>
> David
>
>
> On Monday, February 25, 2019 at 7:56:55 PM UTC+1, George (Cloud Platform 
> Support) wrote:
>>
>> It is not immediately apparent, after reading the documentation page you 
>> link to, how certain IPs are to be whitelisted; targeted HTTP requests, 
>> service accounts, and Cloud Pub/Sub are mentioned as recommended 
>> solutions on that page. 
>>
>> The firewall configuration page stipulates, for requests received in the 
>> flexible environment: 0.1.0.40 and 10.0.0.1. You need to create two 
>> firewall rules to allow requests:
>>
>> 0.1.0.40 - A rule to allow backend_flex to receive URL Fetch requests 
>> from backend_std.
>> 10.0.0.1 - A rule to allow the service-to-service communication for the 
>> URL Fetch requests in backend_flex.
>>
>
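
The App Engine firewall rule set discussed in this thread, written out as gcloud commands (an added example, not part of the original messages). The priorities 1000 and 1001, the descriptions and the dry-run wrapper are constructed for illustration. The allow rules are created before the default rule is switched to deny, and `test-ip` then shows which rule matches each address so it can be compared with the 403s reported above.

```shell
#!/usr/bin/env bash
# Added example: the GAE firewall rules described in the thread.
# Priorities and descriptions are constructed values.
# DRY_RUN=1 (the default) prints each command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

apply_gae_fw_rules() {
  # 0.1.0.40: lets backend_flex receive URL Fetch requests from backend_std.
  run gcloud app firewall-rules create 1000 --action=allow \
      --source-range=0.1.0.40 --description=urlfetch-from-backend_std
  # 10.0.0.1: service-to-service communication for URL Fetch in backend_flex.
  run gcloud app firewall-rules create 1001 --action=allow \
      --source-range=10.0.0.1 --description=service-to-service-backend_flex
  # Only after the allow rules exist, switch the default rule to deny.
  run gcloud app firewall-rules update default --action=deny
}

verify_gae_fw_rules() {
  # List the rules in evaluation order, then ask which rule matches each IP.
  run gcloud app firewall-rules list
  run gcloud app firewall-rules test-ip 0.1.0.40
  run gcloud app firewall-rules test-ip 10.0.0.1
}

apply_gae_fw_rules
verify_gae_fw_rules
```

Run with `DRY_RUN=0` to execute the commands against the currently configured gcloud project.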
