We're building an application in the Google Cloud. We're using App Engine as frontend and Compute Engine as backend. On these Compute Engine instances I'm running a TCP server that accepts certain "command" messages. The Compute Engine instances are also connected to the internet behind a firewall and load balancer for incoming HTTPS traffic. I would like to bind the TCP server to a local IP address and allow only App Engine instances (these are within the same project) to connect to the TCP "commands" port via the socket API.
For now we're limiting the incoming connections to Google IPs only.
The Compute Engine documentation says the following:
Every instance is a member of a single network. A network performs the same function that a router does in a home network: it describes the network range and gateway IP address, handles communication between instances, and serves as a gateway between instances and callers outside the network. A network is constrained to a single project; it cannot span projects. Any communication between instances in different networks, even within the same project, must be through external IP addresses. In the API, a network is represented by the Network object.
Would it be possible to build a secure communication setup? Perhaps with App Engine backend instances?
To connect to an instance without an external IP address, use the gcloud compute ssh command with the --internal-ip flag. In the Google Cloud console, go to the VM Instances page and find the internal IP address for the instance that you want to connect to. Connect to the instance.
App Engine is Google's Platform as a Service (PaaS) offering. It is a compute service that provides a managed platform for running applications.
Compute Engine delivers configurable virtual machines running in Google's data centers with access to high-performance networking infrastructure and block storage solutions. App Engine is a fully managed, serverless platform for developing and hosting web applications at scale.
Google Compute Engine (GCE) is an infrastructure as a service (IaaS) offering that allows clients to run workloads on Google's physical hardware. Google Compute Engine provides a scalable number of virtual machines (VMs) to serve as large compute clusters for that purpose.
With App Engine Flexible, you can set up instance_tags and use that to create firewall rules with the appropriate tagging rules. See https://cloud.google.com/appengine/docs/flexible/custom-runtimes/configuring-your-app-with-app-yaml for more information.
There isn't currently a way to set up a private network between GCE and GAE. Limiting to Google's IP range isn't secure since anyone on GAE or GCE could connect to your server. So I recommend that you authenticate incoming connections at your TCP server to verify the connection is coming from your GAE instances.
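One way to do the per-connection authentication the answer above recommends, as an added example (not code from the question or either answer): the GCE-side TCP server sends a fresh random nonce on every connection, the GAE-side client answers with an HMAC-SHA256 tag over that nonce and the command text, and the server only dispatches commands from a fixed allow-list once the tag verifies. The shared secret, the command names and the line-based wire format are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import socket
import socketserver
import threading

# Shared secret known to both the GAE client and the GCE server. Constructed value for this
# example; in practice load it from a secret store or instance metadata, never hard-code it.
SHARED_SECRET = b"example-shared-secret-change-me"

# Allow-list of commands the server will run. Anything else is refused even when authenticated.
COMMANDS = {
    "ping": lambda: "pong",
    "status": lambda: "ok",
}


def make_auth_tag(secret: bytes, nonce: bytes, command: str) -> str:
    """HMAC-SHA256 over the server's nonce and the command text, hex encoded.
    Binding the tag to a per-connection nonce makes a captured tag useless for replay."""
    return hmac.new(secret, nonce + b"\n" + command.encode(), hashlib.sha256).hexdigest()


def handle_command(secret: bytes, nonce: bytes, line: str) -> str:
    """Verify one '<tag> <command>' line against the nonce and run the command."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return "ERR malformed"
    tag, command = parts
    expected = make_auth_tag(secret, nonce, command)
    # Constant-time comparison; compare as bytes so untrusted input cannot raise on non-ASCII.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "ERR auth"
    handler = COMMANDS.get(command)
    if handler is None:
        return "ERR unknown command"
    return handler()


class CommandHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Challenge: a fresh 128-bit nonce per connection.
        nonce = os.urandom(16).hex().encode()
        self.wfile.write(nonce + b"\n")
        # Response: a single bounded line, then the connection is closed.
        line = self.rfile.readline(4096).decode(errors="replace")
        if not line:
            return
        self.wfile.write((handle_command(self.server.secret, nonce, line) + "\n").encode())


class CommandServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, bind, secret):
        super().__init__(bind, CommandHandler)
        self.secret = secret


def start_server(host="127.0.0.1", port=0, secret=SHARED_SECRET) -> CommandServer:
    """Bind the command port on an internal address and serve in a background thread."""
    server = CommandServer((host, port), secret)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_command(host, port, secret, command, timeout=5.0) -> str:
    """Client side (what the GAE instance would run): read nonce, send tag + command, read reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        nonce = f.readline().rstrip(b"\n")
        f.write(f"{make_auth_tag(secret, nonce, command)} {command}\n".encode())
        f.flush()
        return f.readline().decode().rstrip("\n")


if __name__ == "__main__":
    srv = start_server()
    host, port = srv.server_address
    print(send_command(host, port, SHARED_SECRET, "ping"))   # pong
    print(send_command(host, port, b"wrong-secret", "ping"))  # ERR auth
    srv.shutdown()
    srv.server_close()
```

This authenticates the peer but does not encrypt the command or hide it from anyone who can see the traffic, and the port is still reachable by whoever the firewall lets through; treat it as a complement to firewall rules (or instance tags on App Engine Flexible) rather than a replacement, and wrap the socket in TLS if the commands themselves are sensitive.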