Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it possible to use a fully managed service (Cloud Run or App Engine) with firewall in GCP?

Tags:

google-app-engine

google-cloud-platform

cloud

google-cloud-run

google-cloud-armor

Problem. I'm looking for an agile way to shoot a docker container (stored on GCR.IO) to a managed service on GCP:

  • one docker container gcr.io/project/helloworld with private data (say, Cloud SQL backend) - can't face the real world.
  • a bunch of IPs I want to expose it to: say [ "1.2.3.4" , "2.3.4.0/24" ].

My ideal platform would be Cloud Run, but also GAE works.

I want to develop in agile way (say deploy with 2-3 lines of code), is it possible run my service secretly and yet super easily? We're not talking about a huge production project, we're talking about playing around and writing a POC you want to share securely over the internet to a few friends making sure the rest of the world gets a 403.

What I've tried so far.

The only think that works easily is a GCE vm with docker-friendly OS (like cos) where I can set up firewall rules. This works, but it's a lame docker app on a disposable VM. Machine runs forever and dies at reboot unless I stabilize it on cron/startup. Looks like I'm doing somebody else's job.

Everything else I've tried so far failed:

  • Cloud Run. Amazing but can't set up firewall rules on it, or Cloud Director, .. seems to work only with IAP which is painful to set up.
  • GAE. Works with multiple IPs and can't detach public IPs or firewall it. I managed to get the IP filtering within the app but seems a bit risky. I don't [want to] trust my coding skills :)
  • Cloud Armor. Only supports a HTTPS Load Balancer which I don't have. Nor I have MIGs to point to. I want simplicity.
  • Traffic Director and need a HTTP L7 balancer. But I have a docker container, on a single pod. Why do I need a LB?
  • GKE. Actually this seems to work: [1] but it's not fully managed (I need to create cluster, pods, ..)

Is this a product deficiency or am I looking at the wrong products? What's the simplest way to achieve what I want?

[1] how do I add a firewall rule to a gke service?

like image 362
Riccardo Avatar asked Nov 09 '19 20:11

Riccardo

People also ask

What type of firewall rules does Google Cloud's Networking Support?

VPC firewall rules are stateful. When a connection is allowed through the firewall in either direction, return traffic matching this connection is also allowed. You cannot configure a firewall rule to deny associated response traffic.

What is the difference between firewall rules GCP and the VM Series?

As you deploy workloads to Google Cloud, Google Cloud firewall rules filter traffic based on port or protocol to control access to the deployed Google Cloud resources. The VM-Series complements Google Cloud firewall rules by classifying traffic based on the app—not the port.

What is the difference between cloud run and App Engine?

Cloud Run - A fully managed serverless platform that runs individual containers. You give code or a container to Cloud Run, and it hosts and auto scales as needed to respond to web and other events. App Engine - A fully managed serverless platform for complete web applications.

1 Answers

Please limit your question to one service. Not everyone is an expert on all Google Cloud services. You will have a better chance of a good answer for each service if they are separate questions.

In summary, if you want to use Google Cloud Security Groups to control IP based access you need to use a service that runs on Compute Engine as security groups are part of the VPC feature set. App Engine Standard and Cloud Run do not run within your project's VPC. This leaves you with App Engine Flex, Compute Engine, and Kubernetes.

I would change strategies and use Google Cloud Run managed by authentication. Access is controlled by Google Cloud IAM via OAuth tokens.

Cloud Run Authentication Overview

like image 173
John Hanley Avatar answered Oct 13 '22 20:10

John Hanley
Sign in to Comment

Related questions

Is it safe to use images.get_serving_url_async() inside a ndb tasklet?
What response times can be expected from GAE/NDB?
How to avoid 'Failed to retrieve access token: { "error" : "invalid_grant" }' in offline GAE cron tasks?
Messed up character encoding with Android + GAE Cloud Endpoints
Google app engine bulkloader opens empty file at upload
Url fetch to third party server keeps timing out from cron job?
Java 6 applications are prevented from being deployed to Google App Engine from any version of the SDK
Is it possible to run scikit-learn on Google App Engine?
how to create gwt gae with app engine modules using google eclipse plugin
Putting a Cloud Endpoints API in a separate App Engine module
User info using OAuth with Google App Engine
Why no entity kind with name _BlobInfo_ in datastore is created when application is deployed on GAE?
How to speed up Google App Engine Go unit tests?
gcloud connect to docker Daemon fail
redirect all requests from one domain to another with Google App Engine but keep static routing rules in yaml
Action required: 7 days left to recover Google Compute Engine resources in billing disabled projects
Import error while using dev_appserver.py in virtualenv
Stackdriver vs ELK for app engine
App Engine Search API (Document Search) - Multiple Languages
Google App Engine old versions of static files being served

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!