I am trying to restrict access to a specific App Engine Flex service in a project with multiple services using VPC firewall rules. I created a VPC network called “vpc” using automatic subnet creation and global dynamic routing. Next, I deployed my App with the following yaml file (names slightly changed):
runtime: custom
env: flex
service: someservice
manual_scaling:
  instances: 1
resources:
  cpu: 1
  memory_gb: 4.0
  disk_size_gb: 10
beta_settings:
  cloud_sql_instances: cloud
network:
  name: vpc
As you can see, I specified a network in the yaml file to run the app in vpc. Then, I created two firewall rules in VPC to allow access to only specific IPs. I first created a firewall rule called “deny” to deny access to the vpc network for all IP ranges:
gcloud compute firewall-rules create deny --network vpc --action deny --direction ingress --rules tcp --source-ranges 0.0.0.0/0 --priority 5000
Finally, I created another rule named “allow” to allow a single IP address (e.g. 192.00.00.11):
gcloud compute firewall-rules create allow --network vpc --action allow --direction ingress --rules tcp --source-ranges 192.00.00.11 --priority 1000
However, after performing the above I am still able to access the App Engine service from pretty much any IP I tested (used my phone’s data and also asked friends for a sanity check). What am I doing wrong? Any help is greatly appreciated!
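Added example, not code from the post above: the allow/deny pair in the question is evaluated lowest priority number first, first match wins, and the Python below models exactly that ordering so a rule set can be checked before it is deployed. Two points matter for the question. First, the VPC rules are attached to the instance's network interface, while the service's public URL is served through Google's front end, so they never see the client's source address; the mechanism that filters by client IP at the service URL is the App Engine firewall (`gcloud app firewall-rules`), which uses the same priority ordering and carries an implicit default rule at priority 2147483647 whose action is ALLOW until it is changed. Second, a deny on `0.0.0.0/0` matches only IPv4, so an IPv6 client falls through to the default rule. The addresses (`203.0.113.11`, `198.51.100.7`, `2001:db8::1`) are constructed documentation addresses standing in for the real one, which are also spelled without the leading zeros of `192.00.00.11` because `ipaddress` rejects that form.

```python
"""Model of priority-ordered allow/deny firewall evaluation (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Priority of the implicit App Engine firewall default rule; its action is
# ALLOW until changed with `gcloud app firewall-rules update default --action deny`.
DEFAULT_PRIORITY = 2147483647


@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated earlier
    action: str     # "allow" or "deny"
    source: str     # single IP or CIDR range

    def __post_init__(self) -> None:
        if self.action not in ("allow", "deny"):
            raise ValueError(f"bad action {self.action!r}")
        # Fail early on ranges the API would reject (e.g. octets with leading zeros).
        ip_network(self.source, strict=False)

    def matches(self, client_ip: str) -> bool:
        # A client of the other IP version never matches: 0.0.0.0/0 is IPv4 only.
        return ip_address(client_ip) in ip_network(self.source, strict=False)


def evaluate(rules: Iterable[Rule], client_ip: str, default_action: str = "allow") -> str:
    """First matching rule in ascending priority order decides; else the default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(client_ip):
            return rule.action
    return default_action


def audit(rules: Iterable[Rule], probes: Iterable[str], default_action: str = "allow") -> Dict[str, str]:
    """Action each probe address would receive; run this before deploying a rule set."""
    rules = list(rules)
    return {ip: evaluate(rules, ip, default_action) for ip in probes}


def ipv6_gap(rules: Iterable[Rule]) -> bool:
    """True when a rule denies all of IPv4 but nothing in the set covers IPv6."""
    nets = [(r, ip_network(r.source, strict=False)) for r in rules]
    denies_all_v4 = any(r.action == "deny" and n == ip_network("0.0.0.0/0") for r, n in nets)
    covers_v6 = any(n.version == 6 for _, n in nets)
    return denies_all_v4 and not covers_v6


# Constructed stand-in for the single allowed address in the question.
ALLOWED_IP = "203.0.113.11"

# The two rules from the question: allow one IP at 1000, deny everything at 5000.
POST_RULES: List[Rule] = [
    Rule(1000, "allow", ALLOWED_IP),
    Rule(5000, "deny", "0.0.0.0/0"),
]

# Same set plus the IPv6 catch-all that an allowlist also needs.
POST_RULES_V6: List[Rule] = POST_RULES + [Rule(5001, "deny", "::/0")]

# Constructed probe clients: the allowed IP, another IPv4 host, an IPv6 host.
PROBES = [ALLOWED_IP, "198.51.100.7", "2001:db8::1"]


if __name__ == "__main__":
    print("question's rules :", audit(POST_RULES, PROBES))
    print("ipv6 gap         :", ipv6_gap(POST_RULES))
    print("with ::/0 deny   :", audit(POST_RULES_V6, PROBES))
    # Allow rule alone, default still ALLOW: nothing is actually restricted.
    print("allow rule only  :", audit(POST_RULES[:1], PROBES))
    print("allow + default deny:", audit(POST_RULES[:1], PROBES, default_action="deny"))
```

Run it and the IPv6 probe is allowed by the rules as written in the question, which `ipv6_gap` flags; adding the `::/0` deny closes that. The "allow rule only" lines show the other easy mistake on the App Engine firewall: with the default rule left on ALLOW, a lone allow rule restricts nothing.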