#StackBounty: #google-app-engine Trouble restricting access to app engine flexible service using VPC

Bounty: 100

I am trying to restrict access to a specific App Engine Flex service in a project with multiple services using VPC firewall rules. I created a VPC network called “vpc” using automatic subnet creation and global dynamic routing. Next, I deployed my App with the following yaml file (names slightly changed):

runtime: custom
env: flex
service: someservice
manual_scaling:
    instances: 1
resources:
    cpu: 1
    memory_gb: 4.0
    disk_size_gb: 10
beta_settings:
    cloud_sql_instances: cloud
network:
    name: vpc

As you can see, I specified a network in the yaml file to run the app in the vpc network. Then, I created two firewall rules in VPC to allow access to only specific IPs. I first created a firewall rule called “deny” to deny access to the vpc network for all IP ranges:

gcloud compute firewall-rules create deny \
    --network vpc \
    --action deny \
    --direction ingress \
    --rules tcp \
    --source-ranges 0.0.0.0/0 \
    --priority 5000

Finally, I created another rule named “allow” to allow a single IP address (e.g. 192.00.00.11):

gcloud compute firewall-rules create allow \
    --network vpc \
    --action allow \
    --direction ingress \
    --rules tcp \
    --source-ranges 192.00.00.11 \
    --priority 1000

However, after performing the above I am still able to access the App Engine service from pretty much any IP I tested (I used my phone’s data and also asked friends for a sanity check). What am I doing wrong? Any help is greatly appreciated!

Note: similar problem: https://stackoverflow.com/questions/49296666/google-app-engine-firewall-restrict-access-to-all-services-but-the-default-one
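Editor's note with an added example (not code from the question above and not Google's tooling): VPC firewall rules on the instances' network are matched against the peer that connects to the instance, and requests to an App Engine service reach the instances through the App Engine front end rather than directly from the client, so a VPC rule keyed on client source ranges has no visible effect, as the question observes. Client-IP restrictions for App Engine are expressed as App Engine firewall rules instead (`gcloud app firewall-rules`), which apply to every service and version in the app, not to one service. Those rules are evaluated lowest priority number first, the first matching rule wins, and the built-in default rule (priority 2147483647, source range `*`) catches everything else, so an allow-list is "one allow rule per trusted range, default rule set to deny". The Python below models that evaluation and emits the matching gcloud commands. The rule set and the addresses (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges standing in for the obscured IP in the question) are constructed for the example, and `Rule`, `allow_only`, `evaluate` and `gcloud_commands` are names chosen here, not an existing API.

```python
"""Model of App Engine firewall rule evaluation plus the gcloud commands
that create the same policy.  Added example, not from the original post."""
import ipaddress
from dataclasses import dataclass

# Priority of the built-in default rule; it cannot be deleted, only have
# its action changed.
DEFAULT_PRIORITY = 2147483647


@dataclass(frozen=True)
class Rule:
    priority: int        # lower number is evaluated first
    action: str          # "allow" or "deny"
    source_range: str    # CIDR, or "*" for the default rule (matches anything)
    description: str = ""

    def matches(self, client_ip: str) -> bool:
        if self.source_range == "*":
            return True
        net = ipaddress.ip_network(self.source_range, strict=False)
        return ipaddress.ip_address(client_ip) in net


def allow_only(source_ranges):
    """Allow-list policy: one allow rule per trusted range, default rule denies.

    Explicit rules get priorities starting at 1000, mirroring the question's
    choice of giving the allow rule the lower (stronger) priority number.
    """
    rules = [
        Rule(1000 + i, "allow", cidr, f"allow {cidr}")
        for i, cidr in enumerate(source_ranges)
    ]
    rules.append(Rule(DEFAULT_PRIORITY, "deny", "*", "default rule"))
    return rules


def evaluate(rules, client_ip):
    """Action of the first rule that matches, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(client_ip):
            return rule.action
    raise ValueError("no rule matched; a policy must end with the default rule")


def gcloud_commands(rules):
    """The gcloud invocations that would install this policy on an app."""
    cmds = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.priority == DEFAULT_PRIORITY:
            # The default rule already exists; only its action is changed.
            cmds.append(
                f"gcloud app firewall-rules update {DEFAULT_PRIORITY} "
                f"--action={rule.action}"
            )
        else:
            cmds.append(
                f"gcloud app firewall-rules create {rule.priority} "
                f"--action={rule.action} --source-range={rule.source_range} "
                f"--description='{rule.description}'"
            )
    return cmds


if __name__ == "__main__":
    # Constructed policy: a single trusted /32, everything else denied.
    policy = allow_only(["192.0.2.11/32"])
    for ip in ("192.0.2.11", "192.0.2.12", "203.0.113.5"):
        print(f"{ip:>14} -> {evaluate(policy, ip)}")
    print()
    print("\n".join(gcloud_commands(policy)))
```

Because the policy is app-wide, a project whose other services must stay public cannot be locked down this way; those services need to move to a separate project (or sit behind a different access control) before the default rule is flipped to deny.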

