Reputation: 1027
TLDR; Are there any updates about this question? Google App Engine communicate with Compute Engine over internal network
--
Is it possible to enable HTTP traffic between App Engine and Compute Engine instances that are in the same Cloud Project?
Obviously denying all HTTP traffic from other sources.
Between AWS EC2/RDS/Beanstalk this is possible with "security groups".
Upvotes: 13
Views: 3750
Reputation: 7684
As of now, in 2016, Google Cloud has launched the Google Cloud flexible environment appengine/docs/flexible/. So yes, it is possible now, because both App Engine and Compute Engine are present in the same network, and therefore using App Engine you can access Compute Engine by using their internal IP. Also remember to delete all external firewall rules for your Compute Engines if you only want to allow access from App Engine.
Upvotes: 1
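An added example (not part of the answer above, and not Google's code): a Python check over firewall rules in the shape exported by `gcloud compute firewall-rules list --format=json`, listing enabled ingress rules that still admit a given port from outside the internal network, which are the "external firewall rules" the answer says to delete. The rule data is constructed, and treating the RFC 1918 ranges as "internal" is an assumption; rules that select sources only by tag or service account are not evaluated.

```python
import ipaddress

# Assumption: "internal" means the RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules; field names follow the Compute Engine firewall resource.
SAMPLE_RULES = [
    {"name": "default-allow-http", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-internal-http", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "8000-8100"]}]},
    {"name": "allow-all-tcp-office", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp"}]},  # no "ports" key means every port
    {"name": "old-http-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "deny-egress", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}]},
]

def is_internal(cidr):
    """True if the CIDR lies entirely inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)

def port_matches(spec, port):
    """Match a single port ("80") or a range ("8000-8100")."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def allows_port(rule, port, protocol="tcp"):
    """True if any 'allowed' entry of the rule covers protocol/port."""
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"] not in (protocol, "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(port_matches(p, port) for p in ports):
            return True
    return False

def externally_reachable(rules, port=80):
    """Map rule name -> non-internal source ranges that can reach `port`."""
    findings = {}
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not allows_port(rule, port):
            continue
        external = [c for c in rule.get("sourceRanges", []) if not is_internal(c)]
        if external:
            findings[rule["name"]] = external
    return findings
```

An empty result for the HTTP port means only internal source ranges can reach it through range-based rules.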
Reputation: 89
There isn't a way to reference an App Engine resource within GCE. If you are trying to access GCE only from an App Engine app, then you could define an ACL in GCE to let in traffic only from your App Engine external IP.
Upvotes: -1
Reputation: 177
I think the best you can currently do is managed VMs (https://developers.google.com/cloud/managed-vms, early access right now). It's essentially managed VMs running custom code in the App Engine project. I did not check if the managed VMs will be able to run together with other GCE VMs in the same network - if they did, one could just connect to the internal addresses of the other instances. There does not appear to be a configuration option to define a network, so I'm leaning to guess that they won't be able to see each other on the network like that.
But as an answer to the general question, I don't think there is any way of referencing App Engine runtimes as sources in GCE network ACLs currently.
Upvotes: 4