We currently have an App Engine application plus some Google Compute Engine backends. Unfortunately, App Engine is not considered "in-network", so in order for App Engine to make requests to backend servers, the relevant ports must be made publicly available in the firewall, which is obviously a security risk. It would be very convenient if our App Engine app could automatically "sign" all requests to our backends by using a service account client to issue the requests. Is this possible?
And likewise, I'd love to also do this in the other direction, where requests from our GCE servers could be authenticated by App Engine as long as the requests are issued from a GCE service account. I naively tried the latter by issuing a request from GCE to a test handler on App Engine that checks the current user (via the Users service), but unsurprisingly the user was null (since "users" and "service accounts" aren't exactly the same, I didn't expect this to work - but hey, worth a shot).
There's a fair amount of info on the web for issuing service-account-authenticated requests (e.g. to Google APIs), but I can't find anything on authenticating incoming requests. Does such a thing exist? (Ideally in Go.)
Upvotes: 0
There is a new feature coming out soon called Managed VMs. You can click on the following link for more details and sign up for updates: https://developers.google.com/cloud/managed-vms
Upvotes: 1