bryan

Reputation: 9389

Only allow app engine to speak or connect to compute engine

I have a Compute Engine with a static IP that has apache/php installed.

My app engine makes calls to a php script like any normal POST call. I'm getting random requests pointed at my compute engine and I'd like to restrict my Compute Engine to only accept requests from my app engine.

Either checking it in the PHP Script or making some sort of firewall rule?

The only way I can think of is restricting its IP but App Engines have many different IPs.

What do you guys think is the best course of action?

Upvotes: 1

Views: 191

Answers (2)

Tom

Reputation: 1613

The way to do this (that I have implemented and works fine) is to set up HTTP authentication on your GCE server - and use those credentials in your requests.

I've done this with both nginx and apache - depending on what you are running on GCE.

You can either use basic authentication or digest/HTTPS if you need to.

I actually use this to take advantage of Elasticsearch from App Engine.

Upvotes: 1
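The HTTP authentication approach in this answer can also be enforced inside the PHP script itself, which the question asks about. The following is an added example, not code from any poster on this page. It assumes Apache with mod_php (so `PHP_AUTH_USER` and `PHP_AUTH_PW` are populated) and two hypothetical environment variables, `APP_CALLER_USER` and `APP_CALLER_PASS`, holding the credentials the App Engine app sends.

```php
<?php
declare(strict_types=1);

// Added example: accept POSTs only from a caller presenting the expected
// HTTP Basic credentials over HTTPS. APP_CALLER_USER and APP_CALLER_PASS
// are hypothetical environment variable names chosen for this sketch.

function deny(int $status, string $message): void
{
    http_response_code($status);
    if ($status === 401) {
        header('WWW-Authenticate: Basic realm="internal-api"');
    }
    header('Content-Type: text/plain');
    echo $message;
    exit;
}

$expectedUser = getenv('APP_CALLER_USER');
$expectedPass = getenv('APP_CALLER_PASS');
if ($expectedUser === false || $expectedPass === false || $expectedPass === '') {
    // Fail closed: an unset secret must never match an empty password.
    deny(500, 'Server credentials not configured');
}

// Basic credentials are only base64-encoded, so refuse plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    deny(403, 'HTTPS required');
}

// Assumption: mod_php fills these in; under CGI/FPM the Authorization
// header may need to be passed through explicitly by the web server.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';

// hash_equals() compares in constant time; evaluate both checks before
// combining them so a wrong username does not skip the password compare.
$userOk = hash_equals($expectedUser, $user);
$passOk = hash_equals($expectedPass, $pass);
if (!($userOk && $passOk)) {
    error_log(sprintf('Rejected request from %s', $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    deny(401, 'Authentication required');
}

// Authenticated caller: handle the POST body from here on.
```

The stray requests described in the question then receive a 401 and appear in the Apache error log with their source address.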

Alex Martelli

Reputation: 881645

HTTPS is probably the safest approach, as you can check the counterpart's certificate and drop requests coming from anybody but the counterpart you like. urlfetch can make https requests and in fact they're encouraged for all sorts of solid security best-practice reasons!

Upvotes: 0
