Benji

Reputation: 21

App engine/Task queues when app engine service has Deny * firewall rule and only allows access through 1 compute engine

I have a Django application running on App Engine. This is a service I only want people to access through my VPN, so I made some firewall rules for my app.


But now I have to run some code daily. What I first did was just use Cloud Scheduler to make the calls to the endpoints of my App Engine app, which worked fine, until the call got too long and timed out after 10 minutes.

I then read about Cloud Tasks and figured out I had to make a push queue, so that is what I did.

I now have 1 cron job in Cloud Scheduler calling an endpoint daily, which then adds stuff (split up into smaller portions) to the push queue.

Here comes the problem...

My push queue is now filled with a lot of tasks. Each task tries to go to an endpoint on the App Engine service to do its part of the job, but gets a status of "PERMISSION_DENIED".

I tried removing the firewall rule (Deny *) and it seems to work that way. I can't seem to find any way to allow the push queue to access the App Engine service, and the service is not something I want to be public.

Upvotes: 1

Views: 111

Answers (2)

NoCommandLine

Reputation: 6323

1)

If you can make your tasks App Engine tasks (this means they're invoked and run by your App Engine app), then according to the documentation you'll only need 2 firewall rules:

  1. Allow (ip of Compute engine running vpn service)

  2. Deny *

This is because the documentation says

Cloud Scheduler jobs using App Engine HTTP and App Engine tasks in Cloud Tasks (including App Engine Task Queues): 0.1.0.2/32 (bypasses the default firewall rule if set to deny)

The bolded part ("bypasses the default firewall rule if set to deny") means traffic from App Engine tasks in Cloud Tasks won't be blocked by the deny * default rule.

You can also see it here:

This means that if you set the default rule to deny, requests from certain services destined for the App Engine standard environment do not get blocked. These are all types of traffic requested in the app's own configuration, or sent from the same app. Requests that bypass firewall rules in this way also include App Engine tasks in Cloud Tasks (including App Engine Task Queues).

2)

If your task is already an App Engine task, still try just using the 2 firewall rules I mentioned and see if that resolves the issue.

Upvotes: 0

lsalazar

Reputation: 414

First, we need to allow the IP range 0.1.0.2/32, since it's the range that App Engine uses for requests (which you already have a rule for) [1][2].

What you can do is set a higher priority for that IP range's rule and a lower one for Deny * [3].

The firewall rule priority is an integer from 0 to 65535, inclusive. Lower integers indicate higher priorities. If you do not specify a priority when creating a rule, it is assigned a priority of 1000.

[1] https://cloud.google.com/appengine/docs/standard/understanding-firewalls#allowing_incoming_requests_from_your_services

[2] https://cloud.google.com/tasks/docs/creating-appengine-tasks#firewall_rules

[3] https://cloud.google.com/firewall/docs/firewalls#priority_order_for_firewall_rules

Upvotes: 0
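The ordering point both answers make (a lower priority integer is evaluated first, so the allow for 0.1.0.2/32 and the VPN host must sit ahead of the Deny * rule) is easy to get wrong because a rule created without a priority lands at 1000. The following is an added Python example, not code from either answer or from Google: it models App Engine firewall evaluation as first match in ascending priority order, exactly as the quoted docs describe, and does not model the separate documented bypass of the *default* rule for task traffic. The VPN host address and the "random internet" address are constructed documentation-range values, and the rendered commands use the `gcloud app firewall-rules create PRIORITY --action --source-range --description` syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Source range the answers cite for App Engine tasks in Cloud Tasks and for
# Cloud Scheduler App Engine HTTP jobs (taken from the docs quoted on the page).
APP_ENGINE_TASK_RANGE = "0.1.0.2/32"


@dataclass(frozen=True)
class FirewallRule:
    priority: int        # 0..65535; lower integer = evaluated first
    action: str          # "allow" or "deny"
    source_range: str    # CIDR, or "*" for every source address
    description: str = ""

    def matches(self, source_ip: str) -> bool:
        """True if the request's source IP falls inside this rule's range."""
        if self.source_range == "*":
            return True
        return ip_address(source_ip) in ip_network(self.source_range, strict=False)


def evaluate(rules: List[FirewallRule], source_ip: str,
             default_action: str = "allow") -> Tuple[str, Optional[int]]:
    """First matching rule in ascending priority order decides.

    Returns (action, priority of the deciding rule); (default_action, None)
    when no explicit rule matched, standing in for the built-in default rule.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(source_ip):
            return rule.action, rule.priority
    return default_action, None


def as_gcloud_commands(rules: List[FirewallRule]) -> List[str]:
    """Render the rule set as gcloud commands, in evaluation order."""
    return [
        f"gcloud app firewall-rules create {r.priority} "
        f"--action={r.action} --source-range='{r.source_range}' "
        f"--description='{r.description}'"
        for r in sorted(rules, key=lambda r: r.priority)
    ]


# Constructed sample addresses (RFC 5737 documentation ranges, not real hosts).
VPN_HOST = "203.0.113.10"       # the Compute Engine instance running the VPN
TASK_SOURCE = "0.1.0.2"         # what a Cloud Tasks push request arrives as
RANDOM_INTERNET = "198.51.100.77"

# Reproduces the PERMISSION_DENIED symptom: the catch-all deny was created
# without a priority (so it got 1000) and is checked before the allow at 2000.
BROKEN_RULES = [
    FirewallRule(1000, "deny", "*", "deny everything"),
    FirewallRule(2000, "allow", APP_ENGINE_TASK_RANGE, "App Engine tasks"),
]

# The layout the answers describe: both allows carry lower integers (higher
# priority) than the catch-all deny, so they win for their sources only.
FIXED_RULES = [
    FirewallRule(100, "allow", APP_ENGINE_TASK_RANGE, "App Engine tasks and Scheduler"),
    FirewallRule(200, "allow", f"{VPN_HOST}/32", "Compute Engine VPN host"),
    FirewallRule(1000, "deny", "*", "deny everything else"),
]


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        for ip in (TASK_SOURCE, VPN_HOST, RANDOM_INTERNET):
            print(f"{name:6} {ip:16} -> {evaluate(rules, ip)}")
    print("\n".join(as_gcloud_commands(FIXED_RULES)))
```

Running it shows the broken set denying 0.1.0.2 at priority 1000 and the fixed set allowing it at 100, allowing the VPN host at 200, and still denying everything else at 1000. The same check is worth repeating against the real rule list (`gcloud app firewall-rules list`) after any change, since a Deny * rule created without an explicit priority silently outranks every allow numbered above 1000.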
