I have an API which is deployed in GKE and exposed via Cloud Endpoints with ESPv2. I have secured the API using API key as of now and its available via internet. Is there any possible way I can apply some firewall rules that the endpoint is available only from a certain network or range of IPs ?
You need to define an ingress with a global HTTPS load balancer in front of your ESPv2 service.
Then, you can activate Cloud Armor and set policies to filter the IPs and ranges that you want
Related
I'm using google Cloud Load Balancer for exposing dashboard. This load balancer was created by GKE ingress. I want to restrict certain endpoints with specific pattern to be accessible with organization email. eg. */internal/*.
I've tried to use IAP but it's restricting all URLs.
I have deployed an API Gateway on GCP. I would like to attach a static IP to the gateway so that I can add the IP to an allowlist of another service, that the API Gateway forwards requests to. The service is a third-party service, that only accepts requests from IPs on their allowlist.
I have set up a load balancer for the API Gateway, which does have a global static IP attached. However, this does solve the egress traffic, I see in the logs that the IP isn't static. Is there a way that I can attach a static IP to the API Gateway for egress, so that I can add a single IP to the other service?
Any help on this would be appreciated!
You can't add egress control on API Gateway. A workaround is to create a proxy Cloud Functions that have a static egress IP. There is an overcost for the Cloud Functions processing and for the serverless VPC connector that you have to use.
Another solution is to host the equivalent of API Gateway yourselves on Cloud Run for example (the open source project is name ESPv2, and I wrote an article on that (before the existence of the managed solution: API Gateway) and to use the similar configuration (serverless VPC connector and Cloud NAT) on the Cloud Run service.
We want to secure spring-boot actuator endpoints inside aws. Requirement is not to use spring boot application.yml properties provided by spring boot and secure them using just aws and vpc an/or loadbalancer configuration. And then How can we allow internal users to access those endpoints who're coming from vpn?
For example /actuator/* endpoints
Not sure if it´s what you are looking for but you can use an Application Load Balancer in AWS to allow / deny IPs to certain URLs on your application
https://aws.amazon.com/es/blogs/aws/new-advanced-request-routing-for-aws-application-load-balancers/
I've been searching on google and keep getting referred to the VPC documentation https://cloud.google.com/vpc-service-controls/docs/set-up-private-connectivity but I don't think this will solve my problem. I'm trying to limit the IP address accessing my webhook function on GCP and I need to use API gateway (Apigee isn't an option at the moment for me). Any advice would be great!
If API Gateway isn't requirement, I propose you this solution:
Update the ingress control of your function to set it internal_and_cloud_load_balancing to allow only traffic from your VPCs and the load balancers
Then create a HTTPS external load balancer with a serverless NEG that point to your Cloud Functions
Add Cloud Armor policies on your Load Balancer to filter IP sources.
Is it possible to access GCP PaaS (App Engine , Cloud Function, Cloud Run) internally (throught VPC)
I see in this doc : https://cloud.google.com/vpc/docs/configure-serverless-vpc-access
"Serverless VPC Access only allows requests to be initiated by the serverless environment. Requests initiated by a VM must use the external address of your serverless service—see Private Google Access for more information."
But searching for something like "Serverless VPC Access allows in/out requests"
You have 2 ways: in and out
Request TO serverless APP
You can use ingress control with Cloud Functions and Cloud Run services. You can say: I want that only connections from my VPC (or VPC SC perimeter) access to my serverless APP. With App Engine, you have firewall rules but doesn't work with private IP.
Request FROM serverless APP
Here you want to reach private resource exposed only on your VPC with a private IP. And with Cloud Run, Cloud Functions and App Engine, you can plug a serverless VPC connector to achieve this.
EDIT 1
With your appliance firewall deployed on Google Cloud, App Engine isn't the perfect product for this. Indeed, with App Engine you can't control the ingress traffic, and you always accept the traffic from the internet, even if you have a stuff (here your appliance) already on Google Cloud Network with a private IP.
The solution here (to test, depends on the appliance capacity) is to use Cloud NAT and to route all the traffic of the subnet on which the appliance is deployed, and to use a reserved static IP.
Then, on App Engine, you can set a firewall rule to accept only traffic from this reserved static IP.
The latency will increase with all these layers...