8

I have a Java web app on Google App Engine which makes requests to an external API. The API recently started requiring the whitelisting of IP addresses in order to access its services. Because GAE does not offer static IPs, I understand that one solution is to set up a GCE instance (with a static IP) and use it as a proxy for external requests made by the GAE app.

I have set up an f1-micro instance with Debian GNU/Linux 9, and have created a static external IP address as per the documentation.

How do I install nginx and set up GAE to route requests to the GCE proxy?

user2181948

2 Answers

13

We faced a similar issue with a client who needed our IP address to be whitelisted. We solved the issue by:

  1. Spinning up a Compute Engine with a static IP address. This is the IP address we gave to our client
  2. Installed Squid on the compute engine (https://help.ubuntu.com/lts/serverguide/squid.html)
  3. We then redirected all calls from the App Engine through the proxy server. You didn't list what language you are using but for PHP, that meant adding the following two lines to our CURL operations:

    curl_setopt($ch, CURLOPT_PROXY, "http://" . $_SERVER['SQUID_PROXY_HOST'] . ":" . $_SERVER['SQUID_PROXY_PORT'] );

    curl_setopt($ch, CURLOPT_PROXYUSERPWD, $_SERVER['SQUID_PROXY_USER'] . ":" . $_SERVER['SQUID_PROXY_PWD']);

One thing to note is that depending on the number of calls you are making, a micro instance might not work for you. We initially set up our proxy server on a micro box but were having to restart it every few days. We ended up switching to a standard box and have not run into any problems since.

dwelling
  • Hello, I am facing the same problem now and we run on the App Engine with a Go app which makes requests to an external server, where we have to be whitelisted. So it is the same case. You mentioned the two lines for PHP, I have no clue what I have to do with the Go app to make this possible. I already set up a VM with a static IP, but the connection from the App Engine to the VM is missing right now. – Vario Jan 30 '19 at 19:05
  • @vario I'm facing the same issue too, and wondered if / how you managed this in the end? It seems that a VPC access connector is needed to make the connection between App Engine and the Squid instance in Compute Engine? – jonhendrix Jan 25 '20 at 14:41
  • What's the point of using App Engine if all requests will be redirected to the proxy server? Why don't we just deploy the application on Compute Engine and serve requests from there? I thought the point of using App Engine is to get redundancy and fault tolerance. If it's proxied then all requests will be served from Compute Engine anyways? Am I missing something here? – Merhawi Fissehaye Apr 02 '20 at 08:16
  • That's a great point. I would definitely not suggest routing every request through the proxy server otherwise you've bottle-necked your requests and created a single point of failure. In our case, we have a few clients that required a static IP address so we only send requests to their site through the proxy server. All other requests are routed through normally. I'm not familiar with Go but in PHP it just requires us to add the two lines from my original answer if the client requests a whitelisted IP address. – dwelling Jun 10 '20 at 13:13
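
For the Go case raised in the comments, the two PHP proxy settings can be expressed on an `http.Transport`, combined with the selective routing described above so that only the allowlisted destination goes through the Squid instance. This is an added example, not part of the original answer or comments; it reuses the `SQUID_PROXY_*` variable names from the PHP lines, and `api.partner.example` is a constructed placeholder host.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// squidURLFromEnv builds the proxy URL from the variables the PHP lines read.
// Go's transport sends the userinfo part as a Basic Proxy-Authorization header.
func squidURLFromEnv() (*url.URL, error) {
	host, port := os.Getenv("SQUID_PROXY_HOST"), os.Getenv("SQUID_PROXY_PORT")
	if host == "" || port == "" {
		return nil, fmt.Errorf("SQUID_PROXY_HOST and SQUID_PROXY_PORT must be set")
	}
	user, pwd := os.Getenv("SQUID_PROXY_USER"), os.Getenv("SQUID_PROXY_PWD")
	return &url.URL{Scheme: "http", Host: net.JoinHostPort(host, port),
		User: url.UserPassword(user, pwd)}, nil
}

// proxyFor returns a Transport.Proxy func: hosts in viaProxy use the proxy,
// every other destination connects directly (nil proxy URL).
func proxyFor(proxy *url.URL, viaProxy []string) func(*http.Request) (*url.URL, error) {
	hosts := make(map[string]bool, len(viaProxy))
	for _, h := range viaProxy {
		hosts[strings.ToLower(h)] = true
	}
	return func(req *http.Request) (*url.URL, error) {
		if hosts[strings.ToLower(req.URL.Hostname())] {
			return proxy, nil
		}
		return nil, nil
	}
}

func main() {
	p, err := squidURLFromEnv()
	if err != nil {
		fmt.Println("proxy not configured:", err)
		return
	}
	// api.partner.example is a constructed placeholder for the allowlisting API.
	tr := &http.Transport{Proxy: proxyFor(p, []string{"api.partner.example"})}
	client := &http.Client{Transport: tr, Timeout: 15 * time.Second}
	fmt.Println("client ready, proxy host:", p.Host, client.Timeout)
}
```

Keeping the proxy credentials in the environment rather than in source matches the PHP version, and the proxy itself should accept only authenticated clients so the allowlisted IP cannot be borrowed by anyone who finds the port.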
4

You can solve the issue by configuring your App Engine instances and a custom NAT instance in the same VPC custom network with routing rules.

Related Google documents are below:

  1. Configure a Compute Engine VM instance as a NAT gateway (https://cloud.google.com/vpc/docs/special-configurations#natgateway)

  2. Create a routing rule for this instance (https://cloud.google.com/vpc/docs/using-routes#addingroute) and (https://cloud.google.com/vpc/docs/using-routes#canipforward)

  3. Configure your app.yaml network properties (https://cloud.google.com/appengine/docs/flexible/java/reference/app-yaml#network_settings)

If you have a complex system, I highly recommend creating a subnetwork and a certain tag to flag which GAE instances are to be forwarded to the NAT gateway.

Austin
Seyfi Aslan
  • For number 3 (configure app.yaml network properties) the URL has changed to https://cloud.google.com/appengine/docs/flexible/java/reference/app-yaml#network_settings – Merhawi Fissehaye Apr 03 '20 at 08:11