0

I have multiple apps which I would like to speak with each other. Every time I deploy to one, the new version has different IPs. How can I give them proper access to each other via firewall rules?

Boris K

1 Answer

1

Check this documentation explaining how to let different services communicate with each other. Basically, since each deployed service runs on its own domain, the idea is to issue HTTP requests to a handler in the other service. The service domains have this format:

http://[VERSION_ID].[SERVICE_ID].[MY_PROJECT_ID].appspot.com

Or:

https://[VERSION_ID]-dot-[SERVICE_ID]-dot-[MY_PROJECT_ID].appspot.com

For example, if I want to communicate with my service "website", with the handler "welcome", which is located in "my-project", I would send a request to:

http://website.my-project.appspot.com/welcome

To do so, you can use the request package in Node.js, for example.

Joan Grau Noël
  • Thanks. This looks great. But let's say I have one service which should communicate with the outside world, and two which should only communicate with other services inside the project. It seems that at the moment I can only set up firewall rules project-wide, correct? – Boris K Jan 29 '19 at 11:30
  • If you use a Flexible environment, you can specify a network for each service in the app.yaml file ([see the network settings section](https://cloud.google.com/appengine/docs/flexible/nodejs/reference/app-yaml#network_settings)). Regarding your question on blocking traffic via the firewall, you can check [this answer](https://stackoverflow.com/questions/54398964/unable-to-set-specific-firewall-rules-for-app-engines/54404916#54404916) I gave to a question similar to yours. – Joan Grau Noël Jan 29 '19 at 11:35
  • What would specifying a network per service achieve? – Boris K Jan 29 '19 at 11:45
  • You can then add firewall rules to each network separately. For example, I add a `deny all` ingress traffic rule to my network1, leaving access to internal GCP resources, while your network2 `allows all` ingress traffic from outside GCP. You can then specify network1 for two of your services, which won't receive traffic from "outside", and then add network2 to the service which is supposed to receive traffic. – Joan Grau Noël Jan 29 '19 at 11:50
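
The HTTPS URL form from the answer, as an added example (not code from the original answer): it builds the `-dot-` host name from validated IDs and refuses to call anything outside the project's `appspot.com` domain. It uses the `fetch` built into Node 18+ instead of the `request` package, which has since been deprecated; the function names and the ID pattern are assumptions made for illustration.

```javascript
// Added example. The ID pattern is a conservative assumption, not App Engine's exact rule.
const ID_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

function checkId(id) {
  // "-dot-" inside an ID would read as an extra label in the joined host name.
  if (typeof id !== 'string' || !ID_RE.test(id) || id.includes('-dot-')) {
    throw new Error(`invalid App Engine identifier: ${JSON.stringify(id)}`);
  }
  return id;
}

// Build https://[VERSION_ID]-dot-[SERVICE_ID]-dot-[MY_PROJECT_ID].appspot.com/path
function buildServiceUrl({ project, service, version, path = '/' }) {
  const labels = [service, project].map(checkId);
  if (version !== undefined) labels.unshift(checkId(version));
  const url = new URL(`https://${labels.join('-dot-')}.appspot.com`);
  url.pathname = path; // the setter percent-encodes "?" and "#", so path cannot add a query
  return url;
}

// True only for an HTTPS URL whose host is this project's appspot.com domain.
function isProjectService(target, project) {
  let url;
  try { url = new URL(target); } catch { return false; }
  const root = `${checkId(project)}.appspot.com`;
  return url.protocol === 'https:' && url.port === '' &&
    (url.hostname === root || url.hostname.endsWith(`-dot-${root}`));
}

// Call another service, refusing targets outside the project and redirects away from it.
async function callService(target, project, timeoutMs = 5000) {
  if (!isProjectService(target, project)) {
    throw new Error(`refusing to call ${target}: not a service of ${project}`);
  }
  const res = await fetch(target, { redirect: 'error', signal: AbortSignal.timeout(timeoutMs) });
  if (!res.ok) throw new Error(`upstream returned HTTP ${res.status}`);
  return res.text();
}
```

This check only constrains where the caller sends requests; whether the receiving service accepts traffic from outside the project is still decided by the firewall and network settings discussed in the comments.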