Introducing App Engine firewall, an easy way to control access
to your app
By Lorne Kligerman, Product Manager
August 28, 2017
A security feature for application developers and administrators is to
be able to allow or deny incoming requests based on source IP
addresses. This capability can help you do production testing
without exposing your app to the world, block access to your app
from specific geographies or block requests from a malicious user.
Today, we’re thrilled to announce the beta release of
Google App Engine firewall.
With App Engine firewall, you simply provide a set of rules, order
them by priority and specify an IP address, or a set of IP
addresses, to block or allow, and we’ll take care of the rest.
When App Engine firewall receives a request that you’ve configured
to be denied, it returns an HTTP 403 Forbidden response without ever
hitting your app. If your app is idle, this prevents new instances
from spinning up, and if you’re getting heavy traffic, the denied
request won’t add to your load — or
cost you money.
App Engine firewall replaces the need for a code-based solution
within your app that still allows requests in, but which can cost
you resources and still expose your app.
Getting started with App Engine
You can set up App Engine firewall rules in the
Google Cloud Console,
as well as with the
App Engine Admin API
or the gcloud command-line tool.
Let’s say you’d like to test your application and give access only
to browsers from your company’s private network. Open your firewall rules
in the Cloud Console and you'll see a default rule that allows all
traffic to your app.
First, add a new rule allowing traffic only from the range of IP
addresses coming from your private network. Then, update the default
rule to deny all traffic.
As with typical firewall semantics, App
Engine firewall evaluates rules with a lower priority value first,
followed by rules with a higher value. In the example above, the
Allow rule with a priority of 100 is evaluated first, followed by
the default rule.
To make sure that your set of firewall rules is working as intended,
you can test an IP address to see if a request coming from this
address would be allowed or denied.
From the Cloud Console, click the
tab in the Firewall Rules section.
The response indicates if the request can proceed and indicates the
specific firewall rule that matched the provided IP address.
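
The evaluation order and the IP test described above can be modelled locally to check a rule set before applying it. This is an added example, not Google's code or part of the original post; the `Rule` class, the `evaluate` function, the priority-50 deny rule, the documentation-range addresses and the numeric priority of the default rule are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed numeric priority for the default rule; only "sorts last" matters here.
DEFAULT_PRIORITY = 2**31 - 1


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str        # "allow" or "deny"
    source_range: str  # single IP, CIDR block, or "*" for all traffic

    def matches(self, ip):
        if self.source_range == "*":
            return True
        net = ipaddress.ip_network(self.source_range, strict=False)
        # An IPv6 client never matches an IPv4 range, and vice versa.
        return ip.version == net.version and ip in net


def evaluate(rules, address):
    """Return (action, rule) for the first match, lowest priority value first."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(ip):
            return rule.action, rule
    raise ValueError("rule set has no default rule")


# Constructed rule set: 192.0.2.0/24 stands in for the company network.
RULES = [
    Rule(DEFAULT_PRIORITY, "deny", "*"),  # default rule, updated to deny
    Rule(100, "allow", "192.0.2.0/24"),   # private network
    # A block for one host inside the allowed range only takes effect
    # because its priority value is lower than the allow rule's.
    Rule(50, "deny", "192.0.2.77"),
]

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.77", "198.51.100.5", "2001:db8::1"):
        action, rule = evaluate(RULES, addr)
        print(f"{addr:>14} -> {action:5} "
              f"(priority {rule.priority}, range {rule.source_range})")
```

If the priority-50 rule were given a value above 100, the allow rule would match first and the single-host block would never be reached.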
With App Engine
firewall, it’s easy to set up network access to your app and focus
on what matters most: your app, without worrying about access
control within your code. Check out the full documentation.
App Engine firewall is in beta, so avoid using this functionality in
production environments. If you have any questions, concerns or if
something is not working as you’d expect, you can post in the
Google App Engine forum,
file a public issue or
get in touch on the
App Engine Slack channel.