Connect to kubernetes engine from app engine standard

11/14/2018

We want to access some services on Google Kubernetes Engine from Google App Engine standard via HTTP(S). We don't want to expose the services to external networks, for security reasons.

  • App Engine flexible can use a private network with an internal load balancer or VPC (post). How about App Engine standard?

  • 2 years ago, we could not do it. (post)

  • We can set rules about IP addresses, but an IP address for App Engine standard is not static.

What is the best solution?

Thanks for your help.

-- Kaz_JP
google-app-engine
google-compute-engine
google-kubernetes-engine
kubernetes

1 Answer

11/15/2018

"App Engine flexible can use a private network with an internal load balancer or VPC (post). How about App Engine standard?"

Not really as per this:

"A VPC network, sometimes just called a “network,” is a virtual version of a physical network, like a data center network. It provides connectivity for your Compute Engine virtual machine (VM) instances, Kubernetes Engine clusters, App Engine Flex instances, and other resources in your project."

"We can set rules about IP addresses, but an IP address for App Engine standard is not static."

Yes. They are always changing. The recommendation here is to use their Static IP range combined with:

"Instead, we suggest that you take a defense in depth approach using OAuth and Certs."

You could also look at things like Cloud Armor (in alpha as of this writing), or a Virtual WAF. Longer term it would make more sense to move your workloads from Google App Engine into GKE.

-- Rico
Source: StackOverflow
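
An added illustration of the answer's point, not code from the post or from Google: since the caller's source IP cannot be allowlisted, the service on GKE decides from a signed, short-lived bearer token and only records the IP. A standard-library HS256 shared-key token stands in here for an OAuth/OIDC token; the key, audience and caller name are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this sketch; none of these names come from the page.
SHARED_KEY = b"constructed-demo-key"                   # would come from a secret store
EXPECTED_AUD = "https://internal-api.example.invalid"  # hypothetical service identifier
ALLOWED_CALLERS = ("frontend-app",)                    # hypothetical caller identity

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def mint_token(sub, aud, ttl=300, key=SHARED_KEY, now=None, alg="HS256"):
    """Caller side (the App Engine app): issue a short-lived signed token."""
    now = int(time.time() if now is None else now)
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps({"sub": sub, "aud": aud, "exp": now + ttl}).encode())
    return f"{head}.{body}.{_b64e(_sign(key, head, body))}"

def authorize(headers, source_ip, now=None):
    """Service side (on GKE): decide from the credential; source_ip is only recorded."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    try:
        head, body, sig = auth[7:].split(".")
        header, claims, given = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
    except ValueError:
        return False, "malformed token"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return False, "malformed token"
    if header.get("alg") != "HS256":           # refuse "none" or any other algorithm
        return False, "unexpected alg"
    if not hmac.compare_digest(_sign(SHARED_KEY, head, body), given):
        return False, "bad signature"
    if claims.get("aud") != EXPECTED_AUD:
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    if claims.get("sub") not in ALLOWED_CALLERS:
        return False, "caller not allowed"
    return True, f"ok sub={claims['sub']} ip={source_ip}"
```

In a real deployment this check would sit behind TLS, which is where the "Certs" half of the quoted recommendation comes in.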