Google AppEngine's Firewall Strange behavior

12/6/2019

Today I've experienced very unusual behavior of Google AppEngine's firewall. I have an app running inside a GKE pod and another one running inside AppEngine. I need my pod to be able to access AppEngine. If I do a curl from a pod like this: curl ifconfig.co, I see 35...*. By the way, if I try to curl ipinfo.io/ip, the answer is 0.0.0.0.

Now I'm trying to permit those IP addresses in AppEngine's firewall, but nothing happens. (The 10.0.0.0/8 network is also permitted; the default rule is set to prohibited.)

After that I tried to permit all traffic to AppEngine and determine which IP is visible to it. And here's what I get:

protoPayload: {
  @type: "type.googleapis.com/google.appengine.logging.v1.RequestLog"   
  appEngineRelease: "1.9.71"   
  appId: "redacted"   
  cost: 2.3245e-8   
  endTime: "2019-12-06T13:50:49.895089Z"   
  finished: true   
  first: true   
  host: "redacted.appspot.com"   
  httpVersion: "HTTP/1.1"   
  instanceId: "redacted-id"   
  instanceIndex: -1   
  ip: "0.0.0.0"   
  latency: "14.364944s"

The IP is 0.0.0.0. If I permit 0.0.0.0 in the firewall, AppEngine becomes accessible for the pod but not for the rest of the world. Is that expected behavior?

-- icy
firewall
google-app-engine
google-cloud-platform
google-kubernetes-engine

1 Answer

12/6/2019

When the firewall rule is set for 0.0.0.0 it only allows that IP, and 0.0.0.0/0 is the whole internet.

So if the firewall rule you set was only for 0.0.0.0, it is expected behavior.

-- José Soní
Source: StackOverflow
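
The difference between a rule for 0.0.0.0 and one for 0.0.0.0/0, shown as an added example that is not part of the original question or answer. It is a simplified model of first-match evaluation in ascending priority order; the rule priorities, the 203.0.113.0/24 range standing in for the pod's egress address, and the outside client 198.51.100.7 are constructed.

```python
import ipaddress

DEFAULT_PRIORITY = 2147483647  # priority of App Engine's built-in "default" rule


def evaluate(rules, source_ip):
    """Return (action, matched_range) for source_ip; lowest priority number wins."""
    addr = ipaddress.ip_address(source_ip)
    for priority, action, source_range in sorted(rules):
        # "*" is the default rule's wildcard; a bare address parses as a single host (/32).
        net = None if source_range == "*" else ipaddress.ip_network(source_range, strict=False)
        if net is None or (addr.version == net.version and addr in net):
            return action, source_range
    raise ValueError("rule set has no default rule")


def hosts_covered(source_range):
    """Number of addresses a source range admits."""
    return ipaddress.ip_network(source_range, strict=False).num_addresses


# Constructed rule set modelled on the question: 10.0.0.0/8 allowed, default deny.
# 203.0.113.0/24 is a documentation range standing in for the pod's egress IP.
BASE = [
    (100, "ALLOW", "10.0.0.0/8"),
    (200, "ALLOW", "203.0.113.0/24"),
    (DEFAULT_PRIORITY, "DENY", "*"),
]
SINGLE_HOST = BASE + [(300, "ALLOW", "0.0.0.0")]        # the rule the asker added
WHOLE_INTERNET = BASE + [(300, "ALLOW", "0.0.0.0/0")]   # what "permit everything" looks like

if __name__ == "__main__":
    cases = [("base", BASE), ("0.0.0.0", SINGLE_HOST), ("0.0.0.0/0", WHOLE_INTERNET)]
    for name, rules in cases:
        # 0.0.0.0 is the address the request log showed; 198.51.100.7 is an outside client.
        for ip in ["0.0.0.0", "198.51.100.7"]:
            print(f"{name:10} {ip:14} -> {evaluate(rules, ip)}")
    print("0.0.0.0 covers", hosts_covered("0.0.0.0"), "address;",
          "0.0.0.0/0 covers", hosts_covered("0.0.0.0/0"))
```

With the single-host rule, only requests logged as coming from 0.0.0.0 pass and every other client still hits the default deny, which matches what the question observed.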