How can I allow access to a REST API on an IP basis?

1/6/2020

I would like to block access to a REST API so that the world can't access it and only predefined IPs can. My back-end is a Java service, but I would like to separate this layer of security from the code and apply it as an external tool, some kind of firewall for endpoints. For example:

(screenshot omitted)

I'm working with GKE.

Anyone knows a solution for this?

Thanks

-- Idan
Tags: api, firewall, google-kubernetes-engine

2 Answers

1/6/2020

You can use Google Cloud Armor to allow access to your app only from specific IP addresses or CIDR ranges. It integrates with GKE and fits exactly the use case you described. Just note that it's currently in beta and may not be suitable for production, depending on your requirements.

-- LundinCast
Source: StackOverflow
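One way to see what this answer means in practice, as an added example that is not part of the answer and not Google's code: a small Python model of a Cloud Armor security policy that allow-lists client IPs, plus the gcloud commands and the GKE BackendConfig that would put the same policy in front of the backend. Cloud Armor evaluates rules in ascending priority order, the first matching rule wins, and the fixed default rule at priority 2147483647 decides everything that did not match, so the default must be the deny. The policy and backend names, the rule priorities and the sample CIDR ranges (RFC 5737 documentation ranges) are assumptions.

```python
"""Offline model of a Cloud Armor security policy that allow-lists client IPs.

Added example, not code from the answer or from Google. Cloud Armor evaluates
rules in ascending priority order, the first matching rule wins, and the
fixed default rule (priority 2147483647) decides everything that did not
match. Names, ranges and ports here are assumptions.
"""
import ipaddress
from dataclasses import dataclass

DEFAULT_PRIORITY = 2_147_483_647   # Cloud Armor's fixed default-rule priority
MAX_RANGES_PER_RULE = 10           # Cloud Armor limit on --src-ip-ranges per rule


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str          # gcloud spelling: "allow" or "deny-403"
    src_ranges: tuple    # ip_network objects; an empty tuple matches everything
    description: str = ""


def build_policy(allowed_cidrs):
    """Allow the given CIDRs, deny the rest. Rejects an allow-list that is really 'everyone'."""
    # strict=True rejects "203.0.113.5/24" (host bits set) instead of silently widening it.
    nets = tuple(ipaddress.ip_network(c, strict=True) for c in allowed_cidrs)
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("0.0.0.0/0 or ::/0 in an allow-list lets the whole world in")
    rules = []
    # One allow rule per chunk of 10 ranges, because of the per-rule limit.
    for i in range(0, len(nets), MAX_RANGES_PER_RULE):
        chunk = nets[i:i + MAX_RANGES_PER_RULE]
        rules.append(Rule(1000 + i, "allow", chunk, "predefined client ranges"))
    rules.append(Rule(DEFAULT_PRIORITY, "deny-403", (), "default: deny everyone else"))
    return rules


def evaluate(policy, client_ip):
    """Action Cloud Armor would take for client_ip: lowest priority number wins."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(policy, key=lambda r: r.priority):
        # An IPv6 client never matches an IPv4 range and vice versa, so it falls to the default.
        if not rule.src_ranges or any(ip in n for n in rule.src_ranges):
            return rule.action
    raise RuntimeError("policy has no default rule")


def gcloud_commands(policy_name, backend_service, policy):
    """The gcloud calls that create this policy and attach it to a backend service."""
    cmds = [f"gcloud compute security-policies create {policy_name}"]
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule.priority == DEFAULT_PRIORITY:
            # The default rule exists as soon as the policy does; it is updated, not created.
            cmds.append(f"gcloud compute security-policies rules update {rule.priority} "
                        f"--security-policy={policy_name} --action={rule.action}")
        else:
            ranges = ",".join(str(n) for n in rule.src_ranges)
            cmds.append(f"gcloud compute security-policies rules create {rule.priority} "
                        f"--security-policy={policy_name} --action={rule.action} "
                        f"--src-ip-ranges={ranges} --description='{rule.description}'")
    cmds.append(f"gcloud compute backend-services update {backend_service} "
                f"--security-policy={policy_name} --global")
    return cmds


def backend_config_yaml(policy_name):
    """On GKE the policy is attached through a BackendConfig that the Service references
    with the cloud.google.com/backend-config annotation (object name assumed)."""
    return f"""apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: rest-api-backendconfig
spec:
  securityPolicy:
    name: {policy_name}
"""


if __name__ == "__main__":
    # Constructed sample allow-list: one office /24 and one partner host.
    policy = build_policy(["203.0.113.0/24", "198.51.100.7/32"])
    for ip in ("203.0.113.45", "198.51.100.8", "2001:db8::1"):
        print(ip, "->", evaluate(policy, ip))
    print("\n".join(gcloud_commands("rest-api-allowlist", "rest-api-backend", policy)))
    print(backend_config_yaml("rest-api-allowlist"))
```

The evaluator is useful on its own: run a list of known client addresses and a few addresses that must be refused through `evaluate` before applying the policy, and note that an IPv6 client never matches an IPv4 range, so a dual-stack front end needs its IPv6 ranges listed as well.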

1/6/2020

As GKE is, in the end, a bunch of VMs, you can use firewall rules to block (or allow) IPs accessing your endpoints; remember the flow of the data:

 Internet -> Google Cloud (firewall) -> Validation -> Services (VMs, GKE, AppEngine, etc.)

There is this document: https://cloud.google.com/solutions/prep-kubernetes-engine-for-prod that may come in handy, especially the part on Firewalling; you can use it as a guide to create the firewall rules you require to cover your needs and perhaps even extend it for better security.

Just remember: create your rules with the access required and no more (if you are using just one port, give access to that one port only, not to a bunch) and avoid the 0.0.0.0/0 rule; it is better to create pinholes than an open door.

Update: As the requester explained better, I think the best shot to achieve faster (and better) results will be using a load balancer with URL maps; that way the backend services will be untouched and the IP path discrimination will be at the upper level. The information can be found at https://cloud.google.com/load-balancing/docs/url-map-concepts

If you require more help, just let me know ;)

-JP

-- JorgeHPM
Source: StackOverflow
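As an added example that is not part of this answer: a Python check of the "pinholes, not an open door" advice, applied to a VPC firewall rule before it is created with gcloud, together with the one caveat that matters on GKE. Traffic that arrives through an external HTTP(S) load balancer reaches the nodes from Google's proxy ranges 130.211.0.0/22 and 35.191.0.0/16, with the client's own address only in the X-Forwarded-For header, so a VPC firewall rule can filter by client IP only for traffic that reaches the node directly (a NodePort, or a passthrough network load balancer), and those two ranges have to stay allowed for the load balancer's health checks. Rule names, network tags, ports and the sample ranges (RFC 5737 documentation ranges) are assumptions.

```python
"""Least-privilege checks for a GCP VPC ingress firewall rule before it is applied.

Added example, not code from the answer. Models the fields that
`gcloud compute firewall-rules create` takes and flags what the answer warns
about: 0.0.0.0/0 sources, more ports than needed, and rules with no target.
"""
import ipaddress
from dataclasses import dataclass, field

# Google's HTTP(S) load balancer proxies and health checkers connect from these
# ranges; a node behind such a load balancer sees them, not the client's IP.
LB_PROXY_RANGES = (ipaddress.ip_network("130.211.0.0/22"),
                   ipaddress.ip_network("35.191.0.0/16"))


@dataclass
class IngressRule:
    name: str
    source_ranges: list                       # CIDR strings
    allow: list                               # gcloud specs, e.g. ["tcp:443"]
    target_tags: list = field(default_factory=list)


def is_lb_proxy_source(peer_ip):
    """True when the TCP peer is the load balancer, i.e. the real client is only in X-Forwarded-For."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in n for n in LB_PROXY_RANGES)


def ports_in_spec(spec):
    """Expand a gcloud protocol spec ('tcp:80,443-444') into a set of ports; None means all ports."""
    _proto, _, ports = spec.partition(":")
    if not ports:
        return None
    out = set()
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def lint(rule, needed_ports):
    """Findings for a rule; an empty list means it opens exactly what needed_ports requires."""
    findings = []
    for src in rule.source_ranges:
        net = ipaddress.ip_network(src)
        if net.prefixlen == 0:
            findings.append(f"{rule.name}: source {net} is the whole internet, not a pinhole")
        elif net.version == 4 and net.prefixlen < 24:
            findings.append(f"{rule.name}: source {net} is broader than a /24, check it is all needed")
    for spec in rule.allow:
        opened = ports_in_spec(spec)
        if opened is None:
            findings.append(f"{rule.name}: '{spec}' opens every port of that protocol")
            continue
        extra = sorted(opened - set(needed_ports))
        if extra:
            findings.append(f"{rule.name}: '{spec}' also opens {extra[:5]}, which nothing needs")
    if not rule.target_tags:
        findings.append(f"{rule.name}: no target tags, so it applies to every VM in the network")
    return findings


def gcloud_command(rule, network="default"):
    """The create command for a rule that passed lint (network name assumed)."""
    return (f"gcloud compute firewall-rules create {rule.name} --network={network} "
            f"--direction=INGRESS --action=ALLOW --rules={','.join(rule.allow)} "
            f"--source-ranges={','.join(rule.source_ranges)} "
            f"--target-tags={','.join(rule.target_tags)}")


if __name__ == "__main__":
    # Constructed rules: an open door, and the pinhole that replaces it
    # (30443 is an assumed NodePort of the API Service, tag assumed on the node pool).
    open_door = IngressRule("allow-all", ["0.0.0.0/0"], ["tcp"])
    pinhole = IngressRule("allow-partner-api", ["203.0.113.0/24", "198.51.100.7/32"],
                          ["tcp:30443"], ["gke-rest-api-node"])
    for r in (open_door, pinhole):
        print(r.name, lint(r, needed_ports={30443}) or "OK")
    print(gcloud_command(pinhole))
    print("peer 35.191.3.4 is the LB proxy:", is_lb_proxy_source("35.191.3.4"))
```

Run `lint` over every rule you intend to create and refuse to apply any that returns findings; `is_lb_proxy_source` is the check to run on the peer address in the service or its access logs to confirm whether the node actually sees client IPs, which decides whether a VPC rule or Cloud Armor is the right layer.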