How to establish a secure connection from GAE (with public access) to a private GKE cluster

4/20/2020

I have a standard Google App Engine (GAE) environment. This environment is exposed to the public Internet, so users can establish connections. On the other hand, I have a private GKE cluster (no public endpoint access). In this scenario, apps in GAE need to establish a connection with the GKE cluster, but we need to keep the GKE cluster private, since we don't want to expose the GKE cluster to the public internet.

I told the customer that we can implement it using Internal Load Balancer or a Proxy in between, so that applications in GAE can safely reach the private GKE cluster.

However, the customer does not trust those alternatives.

What alternatives do I have to securely allow connections from applications in GAE to the private GKE cluster?

If there are any, could you describe the arguments that make those connections (GAE to GKE) secure?

Thanks in advance!

-- José Enrique Hernández
gke-networking
google-app-engine
google-cloud-platform
google-kubernetes-engine

1 Answer

4/22/2020

Considering that you have a:

  • Standard App Engine instance
  • Private GKE cluster
  • A different project for each of the resources mentioned

As stated by @John Hanley:

Which App Engine - Standard or Flexible? For Standard, your option is Serverless VPC Access cloud.google.com/vpc/docs/configure-serverless-vpc-access. For Flexible, if you are in the same VPC, you already have access. Otherwise look at VPC Peering cloud.google.com/vpc/docs/vpc-peering

-- John Hanley (comment)

Both of your resources are in different projects. They have separate networking. There are solutions for having a connection between two projects, like:

  • Shared VPC
  • VPC Peering

Shared VPC

Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that network.

-- Cloud.google.com: Shared VPC

You could try to use something like Cloud.google.com: Serverless VPC Access

Serverless VPC Access enables you to connect from the App Engine standard environment and Cloud Functions directly to your VPC network. This connection makes it possible for your App Engine standard environment apps and Cloud Functions to access resources in your VPC network via internal (private) IP addresses. Using internal IP addresses improves the latency of communication between your Google Cloud services and avoids exposing internal resources to the public internet.

The problem is that Serverless VPC Access is not supported by a Shared VPC, which is required when you have different projects. The fragment from the documentation below states:

Serverless VPC Access supports communication to VPC networks connected via Cloud VPN and VPC Network Peering. Serverless VPC Access does not support legacy networks or Shared VPC networks.

-- Cloud.google.com: Shared VPC

VPC Peering

Google Cloud VPC Network Peering allows private RFC 1918 connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same project or the same organization.

VPC Network Peering enables you to peer VPC networks so that workloads in different VPC networks can communicate in private RFC 1918 space. Traffic stays within Google's network and doesn't traverse the public internet.

Cloud.google.com: VPC peering

The issue with VPC Peering is that it supports the App Engine flexible environment but not the App Engine standard environment.

VPC Network Peering works with Compute Engine, GKE, and App Engine flexible environment.

Cloud.google.com: VPC Peering: Key Properties

Workarounds

The workarounds would be either:

  • Create everything in the same project
  • Create your application as Flexible

Let me know if you have any questions about that.

-- Dawid Kruk
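The single-project workaround from the answer above, spelled out as an added example (this is not code from the question, the answer, or Google's documentation). It assumes hypothetical names: project `my-project`, region `us-central1`, VPC `default`, connector `gae-to-gke`, a free /28 range `10.8.0.0/28`, a GKE node tag `gke-node`, and a backend Deployment labelled `app: backend`. The functions that call `gcloud` and `kubectl` only run when the script is invoked with `apply`; without arguments it just renders the two manifests so the shape can be checked offline.

```shell
#!/usr/bin/env sh
# Added example: App Engine standard -> Serverless VPC Access connector ->
# internal load balancer in front of a private GKE cluster, all in ONE project
# and ONE VPC (the answer's "create everything in the same project" workaround).
# Every name below is an assumed placeholder, not a value from the original post.
set -eu

PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-us-central1}"             # must match the App Engine app's region
NETWORK="${NETWORK:-default}"               # VPC the GKE cluster lives in
CONNECTOR="${CONNECTOR:-gae-to-gke}"
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"   # unused /28 inside the VPC
NODE_TAG="${NODE_TAG:-gke-node}"            # assumed network tag on the GKE nodes

# 1. Connector: gives App Engine standard an internal-IP egress path into the VPC.
create_connector() {
  gcloud services enable vpcaccess.googleapis.com --project "$PROJECT"
  gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project "$PROJECT" --region "$REGION" \
    --network "$NETWORK" --range "$CONNECTOR_RANGE"
}

# 2. Firewall: the only source allowed to reach the backend port is the
#    connector's /28, so nothing else in the VPC (or outside it) can hit the ILB.
create_firewall() {
  gcloud compute firewall-rules create allow-gae-connector-to-gke \
    --project "$PROJECT" --network "$NETWORK" \
    --direction INGRESS --action ALLOW --rules tcp:80 \
    --source-ranges "$CONNECTOR_RANGE" --target-tags "$NODE_TAG"
}

# 3. app.yaml fragment for the App Engine standard service. With the default
#    egress setting only RFC 1918 destinations go through the connector, which
#    is exactly what the ILB address is.
render_app_yaml() {
  cat <<EOF
runtime: python39
vpc_access_connector:
  name: projects/$PROJECT/locations/$REGION/connectors/$CONNECTOR
EOF
}

# 4. Kubernetes Service: an INTERNAL load balancer, so the GKE workload gets a
#    private IP in the VPC and never a public forwarding rule.
render_ilb_service() {
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: backend
  annotations:
    cloud.google.com/load-balancer-type: "Internal"
spec:
  type: LoadBalancer
  selector:
    app: backend
  ports:
  - port: 80
    targetPort: 8080
EOF
}

case "${1:-}" in
  apply)
    create_connector
    create_firewall
    render_app_yaml > app.yaml                       # then: gcloud app deploy app.yaml
    render_ilb_service | kubectl apply -f -          # kubectl context: the private cluster
    ;;
  *)
    render_app_yaml
    render_ilb_service
    ;;
esac
```

Two checks a practitioner should make before running `apply`: the connector's /28 must not overlap any existing subnet or secondary range in the VPC, and the connector must be created in the same region as the App Engine app, otherwise `gcloud app deploy` rejects the `vpc_access_connector` setting. After deployment the App Engine service reaches the backend by the ILB's internal IP (or an internal DNS name you point at it); that address is not routable from the Internet, which is the property the question is after.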
Source: StackOverflow