I have a standard Google App Engine (GAE) environment. This environment is exposed to the public Internet, so users can establish connections. On the other hand, I have a private GKE cluster (no public endpoint access). In this scenario, apps in GAE need establish connection with GKE cluster, but we need to keep the GKE cluster private, since we don't want expose the GKE cluster to the public internet.
I told the customer that we can implement it using Internal Load Balancer or a Proxy in between, so that applications in GAE can safely reach the private GKE cluster.
However, the customer does not trust those alternatives.
What are the alternatives I have to allow connections from applications in GAE to the private GKE cluster in securely ?
If there is any, could you describe the arguments that make those connections (GAE to GKE) secure ?
thanks in advance!
Considering that you have a:
App Engine instanceGKE clusterAs stated by @John Hanley:
Which App Engine - Standard or Flexible? For Standard, your option is Serverless VPC Access cloud.google.com/vpc/docs/configure-serverless-vpc-access. For Flexible, if you are in the same VPC, you already have access. Otherwise look at VPC Peering cloud.google.com/vpc/docs/vpc-peering
Both of your resources are in a different projects. They have a separate networking. There are solutions to have a connection between two projects like:
Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that network.
You could try to use something like Cloud.google.com: Serverless VPC Access
Serverless VPC Access enables you to connect from the App Engine standard environment and Cloud Functions directly to your VPC network. This connection makes it possible for your App Engine standard environment apps and Cloud Functions to access resources in your VPC network via internal (private) IP addresses. Using internal IP addresses improves the latency of communication between your Google Cloud services and avoids exposing internal resources to the public internet.
The problem is that the Serverless VPC access is not supported by a Shared VPC which is required when you have different projects. Below fragment from documentation states:
Serverless VPC Access supports communication to VPC networks connected via Cloud VPN and VPC Network Peering. Serverless VPC Access does not support legacy networks or Shared VPC networks.
Google Cloud VPC Network Peering allows private RFC 1918 connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same project or the same organization.
VPC Network Peering enables you to peer VPC networks so that workloads in different VPC networks can communicate in private RFC 1918 space. Traffic stays within Google's network and doesn't traverse the public internet.
The issue with VPC Peering is that it supports the Flexible App Engine and not Standard App Engine.
VPC Network Peering works with Compute Engine, GKE, and App Engine flexible environment.
The workarounds would be either:
FlexibleLet me know if you have any questions in that.