
Restrict access to your App Engine app with the firewall

Allow or deny access to your application for specific IP addresses


Over the summer, a new beta feature for App Engine was introduced: the App Engine firewall, an easy way to control access to your app. The firewall feature also became generally available about a month ago.

The firewall allows you to define a set of rules, ordered by priority, that specify an IP address or a set of IP addresses, to block or allow.

To define those rules, 3 approaches are available:

  • via the Google Cloud console,
  • with REST requests to the App Engine Admin API,
  • or through the gcloud CLI.

Example

When using the gcloud CLI, here’s the pattern of the command for defining a new rule:

gcloud app firewall-rules create PRIORITY \
    --action ALLOW_OR_DENY \
    --source-range IP_RANGE \
    --description DESCRIPTION

So for example, if you want to block access to some rogue network of addresses, you could do:

gcloud app firewall-rules create 100 \
    --action=deny \
    --source-range=203.0.113.0/24 \
    --description="Prevent access from rogue network"

Bonus

Once you’ve updated your firewall rules, you can also test if a particular IP address is accepted or rejected. You can do so from within the console UI, as well as with the gcloud CLI:

gcloud app firewall-rules test-ip 203.0.113.2

There are additional commands as well, such as list to show the whole configuration, or delete to remove rules by priority.
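Because rules are ordered by priority, the first matching rule decides, and a rule with a higher number can be silently shadowed by a broader one above it. The following added example (not from the original post and not gcloud's own code) models that evaluation offline over an exported rule list; it assumes the lowest priority number is evaluated first and that the default rule sits at priority 2147483647 with source range `*`, and the rules at priorities 50 and 200 are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud app firewall-rules list --format=json`
# (Admin API FirewallRule fields: priority, action, sourceRange).
SAMPLE_RULES_JSON = """[
 {"priority": 2147483647, "action": "ALLOW", "sourceRange": "*"},
 {"priority": 100, "action": "DENY", "sourceRange": "203.0.113.0/24"},
 {"priority": 200, "action": "ALLOW", "sourceRange": "203.0.113.128/25"},
 {"priority": 50, "action": "ALLOW", "sourceRange": "203.0.113.2"}
]"""

def networks(source_range):
    """Turn a sourceRange ("*", one address, or a CIDR block) into networks."""
    if source_range == "*":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return [ipaddress.ip_network(source_range, strict=False)]

def load_rules(text):
    """Parse exported rules and sort them in evaluation order (assumed: lowest first)."""
    return sorted(json.loads(text), key=lambda r: int(r["priority"]))

def evaluate_ip(rules, ip):
    """Return (action, priority) of the first rule in order that matches ip."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        for net in networks(rule["sourceRange"]):
            if addr.version == net.version and addr in net:
                return rule["action"], int(rule["priority"])
    raise ValueError("no rule matched; the export lacks the default rule")

def shadowed_rules(rules):
    """Priorities of rules fully covered by a single earlier rule (never reached)."""
    shadowed = []
    for i, rule in enumerate(rules):
        earlier = [n for r in rules[:i] for n in networks(r["sourceRange"])]
        if all(any(n.version == e.version and n.subnet_of(e) for e in earlier)
               for n in networks(rule["sourceRange"])):
            shadowed.append(int(rule["priority"]))
    return shadowed

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES_JSON)
    for ip in ("203.0.113.2", "203.0.113.200", "198.51.100.9"):
        print(ip, evaluate_ip(rules, ip))
    print("shadowed priorities:", shadowed_rules(rules))
```

Compare the result for an address with what `gcloud app firewall-rules test-ip` reports against the live configuration; a disagreement means the export is stale or the model's assumptions do not hold.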

More information

You can learn more about the App Engine firewall by reading the documentation: “Controlling Access with Firewall.”
