I have _ah/start and _ah/stop routes in my 'Flexible' app. I understand the GAE containers will invoke those endpoints when the app comes up, and is going down.
After I've deployed my app, I can hit them myself from the comfort of my couch. That makes no sense of course, as random strangers cannot be the arbiter of when app instances come up and go down. How do I configure AppEngine to block the publication of those two routes to the outside world? Or is in my job in the implementation of those two routes to check IP addresses or look for a header only GAE can send?
So flex does not use the /_ah/* paths and therefore does not hide them. Sadly we have an inconsistency in our docs. It is correctly documented here https://cloud.google.com/appengine/docs/flexible/python/migrating but (at the moment) https://cloud.google.com/appengine/docs/flexible/custom-runtimes/build is incorrect. The documentation update is under review and should go public shortly.
Apologies for the confusion.