google-app-engine, google-cloud-platform, google-app-engine-python

Google App Engine blocking access to my backend services


In Google App Engine, I have 3 services, 1 for front end, 2 for back end.

Is there a way to block HTTP calls to my backend services for accounts not from my company's domain (and the service account of the front end), but allow everyone HTTP access to my front end service?

I know there is the firewall option, but this is restricted to IP addresses; I would prefer user-based.

If it matters, all services are Python 3.


Solution

  • There's currently no option to filter traffic to specific App Engine services within a single application/project:

    • App Engine Firewall filters by source IP ranges but can only be set for the whole app, not per service.
    • Identity-Aware Proxy can filter access by user account as you'd prefer but also applies to the whole app. Also, it only supports user accounts and can't be used with service accounts.

    One option you may have would be to split your app into 2 different projects. Keep the front-end in one project open to the world and restrict access to the backend services in your other project via firewall rules.
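The two-project split suggested above, sketched as an added example that is not part of the original answer: a dry-run script that prints the `gcloud app firewall-rules` commands for the backend project. The project ID and the source ranges are constructed placeholders (documentation ranges) standing in for whatever addresses should be allowed to reach the backend.

```shell
#!/bin/sh
# Added example: lock down the App Engine firewall of a separate backend
# project. Dry-run by default (commands are printed); set APPLY=1 to run them.

# Assumed placeholders, not values from the page.
BACKEND_PROJECT="example-backend-project"
# Constructed sample ranges (RFC 5737 documentation blocks); replace with the
# ranges that should be allowed to call the backend services.
ALLOWED_RANGES="203.0.113.0/24 198.51.100.7/32"

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    echo "$*"
  fi
}

# Emit (or apply) the firewall plan for the backend project.
backend_firewall_plan() {
  prio=1000
  # Create the allow rules first, so that flipping the default to deny
  # afterwards never leaves a window where trusted callers are locked out.
  for range in $ALLOWED_RANGES; do
    run gcloud app firewall-rules create "$prio" \
      --project="$BACKEND_PROJECT" \
      --action=allow \
      --source-range="$range" \
      --description=allow-trusted-range
    prio=$((prio + 10))
  done
  # The App Engine firewall applies to the whole app, so every service in
  # this project is covered once the default rule denies everything else.
  run gcloud app firewall-rules update default \
    --project="$BACKEND_PROJECT" \
    --action=deny
}

backend_firewall_plan
```

The front-end project keeps its default allow rule, so it stays reachable by everyone.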