Tags: google-app-engine, google-cloud-platform, google-kubernetes-engine

Routing between GCP projects (AppEngine + Kubernetes)


In Google Cloud, I have an application deployed in Kubernetes in one project (call it Project-A), and another deployed in App Engine (call it Project-B). Project-A has a cloud NAT created using automatic IP. Project-B uses App Engine standard.

Project-B by default allows ingress traffic from the internet. However, I only want Project-A to communicate with Project-B. All other traffic needs to be blocked.

I currently do not have any shared VPC configured.

In Project-B, I configure the App Engine Firewall rules with the following deny rules (the list below is shown in the order of the firewall rule priority defined in App Engine Firewall):

0.0.0.1/32
0.0.0.2/31
0.0.0.4/30
0.0.0.8/29
0.0.0.16/28
0.0.0.32/27
0.0.0.64/26
0.0.0.128/25
0.0.1.0/24
0.0.2.0/23
0.0.4.0/22
0.0.8.0/21
0.0.16.0/20
0.0.32.0/19
0.0.64.0/18
0.0.128.0/17
0.1.0.0/16
0.2.0.0/15
0.4.0.0/14
0.8.0.0/13
0.16.0.0/12
0.32.0.0/11
0.64.0.0/10
0.128.0.0/9
1.0.0.0/8
2.0.0.0/7
4.0.0.0/6
8.0.0.0/5
16.0.0.0/4
32.0.0.0/3
64.0.0.0/2
128.0.0.0/1
default rule: allow *

(the CIDR blocks above correspond to 0.0.0.1 - 255.255.255.255; I used https://www.ipaddressguide.com/cidr to perform the calculation for me).

From Project-A, I am still able to reach Project-B. Is there some kind of internal network routing that Google does which bypasses the App Engine firewall? It seems like in this case, Google is using the default rule and ignoring all my other rules.

I then did the reverse. The rules for all those CIDR blocks above were changed to ALLOW, while the last default rule was changed to DENY for all IPs. I then got the reverse behaviour - Project-A is unable to reach Project-B. Again, it looks like only the default rule is being used.

How can I achieve the situation where only Project-A can communicate with Project-B and no internet ingress traffic is allowed to reach Project-B? Can I avoid using a shared VPC? If I do use a shared VPC, what should the App Engine firewall rules be for Project-B?
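The following script is an added check, not code from the question or from Google's documentation. It takes the 32 deny blocks listed above, verifies which part of the IPv4 space they leave uncovered, and models the rule list under first-match-by-priority evaluation (that evaluation model and the sample source addresses are assumptions of the example) so you can see what verdict a given source IP should receive under both the deny-list and the reversed allow-list configuration described in the question.

```python
import ipaddress

# The 32 deny blocks from the question, in priority order; together they are
# meant to cover 0.0.0.1 through 255.255.255.255.
DENY_BLOCKS = [
    "0.0.0.1/32", "0.0.0.2/31", "0.0.0.4/30", "0.0.0.8/29",
    "0.0.0.16/28", "0.0.0.32/27", "0.0.0.64/26", "0.0.0.128/25",
    "0.0.1.0/24", "0.0.2.0/23", "0.0.4.0/22", "0.0.8.0/21",
    "0.0.16.0/20", "0.0.32.0/19", "0.0.64.0/18", "0.0.128.0/17",
    "0.1.0.0/16", "0.2.0.0/15", "0.4.0.0/14", "0.8.0.0/13",
    "0.16.0.0/12", "0.32.0.0/11", "0.64.0.0/10", "0.128.0.0/9",
    "1.0.0.0/8", "2.0.0.0/7", "4.0.0.0/6", "8.0.0.0/5",
    "16.0.0.0/4", "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/1",
]


def build_rules(blocks, action, default_action):
    """Ordered rule list: one (network, action) per block, highest priority
    first, followed by the catch-all default rule for 0.0.0.0/0."""
    rules = [(ipaddress.ip_network(b), action) for b in blocks]
    rules.append((ipaddress.ip_network("0.0.0.0/0"), default_action))
    return rules


def evaluate(rules, source_ip):
    """Model of priority-ordered, first-match evaluation (an assumption of this
    example): the first rule whose range contains the source decides."""
    ip = ipaddress.ip_address(source_ip)
    for network, action in rules:
        if ip in network:
            return action
    raise ValueError(f"no rule matched {source_ip}")  # unreachable with a /0 default


def coverage_gaps(blocks):
    """Return, as sorted strings, the parts of 0.0.0.0/0 that no block covers."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for block in map(ipaddress.ip_network, blocks):
        next_remaining = []
        for net in remaining:
            if block.subnet_of(net):
                # Carve the block out of this still-uncovered range.
                next_remaining.extend(net.address_exclude(block))
            elif net.subnet_of(block):
                pass  # Entirely inside the block: fully covered, drop it.
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return sorted(str(n) for n in remaining)


def verdicts(rules, sources):
    """Verdict per source address under the given rule list."""
    return {src: evaluate(rules, src) for src in sources}


if __name__ == "__main__":
    print("uncovered by the 32 blocks:", coverage_gaps(DENY_BLOCKS))
    deny_list = build_rules(DENY_BLOCKS, "deny", "allow")    # question's first setup
    allow_list = build_rules(DENY_BLOCKS, "allow", "deny")   # question's reversed setup
    # Constructed sample sources, not addresses from the question.
    samples = ["0.0.0.0", "10.0.0.5", "35.200.1.1", "203.0.113.7", "255.255.255.255"]
    print("deny-list rules: ", verdicts(deny_list, samples))
    print("allow-list rules:", verdicts(allow_list, samples))
```

The only address the 32 blocks leave for the default rule is 0.0.0.0/32, which can never be a real source address, so for any genuine client the ordered list and a single catch-all rule give the same verdict. That is why the observed behaviour (deny-list lets Project-A through, allow-list blocks it) cannot be explained by a gap in the CIDR list; whatever source the firewall actually matched on was not what the rules anticipated.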


Solution

  • Sure. I ended up going with the load balancer solution. This gives me a loosely coupled solution, which is better for my scenario. Takes less than 30 minutes to set it up.