Tags: google-app-engine, google-cloud-platform, google-cloud-networking

How can we implement App Engine service-to-service communication using internal communication, isolated from the public internet?


I have two App Engine services and I want to invoke one service from the other using only internal communication. How do I do this? For example, abcproject.service1.appspot.com invoking abcproject.service2.appspot.com


Solution

  • The right question: what do you mean by internal?

    First of all, internal IPs are not possible because you don't have IPs, you have URLs. The service being serverless, it can scale up and down automatically; it sits behind a load balancer (GFE, the Google Front End) that authenticates and routes the request. It's the same component for all/many App Engine services, from your project or from other projects. It's also the same layer that protects Google services (YouTube, Play Store, Gmail, ...).

    Thus, can you have internal URL communication? Here "internal" is blurry: internal to what?

    • To your project? No, because App Engine instances don't reside in your project/VPC but in a Google-managed world that you can't manage.
    • To Google Cloud? Yes, the request stays in the Google Cloud network and never reaches the public internet. The requests are always authenticated, sometimes encrypted.

    The question behind this is: why do you want to use only internal IPs? For security, I guess. Therefore, you can use IAP so that the GFE checks the authentication AND the IAM authorization of the requester before forwarding the request to App Engine. That way, only authenticated and authorized traffic will be able to reach the service.

    Isn't that what you want to achieve at the end of the day?
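The IAP pattern the answer points at, written out as an added example (this is not code from the question or the answer): service1 mints a Google-signed OIDC ID token for the IAP OAuth client ID and sends it as a bearer token; IAP checks authentication and IAM authorization at the GFE and, only if both pass, forwards the request to service2 with its own signed `x-goog-iap-jwt-assertion` header, which service2 verifies before trusting the caller identity. Only `abcproject` comes from the question; the project number, IAP client ID, service URL, endpoint path and caller allowlist are assumptions. The two live functions need the `google-auth` library and the App Engine runtime; the request-handling logic runs offline with an injected verifier.

```python
"""Caller and callee halves of an IAP-fronted App Engine service-to-service call."""
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Constructed values (assumptions, not from the original post). "abcproject" is the
# project id from the question; the project number and IAP OAuth client id are placeholders.
PROJECT_ID = "abcproject"
PROJECT_NUMBER = "123456789012"                                   # hypothetical
IAP_CLIENT_ID = "123456789012-abcdef.apps.googleusercontent.com"  # hypothetical
SERVICE2_URL = f"https://service2-dot-{PROJECT_ID}.appspot.com/internal/ping"  # hypothetical path
IAP_ISSUER = "https://cloud.google.com/iap"
IAP_CERTS_URL = "https://www.gstatic.com/iap/verify/public_key"
# Hypothetical allowlist: only service1's runtime identity (the project's App Engine
# default service account) may call this endpoint, even though IAP already applied IAM.
ALLOWED_CALLERS = frozenset({f"{PROJECT_ID}@appspot.gserviceaccount.com"})


def iap_audience(project_number: str, project_id: str) -> str:
    """Audience value IAP places in the JWT it forwards to an App Engine backend."""
    return f"/projects/{project_number}/apps/{project_id}"


def build_outbound_headers(token: str) -> dict:
    """Caller side: IAP expects the OIDC ID token as a bearer token."""
    return {"Authorization": f"Bearer {token}"}


def fetch_caller_token(audience: str = IAP_CLIENT_ID) -> str:
    """Caller side (service1): mint a Google-signed OIDC ID token for the runtime
    service account. Talks to the metadata server, so it only works inside App Engine."""
    import google.auth.transport.requests  # google-auth; imported lazily so the rest runs offline
    from google.oauth2 import id_token
    return id_token.fetch_id_token(google.auth.transport.requests.Request(), audience)


def verify_iap_jwt_live(iap_jwt: str) -> Mapping:
    """Callee side (service2): verify signature, expiry and audience of the IAP-signed JWT
    against IAP's published public keys. Network call; raises ValueError on failure."""
    import google.auth.transport.requests
    from google.oauth2 import id_token
    return id_token.verify_token(
        iap_jwt,
        google.auth.transport.requests.Request(),
        audience=iap_audience(PROJECT_NUMBER, PROJECT_ID),
        certs_url=IAP_CERTS_URL,
    )


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    caller: Optional[str]
    reason: str


def authenticate_request(headers: Mapping[str, str],
                         verify: Callable[[str], Mapping] = verify_iap_jwt_live) -> AuthResult:
    """Callee side: trust only what IAP asserts in x-goog-iap-jwt-assertion.

    The caller's own Authorization header is deliberately not consulted: IAP consumed it
    at the GFE, and a request that reaches the app without IAP's signed header must be
    treated as unauthenticated. The verifier is injectable so the logic runs offline."""
    iap_jwt = headers.get("x-goog-iap-jwt-assertion")
    if not iap_jwt:
        return AuthResult(False, None, "missing x-goog-iap-jwt-assertion; did the request bypass IAP?")
    try:
        claims = verify(iap_jwt)
    except ValueError as exc:
        return AuthResult(False, None, f"invalid IAP JWT: {exc}")
    # verify_token checks signature, expiry and audience; the issuer is checked here.
    if claims.get("iss") != IAP_ISSUER:
        return AuthResult(False, None, "unexpected issuer")
    caller = claims.get("email")
    if caller not in ALLOWED_CALLERS:
        return AuthResult(False, caller, "caller is authenticated but not allowlisted")
    return AuthResult(True, caller, "ok")


if __name__ == "__main__":
    # Offline demo with a constructed stand-in verifier; production uses the default.
    def stand_in_verifier(jwt: str) -> Mapping:
        if jwt != "signed-by-iap":
            raise ValueError("signature check failed")
        return {"iss": IAP_ISSUER, "email": f"{PROJECT_ID}@appspot.gserviceaccount.com"}

    print(authenticate_request({}, stand_in_verifier))
    print(authenticate_request({"x-goog-iap-jwt-assertion": "forged"}, stand_in_verifier))
    print(authenticate_request({"x-goog-iap-jwt-assertion": "signed-by-iap"}, stand_in_verifier))
```

For the IAM half the answer describes, service1's service account must hold the IAP-secured Web App User role (`roles/iap.httpsResourceAccessor`) on service2's IAP resource; otherwise the GFE rejects the call before it ever reaches the code above. `google.oauth2.id_token.verify_token` validates signature, expiry and audience but not the issuer, which is why the `iss` check is explicit, and the caller allowlist is defence in depth on top of IAP's IAM decision rather than a replacement for it.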