Over the summer, a new beta feature for App Engine was introduced: the App Engine firewall, an easy way to control access to your app. The firewall feature also became generally available about a month ago.
The firewall lets you define a set of rules, ordered by priority, each specifying an IP address or range of addresses to allow or deny.
To define those rules, three approaches are available:
- via the Google Cloud console,
- with REST requests to the App Engine Admin API,
- or through the gcloud CLI.
When using the gcloud CLI, here’s the pattern of the command for defining a new rule:
```shell
gcloud app firewall-rules create PRIORITY \
    --action ALLOW_OR_DENY \
    --source-range IP_RANGE \
    --description DESCRIPTION
```
So for example, if you want to block access from some rogue range of addresses, you could run:
```shell
gcloud app firewall-rules create 100 \
    --action=deny \
    --source-range=203.0.113.0/24 \
    --description="Prevent access from rogue network"
```
Once you've updated your firewall rules, you can also test whether a particular IP address is accepted or rejected. You can do so from within the console UI, as well as with the gcloud CLI:
```shell
gcloud app firewall-rules test-ip 203.0.113.2
```
And there are additional commands, like `list` to show the whole configuration and `delete` to remove rules by priority.
You can learn more about the App Engine firewall by reading the documentation: "Controlling Access with Firewall."