Hello Parth,

GAE flex environment is built on the Google Compute Engine and supports the VPC networking environment. GCE Firewall rules <https://cloud.google.com/vpc/docs/firewalls> can be used to determine the target or source component to allow or restrict traffic based on instance network tags <https://cloud.google.com/vpc/docs/add-remove-network-tags>. For more information, you can refer to this documentation <https://cloud.google.com/appengine/docs/flexible/python/reference/app-yaml#network_settings>. Application access control can be managed through the flex instance network tags <https://cloud.google.com/appengine/docs/flexible/python/reference/app-yaml#network_settings> in conjunction with the GCE firewall rules.

On the other hand, GAE firewall rules <https://cloud.google.com/appengine/docs/standard/python/creating-firewalls> apply to all resources of the App Engine application, including the application serving on GAE flex instances. Here is more detailed information on allowing requests from your services using GAE firewall rules <https://cloud.google.com/appengine/docs/standard/python/creating-firewalls#allowing_requests_from_your_services>.

In brief, both the GCE firewall rules based on network tags for the GAE flex instances and the GAE firewall rules would need to pass for traffic to flow to the application hosted on the GAE platform.

In addition, defining the VPC network <https://cloud.google.com/appengine/docs/flexible/python/reference/app-yaml#network_settings> for a GAE flex instance provides flexibility to communicate with the GCE instances within the same VPC network using the internal network, and enables VPN scenarios and also port forwarding. It also provides more granularity for access control using network instance tags in conjunction with the firewall rules applicable to the defined target tags. For more information, check this documentation <https://cloud.google.com/appengine/docs/flexible/python/reference/app-yaml#advanced_network_configuration>.

I hope it helps.

On Monday, June 25, 2018 at 5:25:06 PM UTC-4, Parth Mishra wrote:
>
> If you launch a GAE Flex application into a VPC subnet that has its own
> Firewall rules, how do they interact with any existing App Engine Firewall
> rules? What is the point of being able to specify a VPC for an app engine
> instance?
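
The network settings the reply points to, shown as an added example that is not part of the original thread: an `app.yaml` that places a flex service in a VPC and tags its instances, with the two kinds of firewall rule that reference it given as comments. The network, subnetwork, tag and rule names, the port and all IP ranges are constructed placeholders.

```yaml
# app.yaml for an App Engine flexible environment service (constructed example).
runtime: python
env: flex
entrypoint: gunicorn -b :$PORT main:app

network:
  name: example-vpc                 # assumed VPC network name
  subnetwork_name: example-subnet   # assumed subnetwork in the app's region
  instance_tag: gae-flex-web        # network tag applied to this service's instances
  forwarded_ports:
    - 8081/tcp                      # extra port forwarded from the instance to the container

# GCE (VPC) firewall rule that targets the flex instances through the tag above.
# Only instances carrying the tag are affected; other VMs in example-vpc are not.
#   gcloud compute firewall-rules create allow-internal-to-flex \
#     --network=example-vpc --direction=INGRESS --action=ALLOW --rules=tcp:8081 \
#     --source-ranges=10.10.0.0/24 --target-tags=gae-flex-web
#
# App Engine firewall rule. It is defined per application, not per tag, so it
# covers every service and version of the app, flex instances included.
#   gcloud app firewall-rules create 1000 --action=allow \
#     --source-range=203.0.113.0/24 --description="constructed office range"
#
# Review both rule sets when auditing exposure:
#   gcloud compute firewall-rules list --filter="network:example-vpc"
#   gcloud app firewall-rules list
```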