Hi folks, we've deployed multiple GAE Flex services in the same project that talk to each other using the URLs suggested in the documentation (https://cloud.google.com/appengine/docs/flexible/java/communicating-between-services). This works fine until we update the GAE firewall and change "The default action" from Allow to Deny. We then end up with 403 Forbidden for calls between the services. However, calls from outside GAE to the services succeed (using the same URLs).
After digging a little deeper into the documentation, we found that certain IPs need to be whitelisted "to accommodate the IP addresses that are used for service-to-service communication", so we added four more rules to the GAE firewall (0.1.0.40, 10.0.0.1, 0.1.0.30, 10.1.0.41) (https://cloud.google.com/appengine/docs/flexible/java/creating-firewalls#allowing_requests_from_your_services). Unfortunately without success. Just to make sure, we've also configured the same rules in the regular VPC firewall for the default network, which would make sense since GAE Flex utilizes GCE instances. But no success here either.

The documentation also lists certain request headers that can be added, but the only one that would have been helpful is only available in GAE Standard (X-Appengine-Inbound-Appid). So no point in setting them, AFAICT.

We don't use the default service. We don't use a dispatch.yml. We use only the default GAE service accounts to run services, no further credentials are provided. We don't use GAE standard. We're using a custom runtime with OpenJDK11 as base image.

How is the firewall supposed to be configured for inter-service communication with DENY as the default action? Are we missing something?

Thanks in advance!

David