It is not immediately apparent, after reading the documentation page you link to, how certain IPs are to be whitelisted; targeted HTTP requests, service accounts, and Cloud Pub/Sub are mentioned, as recommended solutions.
The firewall configuration page stipulates, for requests received in the flexible environment: 0.1.0.40 and 10.0.0.1. You need to create two firewall rules to allow requests: 0.1.0.40 - A rule to allow backend_flex to receive URL Fetch requests from backend_std. 10.0.0.1 - A rule to allow the service-to-service communication for the URL Fetch requests in backend_flex. -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscr...@googlegroups.com. To post to this group, send email to google-appengine@googlegroups.com. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/0ed5e71b-dfe9-4bae-aa4d-799e3767db76%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.