Hello,

Can someone chime in on the proper way to utilize network.instance_tag in 
app.yaml to make a specific app engine flex service private only to the VPC 
network and google services like cron, task queues, deployment etc?

Outline below:

1. Leave everything to allow in app engine firewall (default rule). Note we 
have multiple gae flex services only one of which we want to make private.
2. Tag network.name in service app.yaml to the VPC network
3. In VPC network firewall rules allow ingress from google service IPs 
where destination = instance_tag

In the VPC network firewall config, which IP ranges should be configured to 
allow ingress to the protected instance_tag?

Found some here:
https://cloud.google.com/appengine/docs/flexible/nodejs/creating-firewalls#allowing_requests_from_your_services

I want to allow app deployment, cloud tasks/task queue, cron jobs ingress:
10.1.0.41 app deployment service (says standard env only, what about flex?)
0.1.0.40, 10.0.0.1 URL Fetch service

Cron and task queues seem to be using an internal google protocol to mimic 
http? So don't need specific firewall rules to allow ingress?

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/3135f3c9-f8ec-4703-97db-74b775f0642f%40googlegroups.com.
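An added example (not from the original post or from Google's documentation) of how the app.yaml `network` block from the question fits together with a VPC firewall rule that targets the tag; the service name, network, subnet, tag, port and SOURCE_RANGE are placeholders/assumptions, since the post's open question is exactly which Google-service ranges belong in the rule:

```yaml
# app.yaml for the one App Engine flexible service that should only be
# reachable from inside the VPC (added example; all names are placeholders)
runtime: nodejs
env: flex
service: internal-api          # placeholder service name

network:
  # VPC network the flex instances are attached to (step 2 in the post)
  name: my-vpc                 # placeholder network name
  # Optional: pin the instances to one subnet of that network
  subnetwork_name: my-subnet   # placeholder subnet name
  # Network tag assigned to every instance of this service. On its own the
  # tag does not restrict anything; it only lets VPC firewall rules select
  # these instances via --target-tags (step 3 in the post).
  instance_tag: internal-api-flex

# Matching VPC firewall rule, run once, shown here as a comment for reference.
# The instances are only "private" if no broader allow rule on my-vpc
# (for example the default-allow-* rules of the default network) also
# matches them, so review existing rules on the network as well.
#
#   gcloud compute firewall-rules create allow-internal-api-flex \
#     --network=my-vpc \
#     --direction=INGRESS \
#     --allow=tcp:8080 \            # assumed listening port; adjust to yours
#     --source-ranges=SOURCE_RANGE \ # placeholder: the ranges still to confirm
#     --target-tags=internal-api-flex
```

The VPC rule governs traffic to the flex VMs themselves; the App Engine firewall left on its default allow rule (step 1 in the post) is a separate layer and still applies to requests arriving through the App Engine front end.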