I have two App Engine services, and I want to invoke one service from the other using only internal communication. How do I do this? Example: abcproject.service1.appspot.com invoking abcproject.service2.appspot.com
CodePudding user response:
The right question is: what do you mean by internal?
First of all, internal IPs are not possible because you don't have IPs, you have URLs. The service being serverless, it can scale up and down automatically; it is behind a load balancer (GFE - Google Front End) that authenticates and routes the request. It's the same component for all/many App Engine services, from your project or from other projects. It's also the same layer that protects Google services (YouTube, Play Store, Gmail, ...).
Thus, can you have internal URL communication? Here "internal" is blurry: internal to what?
- To your project? No, because App Engine instances don't reside in your project/VPC but in a Google-managed world that you can't manage.
- To Google Cloud? Yes, the request stays in the Google Cloud network and never reaches the public internet. The requests are always authenticated, sometimes encrypted.
The question behind it is: why do you want to use only internal IPs? For security, I guess. Therefore, you can use IAP for GFE to check the authentication AND the IAM authorization of the requester before forwarding the request to App Engine. Like that, only the authenticated and authorized traffic will be able to reach the service.
Isn't that what you want to achieve at the end of the day?
CodePudding user response:
This is Google's documentation on communicating between services. According to the documentation, the simplest thing to do is to send HTTP requests to the target service. If you want to ensure only your service (your app) can call the other service, see the documentation on Setting Up Authentication for Server to Server Production Applications.
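A worked example, added here and not taken from either answer or from Google's documentation, of the authenticated call both answers point to: service1 asks the metadata server for an OIDC ID token for its own App Engine service account and sends it as a Bearer token to service2, which sits behind IAP. The target URL, the audience value and the injectable `opener`/`token_fetcher` parameters are assumptions for illustration; in a real deployment the audience must be the target's IAP OAuth client ID and the caller's service account needs the IAP-secured Web App User role on service2.

```python
"""Service-to-service call from App Engine through IAP (added example)."""
import urllib.request
from urllib.error import HTTPError

# Metadata server reachable from inside App Engine; it mints an ID token for the
# instance's default service account. `audience` must be the IAP OAuth client ID
# of the target service, otherwise IAP rejects the token.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/instance/"
                "service-accounts/default/identity?audience={audience}&format=full")


def fetch_id_token(audience, opener=urllib.request.urlopen):
    """Fetch an OIDC ID token for `audience` from the metadata server."""
    req = urllib.request.Request(METADATA_URL.format(audience=audience),
                                 headers={"Metadata-Flavor": "Google"})
    with opener(req, timeout=5) as resp:
        return resp.read().decode()


def build_request(url, audience, token_fetcher=fetch_id_token):
    """Attach the ID token as a Bearer credential; IAP verifies it at the GFE."""
    token = token_fetcher(audience)
    return urllib.request.Request(url,
                                  headers={"Authorization": f"Bearer {token}"})


def call_service(url, audience, opener=urllib.request.urlopen,
                 token_fetcher=fetch_id_token):
    """Call the IAP-protected service; returns (status, body)."""
    req = build_request(url, audience, token_fetcher)
    try:
        with opener(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        # 401/403 here means IAP refused the caller: wrong audience, or the
        # calling service account lacks IAM authorization on the target.
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Assumed names; the audience placeholder must be replaced with the real
    # IAP client ID of service2 before this runs inside App Engine.
    print(call_service("https://service2-dot-abcproject.appspot.com/",
                       "IAP_CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com"))
```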