I have four services running within the same app on App Engine. I have a frontend SvelteKit application, and three backend services. If possible, I'd like to set up security in such a way that the backend services will only accept HTTP requests from the frontend application (which sends all API requests via its Node server).

Is there a way of doing this without spending a load of money on a Serverless VPC Access connector?

Ideally I want to keep these all within the same GCP project as well. So far the only solution I can come up with is to ship the services with a secret that they check against when receiving a request, but there must be a better way to do it.

CodePudding user response：

1. Take a look at Identity Aware Proxy

2. Pay attention to the part of the above documentation that says

In order to make a resource publicly-accessible (while sibling resources are restricted), grant the IAP-secured Web App User role to allUsers or allAuthenticatedUsers.

3. Per your use case, your front-end application will be available to the public while your 3 backend services will only be available to the front-end application

4. Since your backend services are now secured (via IAP), you have to programmatically invoke them in your front end. See documentation on how to do that.