How to design communication in App Engine

Time:02-26

I would like to achieve following setup using GCP App Engine:

  • service A - acts as an API Gateway, performs authentication & authorization
  • services B, C and D - act as backend microservices. They are not exposed to the internet. The source code of these microservices doesn't contain any logic related to authorization or authentication. They accept requests knowing that requests come from other trusted microservices.

How to achieve such setup in App Engine?

CodePudding user response:

The principle is possible, but not in the exact same terms.

Firstly, you have to activate IAP on App Engine. Then, you have to define a custom service account in your service A. Then, authorize only that service account to access services B, C and D with IAP through IAM authorization (grant the IAP-secured web user role to your service account).

Like that, only service A can access services B, C and D. The authentication mechanism is performed by the App Engine environment.


You can also imagine something closer to what you want. You can set the ingress on services B, C and D to internal only. Like that, only the requests coming from your project's VPCs are allowed. Your service is internal.

However, your service A isn't in your project's VPCs and you have to connect the Google Cloud serverless world with your VPC through a serverless VPC connector (minimum bill at $17 per month).


However, your services are still publicly exposed to the internet. It's not a problem because the unauthenticated and unauthorized (based on authentication or on network origin) traffic is filtered by GFE (Google Front End) and automatically discarded (you won't pay for the bad traffic).
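The IAP variant of the answer above, written out as gcloud commands (an added example, not part of the original answer). Project id, service names (backend-b, backend-c, backend-d) and the service account name gateway-sa are placeholders; the script only prints the commands unless DRY_RUN=0.

```shell
#!/usr/bin/env sh
# Added example. Assumed/placeholder values: PROJECT_ID, the backend service
# names and the gateway service account name. DRY_RUN=1 (default) prints
# each gcloud command instead of running it, so the plan can be reviewed.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"          # placeholder project
GATEWAY_SA_NAME="gateway-sa"                         # identity of service A
GATEWAY_SA="${GATEWAY_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
BACKENDS="backend-b backend-c backend-d"             # services B, C, D
DRY_RUN="${DRY_RUN:-1}"

# Print the command; execute it only when DRY_RUN=0.
run() {
  printf '%s ' "$@"; printf '\n'
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# 1. A dedicated identity for the gateway. Deploy service A with
#    `service_account: <GATEWAY_SA>` in its app.yaml so it runs as this SA.
create_gateway_identity() {
  run gcloud iam service-accounts create "$GATEWAY_SA_NAME" \
      --project="$PROJECT_ID" --display-name="api-gateway-service-a"
}

# 2. Enable IAP on one backend service only; the gateway itself stays
#    reachable by end users and does its own authentication.
enable_iap() {
  run gcloud iap web enable --resource-type=app-engine \
      --project="$PROJECT_ID" --service="$1"
}

# 3. Grant IAP-secured Web App User on the backend to the gateway SA only.
#    No other principal holds roles/iap.httpsResourceAccessor there, so the
#    Google Front End rejects every other caller before it reaches the code.
bind_backend() {
  run gcloud iap web add-iam-policy-binding --project="$PROJECT_ID" \
      --resource-type=app-engine --service="$1" \
      --member="serviceAccount:${GATEWAY_SA}" \
      --role=roles/iap.httpsResourceAccessor
}

main() {
  create_gateway_identity
  for b in $BACKENDS; do
    enable_iap "$b"
    bind_backend "$b"
  done
}
main
```

Service A still has to present an OIDC identity token for the backend's IAP OAuth client id in the Authorization header when it calls B, C or D; IAP does not trust the caller by origin alone.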
