分公司辦公室裡的工程師將無法存取公司的應用程式,因為根據新的規則優先順序,系統一律不會評估「允許該工程師存取」的規則。儘管有一項規則允許該名工程師的 IP 位址 198.51.100.2 進行存取,但這個 IP 位址同時符合拒絕 198.51.100.0/24 範圍中所有非工程大樓存取的規則,而且拒絕規則的優先順序較高。
如要修正這個問題,您必須針對允許 198.51.100.2 存取的規則,把優先順序設定為高於拒絕 IP 範圍 198.51.100.0/24 存取的規則。
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eApp Engine firewalls allow you to create up to 1000 prioritized rules to allow or restrict IP addresses and subnets, with the app only responding to allowed requests.\u003c/p\u003e\n"],["\u003cp\u003eFirewall rules are prioritized using an integer from 1 to 2147483646, where lower numbers indicate higher importance, and you cannot edit the priority value after a rule's creation, you must delete and recreate the rule to change the value.\u003c/p\u003e\n"],["\u003cp\u003eEach rule specifies an action (allow or deny) for matching IP ranges, with \u003ccode\u003eallow\u003c/code\u003e rules forwarding requests to the app and \u003ccode\u003edeny\u003c/code\u003e rules returning a \u003ccode\u003e403 Forbidden\u003c/code\u003e error.\u003c/p\u003e\n"],["\u003cp\u003eA default rule with the lowest priority (2147483647) is automatically included, applying to all IP addresses and is evaluated last, after all other rules, ensuring a catch-all behavior.\u003c/p\u003e\n"],["\u003cp\u003eRules are evaluated sequentially by priority, and once a matching rule is found, that rule is applied, and all subsequent rules are skipped, so if the priority of two rules are conflicting, you must adjust the rules so the proper one is evaluated first.\u003c/p\u003e\n"]]],[],null,["# Creating App Engine firewall rules\n\nIn App Engine, you can create a firewall with up to 1000 prioritized\nindividual rules that either allow or restrict a range of IP addresses and\nsubnets. Your app will only respond to requests that are allowed by the\nfirewall.\n\nTo learn how the App Engine firewall works, see\n[Understanding firewalls](/appengine/docs/legacy/standard/php/understanding-firewalls).\n\nBefore you begin\n----------------\n\nBefore you can create App Engine firewall rules for your app, you must\nhave one of the following [App Engine IAM\nroles](/appengine/docs/legacy/standard/php/access-control), which\ninclude the necessary privileges for creating or modifying firewall rules:\n\n- App Engine Admin\n- Editor\n- Owner\n\nCreating firewall rules\n-----------------------\n\nUse one of the following methods to create a firewall rule. Repeat\nthese steps for each additional rule:\nConsole\n\n\nUse the Firewall rules page in Google Cloud console to create a\nfirewall rule:\n\n1.\n Go to the Create a firewall rule page in Google Cloud console:\n\n\n [Go to the Create a firewall rule page](https://console.cloud.google.com/appengine/firewall/create)\n2.\n Specify the details of the firewall rule:\n\n 1. In **Priority** , enter an integer to specify the relative importance of the rule and define the order of when the rule is evaluated.\n\n\n Valid values are `1` to `2147483646`.\n Priority `1` is the first rule evaluated. Priority\n `2147483647` is the last rule evaluated and is\n reserved for the \\`default\\` rule.\n | **Important**: After a rule is created, you cannot edit the priority value. You must delete and then recreate a rule to change the value of a rule's priority.\n 2. In **Action on match** , specify whether to allow or deny access for requests that match the rule. Rules set to `allow` forward the request to the app. Rules set to `deny` respond to requests with a `403 Forbidden` error.\n 3. In **IP range** , define the range of IP addresses that apply to the rule. The IP address range must be defined in [CIDR notation](https://wikipedia.org/wiki/Classless_Inter-Domain_Routing), can include subnet masks, and support both IPv4 and IPv6.\n 4. Optional: In **Description**, include a description of the rule that is no longer than 100 characters.\n3. Click **Save** to create the rule.\n4. Test the rule to ensure that the priority and action provide the expected behavior:\n 1. Click **Test IP address**.\n 2. Enter the IP address that you want to validate and then click **Test** to ensure that the corresponding rule gets correctly evaluated.\ngcloud\n\n\nRun the following [`gcloud\napp firewall-rules`](/sdk/gcloud/reference/app/firewall-rules) commands to create a firewall rule:\n\n1.\n Run the following command to create a firewall rule:\n\n ```bash\n gcloud app firewall-rules create PRIORITY --action ALLOW_OR_DENY --source-range IP_RANGE --description DESCRIPTION\n ```\n where:\n - \u003cvar translate=\"no\"\u003ePRIORITY\u003c/var\u003e is an integer between `1` and `2147483646` that defines the rule's importance and order for which the rule is evaluated. Priority `1` is the first rule evaluated. Priority `2147483647` is the last rule evaluated and is reserved for the \\`default\\` rule. **Important**: After a rule is created, you cannot edit the priority value. You must delete and then recreate a rule to change the value of a rule's priority.\n - \u003cvar translate=\"no\"\u003eALLOW_OR_DENY\u003c/var\u003e specifies whether to allow or deny access for requests that match the rule. Valid values are `allow` or `deny`. Rules set to `allow` forward the request to the app. Rules set to `deny` respond to requests with a `403 Forbidden` error.\n - \u003cvar translate=\"no\"\u003eIP_RANGE\u003c/var\u003e defines the range of IP addresses that apply to the rule. The IP range must be defined in [CIDR notation](https://wikipedia.org/wiki/Classless_Inter-Domain_Routing), can include subnet masks, and support both IPv4 and IPv6.\n - \u003cvar translate=\"no\"\u003eDESCRIPTION\u003c/var\u003e is an optional description of the rule that is no longer than 100 characters.\n2. Run the following command to test your rule and ensure that the priority and action provide the expected behavior: \n\n ```bash\n gcloud app firewall-rules test-ip IP_ADDRESS\n ```\n where \u003cvar translate=\"no\"\u003eIP_ADDRESS\u003c/var\u003e is the IP address that you want to test against your firewall.\n3. Run the following command to view a list of the existing rules: \n\n ```bash\n gcloud app firewall-rules list\n ```\n4. Run the following command to delete an existing rule: \n\n ```bash\n gcloud app firewall-rules delete PRIORITY\n ```\n where \u003cvar translate=\"no\"\u003ePRIORITY\u003c/var\u003e is the priority value of the rule that you want to delete.\n\nExamples:\n:\n Use the following examples to help you create your firewall:\n\n -\n Add a rule that allows an IPv6 address and subnet mask, and then\n test that rule to ensure it gets evaluated prior to your other\n rules:\n\n ```bash\n gcloud app firewall-rules create 123 --source-range fe80::3636:3bff:fecc:8778/128 --action allow\n gcloud app firewall-rules test-ip fe80::3636:3bff:fecc:8778\n ```\n -\n Add a rule to deny an IPv4 address and subnet mask, and then\n test that rule to ensure that it gets appropriately evaluated:\n\n ```bash\n gcloud app firewall-rules create 123456 --source-range \"74.125.0.0/16\" --action deny\n gcloud app firewall-rules test-ip 74.125.0.8\n ```\n -\n Update and then test the default rule to ensure that it\n restricts all IP addresses that don't match any other rules:\n\n ```bash\n gcloud app firewall-rules update default --action deny\n gcloud app firewall-rules test-ip 123.456.7.89\n ```\n\nAPI\n\n\nTo programmatically create firewall rules for your App Engine\napp, you can use the [`apps.firewall.ingressRules`](/appengine/docs/admin-api/reference/rest/v1/apps.firewall.ingressRules) methods in the\nAdmin API.\n\n\nTo test a firewall rule and ensure that the priority and action\nprovide the expected behavior, you can use the [`apps.firewall.ingressRules.list`](/appengine/docs/admin-api/reference/rest/v1/apps.firewall.ingressRules/list) method and specify\nthe IP address that you want to test within the\n`matchingAddress` parameter.\n\nUnderstanding App Engine firewall rules\n---------------------------------------\n\nAn App Engine firewall consists of an ordered list of rules that can\nallow or deny access from the specified IP address or range to your app. The\nrule applies to all resources of the App Engine application.\n\n### Firewall rule priority\n\nThe firewall rules are ordered by importance, which you define as a numerical\nvalue in each rule's priority. You must specify a unique priority value for\neach rule as it defines the importance relative to the other rules in the\nfirewall. The values for a rule's priority scale from the most important value\nof `1` up to the least important at value `2147483647`.\n\nEach firewall includes a `default` rule that is automatically created with the\n`2147483647` priority and applies to the entire IP range of your app.\nThe `default` rule is always evaluated after all the other rules\nin the firewall and applied to all requests across all IP addresses.\n\nThe firewall evaluates the highest priority rule first.\nAll the remaining rules in the firewall are sequentially evaluated until a rule\nmatches the IP range of that request. When a matching rule is found, the\nconnection is either allowed or denied, and all the remaining rules in the\nfirewall are then skipped. If none of the manually defined rules in the firewall\nmatch the request, the `default` rule is evaluated.\n\nFor example, if you create a rule with priority `1` it is always evaluated\nfirst. If an incoming request matches the rule with priority `1`, only that\nrule is evaluated and all the other rules in the firewall are skipped, including\nthe `default` rule.\n\nThe [example firewall](#example_firewall) below shows how a rule's\npriority can change the behavior of your firewall.\n\nExample firewall\n----------------\n\nIn this example, a company has set up a firewall to grant access to the\nengineering team and internal corporate network to their in-development app. The\nfirewall rules have been created with large gaps between each priority to allow\nfor growth.\n\nAfter the firewall is created, assume that the following requests are directed\nat the sample app and note the app's response:\n\n- Request from 198.51.100.2 matches rule with priority 2000 and is allowed.\n- Request from 198.51.100.100 matches rule with priority 3000 and gets denied.\n- Request from 203.0.113.54 matches rule with priority 5000 and is allowed.\n- Request from 45.123.35.242 matches the default rule and gets denied.\n\n### Resolving conflicting rules\n\nFor example, assume that two of the priorities in the company's firewall are\nswapped. If the rules for priorities 2000 and 3000 are swapped, notice the\nunintended behavior.\n\nThe engineer in the satellite office will not be able to access the company's\napp as the rule's new priority means it will never be evaluated. The engineer's\nIP address `198.51.100.2` matches the rule that denies all non-engineers in the\nrange `198.51.100.0/24` before the rule that allows access to the engineer's\nIP address.\n\nTo fix this, you must set the priority of the rule that allows access to\n`198.51.100.2` to be higher than the rule that denies access for the IP range\n`198.51.100.0/24`.\n\nWhat's next\n-----------\n\nTo ensure that you've securely configured your app and set the appropriate\nlevels of access, review\n\n[Application Security](/appengine/docs/legacy/standard/php/application-security)\nas well as\n\n[Access Control](/appengine/docs/legacy/standard/php/access-control)."]]
