Region ID
The REGION_ID
is an abbreviated code that Google assigns
based on the region you select when you create your app. The code does not
correspond to a country or province, even though some region IDs may appear
similar to commonly used country and province codes. For apps created after
February 2020, REGION_ID.r
is included in
App Engine URLs. For existing apps created before this date, the
region ID is optional in the URL.
Learn more about region IDs.
Security is a core feature of the Google Cloud, but there are still steps you should take to protect your App Engine app and identify vulnerabilities.
Use the following features to ensure that your App Engine app is secure. To learn more about the Google Security Model and the available steps that you can take to secure your Cloud projects, see Google Cloud Platform Security.
HTTPS requests
Use HTTPS requests to access to your App Engine app securely. Depending on how your app is configured, you have the following options:
appspot.com
domains- Use the
https
URL prefix to send HTTPS request to thedefault
service of your Cloud project, for example:
https://PROJECT_ID.REGION_ID.r.appspot.com
To target specific resources in your App Engine app, use the
-dot-
syntax to separate each resource you want to target, for example:
https://VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com
To convert an HTTP URL to an HTTPS URL, replace the periods between each resource with
-dot-
, for example:
http://SERVICE_ID.PROJECT_ID.REGION_ID.r.appspot.com
https://SERVICE_ID-dot-PROJECT_ID.REGION_ID.r.appspot.com
For more information about HTTPS URLs and targeting resources, see How Requests are Routed.
- Use the
- Custom domains
To send HTTPS requests with your custom domain, you can use the managed SSL certificates that are provisioned by App Engine. For more information, see Securing Custom Domains with SSL.
- App handlers
To force HTTPS for your app's handlers, you can specify the
secure: always
element for each handler in yourapp.yaml
, for example:handlers: - url: /.* script: auto secure: always redirect_http_response_code: 301
Using
secure: always
redirects all HTTP traffic to an HTTPS URL with the same path, see theapp.yaml
configuration reference for more information.
Access control
In each Cloud project, set up access control to determine who can access the services within the project, including App Engine. You can assign different roles to different accounts to ensure each account has only the permissions it needs to support your app. For details see, Setting Up Access Control.
App Engine firewall
The App Engine firewall enables you to control access to your App Engine app through a set of rules that can either allow or deny requests from the specified ranges of IP addresses. You are not billed for traffic or bandwidth that is blocked by the firewall. Create a firewall to:
- Allow only traffic from within a specific network
- Ensure that only a certain range of IP addresses from specific networks can access your app. For example, create rules to allow only the range of IP addresses from within your company's private network during your app's testing phase. You can then create and modify your firewall rules to control the scope of access throughout your release process, allowing only certain organizations, either within your company or externally, to access your app as it makes its way to public availability.
- Allow only traffic from a specific service
- Ensure that all the traffic to your App Engine app is first proxied through a specific service. For example, if you use a third-party Web Application Firewall (WAF) to proxy requests directed at your app, you can create firewall rules to deny all requests except those that are forwarded from your WAF.
- Block abusive IP addresses
- While Google Cloud has many mechanisms in place to prevent attacks, you can use the App Engine firewall to block traffic to your app from IP addresses that present malicious intent or shield your app from denial of service attacks and similar forms of abuse. You can add IP addresses or subnetworks to a denylist, so that requests routed from those addresses and subnetworks are denied before they reach your App Engine app.
For details about creating rules and configuring your firewall, see Controlling App Access with Firewalls.
Ingress controls
By default, your App Engine app receives all HTTP requests that are sent to its appspot URL or to a custom domain that you have configured for your app.
You can use network ingress controls to restrict traffic so that your app only receives HTTP requests from specific sources:
All: Default. Your app will receive all traffic, including direct requests sent from the internet.
Internal and Cloud Load Balancing: Your app will only receive requests that are routed through Cloud Load Balancing, or that are sent from VPC networks in the same project (including Serverless VPC Access connectors or Shared VPC if you are using them). All other requests are denied with a
403
error.Internal-only: Your app will only receive requests that are sent from VPC networks in the same project. All other requests are denied with a
403
error.
View ingress settings
Console
Go to the App Engine Services page.
Locate the Ingress column. For each service, the value in this column shows the ingress setting as one of All (default), Internal + Load Balancing, or Internal.
gcloud
To view the ingress setting for a service using the gcloud CLI:
gcloud app services describe SERVICE
Replace SERVICE with the name of your service.
For example, to view the ingress settings and other information for the default service run:
gcloud app services describe default
Edit ingress settings
Console
Go to the App Engine Services page.
Select the service you wish to edit.
Click Edit ingress setting.
Select the ingress setting that you want from the menu and click Save.
gcloud
To update the ingress setting for a service using the gcloud CLI:
gcloud app services update SERVICE --ingress=INGRESS
Replace:
- SERVICE: The name of your service.
- INGRESS: The ingress control you want to apply. One of
all
,internal-only
, orinternal-and-cloud-load-balancing
.
For example:
To update the default service of an App Engine app to accept traffic only from Cloud Load Balancing and VPC networks that are in the same project:
gcloud app services update default --ingress=internal-and-cloud-load-balancing
To update a service named "internal-requests" to accept traffic only from VPC networks that are in the same project:
gcloud app services update internal-requests --ingress=internal-only
Egress settings
If you use Serverless VPC Access, you can specify the egress setting for your App Engine service.
By default, only requests to internal IP addresses and internal DNS names are
routed through a Serverless VPC Access connector. You can
specify the egress setting for your service in your app.yaml
file.
To configure the egress behavior of your App Engine service:
Add the
egress_setting
attribute to thevpc_access_connector
field of your service'sapp.yaml
file:vpc_access_connector: name: projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME egress_setting: EGRESS_SETTING
Replace:
PROJECT_ID
with your Cloud project IDREGION
with the region your connector is inCONNECTOR_NAME
with the name of your connectorEGRESS_SETTING
with one of the following:private-ranges-only
Default. Only requests to RFC 1918 and RFC 6598 IP address ranges or internal DNS names are routed to your VPC network. All other requests are routed directly to the internet.all-traffic
All outbound requests from your service are routed to your VPC network. Requests are then subject to the firewall, DNS, and routing rules of your VPC network. Note that routing all outbound requests to your VPC network increases the amount of egress handled by the Serverless VPC Access connector and can incur charges.
Deploy the service:
gcloud app deploy
Security scanner
The Google Cloud Web Security Scanner discovers vulnerabilities by crawling your App Engine app, following all that links within the scope of your starting URLs, and attempting to exercise as many user inputs and event handlers as possible.
In order to use the security scanner, you must be an owner of the Cloud project. For more information on assigning roles, see Setting Up Access Control.
You can run security scans from the Google Cloud console to identify security vulnerabilities in your App Engine app. For details about running the Security Scanner, see the Security Scanner Quickstart.