Controlling Access with Firewalls

Configure a firewall to gain identity-agnostic control over access to your App Engine app. The App Engine firewall allows you to define up to 1000 individual rules that each allow or deny a single IP address or a range of IP addresses.

To configure a firewall, you define rules that each include a priority value, the range of IP addresses to allow or deny, and an optional description.

To ensure that you've securely configured your app and set the appropriate levels of access, review Application Security as well as Access Control.

Firewall structure and rules evaluation

An App Engine firewall consists of a set of rules that are structured as an ordered list. The firewall rules are ordered by importance, which you define as a numerical value in each rule's priority. A rule can either allow or deny the range of IP addresses that you specify. The rules that you create in your firewall apply to all the resources of that App Engine application.

Each value that you specify for a rule's priority must be unique, because that value defines the rule's importance relative to the other rules in the firewall. User-defined priorities range from 1 (the most important, evaluated first) to 2147483646 (the least important, evaluated last before the default rule).

Each firewall includes a default rule that is automatically created with the priority 2147483647 and matches every IP address (shown as * in the rule list). The default rule is always evaluated after all the other rules in the firewall and applies to every request that no other rule matched. Its action is allow when the firewall is created, so an allow-list firewall is not complete until you change the default rule's action to deny, as shown in the gcloud examples below.

When there is an incoming request, the firewall evaluates rules in priority order, starting with the rule whose priority has the lowest numerical value. The remaining rules are evaluated in sequence until a rule's IP range contains the source address of the request. When a matching rule is found, the request is either allowed or denied according to that rule's action, and all the remaining rules in the firewall are skipped. If none of the manually defined rules match the request, the default rule applies.

Example

If you create a rule with priority 1, then that rule is always evaluated first. If an incoming request matches the rule with priority 1, only that rule is evaluated and all the other rules in the firewall are skipped, including the default rule.

Also see the Example firewall below to learn how a rule's priority can change the behavior of your firewall.

Before you begin

Before you create a firewall for your app, ensure that you meet the following prerequisites:

  • You must have one of the following App Engine IAM roles which include the necessary privileges for creating or modifying firewall rules:

    • App Engine Admin
    • Editor
    • Owner
  • To use the gcloud commands, download, install, and then initialize the Google Cloud SDK:

    Download and install SDK

  • Before you can programmatically create a firewall with the Admin API, see Accessing the Admin API for information about setting up your Cloud Platform project and the necessary credentials.

Creating firewall rules

Use one of the following methods to create a firewall rule. Repeat these steps for each of the rules that you want to add:

Console

Use the Firewall rules page in Cloud Platform Console to create a firewall rule:

  1. Go to the Create a firewall rule page in Cloud Platform Console:

    Go to the Create a firewall rule page

  2. Specify the details of the firewall rule:

    1. In Priority, enter an integer to specify the relative importance of the rule and define the order of when the rule is evaluated.

      Valid values are 1 to 2147483646. Priority 1 is the first rule evaluated. Priority 2147483647 is the last rule evaluated and is reserved for the default rule.

    2. In Action on match, specify whether to allow or deny access for requests that match the rule. Rules set to allow forward the request to the app. Rules set to deny respond to requests with a 403 Forbidden error.
    3. In IP range, define the addresses that the rule applies to: a single IP address or a CIDR range (for example 198.51.100.0/24). Both IPv4 and IPv6 are supported.
    4. Optional: In Description, include a description of the rule that is no longer than 100 characters.
  3. Click Save to create the rule.
  4. Test the rule to ensure that the priority and action provide the expected behavior:
    1. Click Test IP address.
    2. Enter the IP address that you want to validate and then click Submit to ensure that the corresponding rule gets correctly evaluated.
gcloud

Run the following gcloud app firewall-rules commands to create a firewall rule:

  1. Run the following command to create a firewall rule:

    gcloud app firewall-rules create PRIORITY --action ALLOW_OR_DENY --source-range IP_RANGE --description DESCRIPTION
    where:
    • PRIORITY is an integer between 1 and 2147483646 that defines the rule's importance and order for which the rule is evaluated. Priority 1 is the first rule evaluated. Priority 2147483647 is the last rule evaluated and is reserved for the default rule.
    • ALLOW_OR_DENY specifies whether to allow or deny access for requests that match the rule. Valid values are allow or deny. Rules set to allow forward the request to the app. Rules set to deny respond to requests with a 403 Forbidden error.
    • IP_RANGE defines the addresses that the rule applies to: a single IP address or a CIDR range. Both IPv4 and IPv6 are supported.
    • DESCRIPTION is an optional description of the rule that is no longer than 100 characters.
  2. Run the following command to test your rule and ensure that the priority and action provide the expected behavior:
    gcloud app firewall-rules test-ip IP_ADDRESS
    where IP_ADDRESS is the IP address that you want to test against your firewall.
  3. Run the following command to view a list of the existing rules:
    gcloud app firewall-rules list
  4. Run the following command to delete an existing rule:
    gcloud app firewall-rules delete PRIORITY
    where PRIORITY is the priority value of the rule that you want to delete.
Examples:
Use the following examples to help you create your firewall:
  • Add a rule that allows an IPv6 address and subnet mask, and then test that rule to ensure it gets evaluated prior to your other rules:

    gcloud app firewall-rules create 123 --source-range fe80::3636:3bff:fecc:8778/128 --action allow
    gcloud app firewall-rules test-ip fe80::3636:3bff:fecc:8778
  • Add a rule that denies an IPv4 /16 range, and then test it with an address inside that range to ensure that it gets appropriately evaluated:

    gcloud app firewall-rules create 123456 --source-range "74.125.0.0/16" --action deny
    gcloud app firewall-rules test-ip 74.125.0.8
  • Update the default rule so that it denies every address that no other rule matches, and then test it with an address that none of your other rules cover. Do this only after your allow rules are in place: with a deny default and no allow rules, every client, including you, receives a 403 Forbidden response.

    gcloud app firewall-rules update default --action deny
    gcloud app firewall-rules test-ip 192.0.2.89
API

To programmatically create firewall rules for your App Engine app, you can use the methods of the apps.firewall.ingressRules collection in the Admin API.

To test a firewall rule and ensure that the priority and action provide the expected behavior, you can use the apps.firewall.ingressRules.list method and specify the IP address that you want to test within the matchingAddress parameter.

Example firewall

In the following example, a sample company has set up a firewall to ensure that only the engineering team and internal corporate network have access to their in-development app. Notice that the firewall rules have been created with large gaps between each priority to allow for growth.

Priority    Action  IP range          Description
1000        Deny    192.0.2.1         Denies access to a DoS attacker.
2000        Allow   198.51.100.2      Allows access to an engineer in the satellite office.
3000        Deny    198.51.100.0/24   Denies access to all non-engineering buildings.
5000        Allow   203.0.113.0/24    Allows access to the main building's network.
2147483647  Deny    *                 Default Action

After the sample company's firewall is created, assume that the following requests are directed at the sample app and note the app's response:

  • Request from 198.51.100.2 matches rule with priority 2000 and is allowed.
  • Request from 198.51.100.100 matches rule with priority 3000 and gets denied.
  • Request from 203.0.113.54 matches rule with priority 5000 and is allowed.
  • Request from 45.123.35.242 matches the default rule and gets denied.

Conflicting priority example:

Remember that each rule's priority matters. For example, assume that two of the priorities in the sample company's firewall are swapped. If the rules at priorities 2000 and 3000 change places, the firewall behaves in an unintended way:

Priority    Action  IP range          Description
1000        Deny    192.0.2.1         Denies access to a DoS attacker.
2000        Deny    198.51.100.0/24   Denies access to all non-engineering buildings.
3000        Allow   198.51.100.2      Allows access to an engineer in the satellite office.
5000        Allow   203.0.113.0/24    Allows access to the main building's network.
2147483647  Deny    *                 Default Action

In this revised example, the engineer in the satellite office can no longer reach the sample company's app. The engineer's address 198.51.100.2 lies inside 198.51.100.0/24, so the deny rule at priority 2000 matches first and the allow rule at priority 3000 is never reached. A more specific rule only takes effect if its priority value is lower than that of every broader rule that covers the same addresses.
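As an added example (not part of the original page and not App Engine's own code), the following Python script models the rule-evaluation behaviour described under "Firewall structure and rules evaluation" and runs the sample company's two firewalls through it. The names Rule, evaluate and shadowed are chosen for this illustration; the addresses and priorities are the ones in the tables above, and the script accepts a default_action argument so you can compare the firewall before and after the default rule is switched to deny. The shadowed function finds the mistake in the swapped table mechanically: any rule whose entire range is already covered by a higher-priority rule can never match.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_PRIORITY = 2147483647  # reserved for the default rule, which matches every address


@dataclass(frozen=True)
class Rule:
    priority: int       # 1 .. 2147483646, unique within the firewall
    action: str         # "allow" or "deny"
    source: str         # a single address or a CIDR range, IPv4 or IPv6
    description: str = ""


def _network(rule: Rule):
    # A bare address such as "192.0.2.1" becomes a /32 (or /128) network.
    return ipaddress.ip_network(rule.source, strict=False)


def ordered(rules: List[Rule]) -> List[Rule]:
    """Sort by priority and reject what the firewall itself would reject."""
    seen = set()
    for rule in rules:
        if not 1 <= rule.priority < DEFAULT_PRIORITY:
            raise ValueError(f"priority {rule.priority} is outside 1..{DEFAULT_PRIORITY - 1}")
        if rule.priority in seen:
            raise ValueError(f"priority {rule.priority} is used twice")
        seen.add(rule.priority)
        if rule.action not in ("allow", "deny"):
            raise ValueError(f"action must be allow or deny, got {rule.action!r}")
    return sorted(rules, key=lambda r: r.priority)


def evaluate(rules: List[Rule], client_ip: str, default_action: str = "allow") -> Tuple[int, str]:
    """Return (matching priority, action) using App Engine firewall semantics:
    lowest priority value first, first match wins, the default rule catches the rest."""
    ip = ipaddress.ip_address(client_ip)
    for rule in ordered(rules):
        # `in` is False when the rule is IPv4 and the client is IPv6, or vice versa.
        if ip in _network(rule):
            return rule.priority, rule.action
    return DEFAULT_PRIORITY, default_action


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed priority, shadowing priority) pairs: a rule whose whole
    range is covered by a higher-priority rule can never be the first match."""
    result = []
    rules = ordered(rules)
    for i, rule in enumerate(rules):
        net = _network(rule)
        for earlier in rules[:i]:
            other = _network(earlier)
            if net.version == other.version and net.subnet_of(other):
                result.append((rule.priority, earlier.priority))
                break
    return result


# The sample company's firewall from the first table above.
SAMPLE = [
    Rule(1000, "deny", "192.0.2.1", "Denies access to a DoS attacker."),
    Rule(2000, "allow", "198.51.100.2", "Allows access to an engineer in the satellite office."),
    Rule(3000, "deny", "198.51.100.0/24", "Denies access to all non-engineering buildings."),
    Rule(5000, "allow", "203.0.113.0/24", "Allows access to the main building's network."),
]

# The same rules with the priorities of the engineer's allow and the /24 deny swapped.
SWAPPED = [
    Rule(1000, "deny", "192.0.2.1", "Denies access to a DoS attacker."),
    Rule(2000, "deny", "198.51.100.0/24", "Denies access to all non-engineering buildings."),
    Rule(3000, "allow", "198.51.100.2", "Allows access to an engineer in the satellite office."),
    Rule(5000, "allow", "203.0.113.0/24", "Allows access to the main building's network."),
]

if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE), ("swapped", SWAPPED)):
        print(name, "shadowed rules:", shadowed(rules))
        for client in ("198.51.100.2", "198.51.100.100", "203.0.113.54", "45.123.35.242", "2001:db8::1"):
            # default_action="deny" models the firewall after `update default --action deny`
            print(f"  {client:>16} -> {evaluate(rules, client, default_action='deny')}")
```

Running the script reports no shadowed rules for the first table and (3000, 2000) for the swapped one, and shows that with the default rule left at allow an unknown address such as 45.123.35.242 is still admitted. Running shadowed over a ruleset before applying it with gcloud app firewall-rules create catches the priority ordering mistake without having to test individual addresses one at a time.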
