
Introducing App Engine Firewall - artsandsci
https://cloudplatform.googleblog.com/2017/08/introducing-App-Engine-firewall-an-easy-way-to-control-access-to-your-app.html
======
kingbirdy
This seems almost perfectly in response to the HN submission on the NYT Games
migration to Google Cloud[0], who listed App Engine's lack of a firewall as
one of their complaints with the service

[0]:
[https://news.ycombinator.com/item?id=15084728](https://news.ycombinator.com/item?id=15084728)

~~~
spyspy
It's quite the coincidence but we're very excited about it :)

- NYT Games Team

------
not_that_noob
Love it! I was thinking of migrating off GAE for this reason, but now will
re-evaluate.

One feature request - can we add a URL parameter to the firewall rule? The
idea is I want to restrict access to certain URLs to a well-known set of IPs -
e.g. I don't want logins to admin pages unless coming from a known IP. Is
this possible on GAE right now?

I know I can split the service into two (restricted and public) and then
firewall the restricted service, but wondering if there's a simple way to
parametrize firewall services by URL.

~~~
tadhunt
We agree that this is an important use case, and is something we considered
during the design. It is now supported by placing a Web Application Firewall
in front of the App Engine application. We chose to limit the initial set of
firewall features to IP address range blocking only — in part because that's
sufficient to enable a WAF to front an App Engine Application.

-Tad Hunt (Manager on the App Engine team that brought you this firewall)

~~~
not_that_noob
Got it - thanks. Any plans to add this as an integrated feature so we don't
have to set up a separate WAF?

~~~
tadhunt
Feel free to reach out, my email is in my profile. We can discuss what you're
looking for.

~~~
not_that_noob
Would love to - couldn't find your email in your profile though.

To keep the UI simple, I'd like to specify a URL and specify the IP range(s)
that are allowed to access each. Bonus points if I can in addition to web UI
submit and change the map programmatically. The first allows for greater
security for admin pages and similar internal uses. The second allows us to
provision for our enterprise users dynamically, who are at well known IPs.
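
Until a path-aware rule exists, the restriction described above (an IP allowlist that applies only to admin paths) can be enforced inside the application. The following is an added example, not code from the page, from Google or from the NYT team: a generic WSGI middleware that makes no assumption about which headers App Engine sets. `trusted_hops` is a hypothetical parameter you set to the number of reverse proxies you control in front of the app; the CIDRs and addresses are constructed documentation ranges.

```python
"""Path-scoped IP allowlisting as WSGI middleware (added example)."""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# (path prefix, allowed CIDRs). Prefix matching is plain startswith, so
# "/admin" also covers "/admin/users" and "/administrator"; choose prefixes
# accordingly. Constructed sample data using documentation ranges.
RULES = [("/admin", ["203.0.113.0/24", "2001:db8::/32"])]


def compile_rules(rules: Sequence[Tuple[str, Sequence[str]]]):
    """Parse CIDR strings once so a typo fails at startup, not per request."""
    return [(prefix, [ipaddress.ip_network(c, strict=False) for c in cidrs])
            for prefix, cidrs in rules]


def resolve_client_ip(environ: Dict[str, str], trusted_hops: int = 0) -> Optional[str]:
    """Return the client address, or None if it cannot be established.

    trusted_hops is the number of reverse proxies you control. With 0,
    REMOTE_ADDR is the client and X-Forwarded-For is ignored entirely, since a
    client can send any value in it. With N > 0, each trusted proxy appends the
    peer it received the request from, so the client is the N-th entry from
    the right; everything to the left is attacker-controllable. A missing or
    too-short header fails closed (None) rather than falling back to a guess.
    """
    if trusted_hops == 0:
        return environ.get("REMOTE_ADDR") or None
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None
    return hops[-trusted_hops]


def is_allowed(path: str, client_ip: Optional[str], compiled_rules) -> bool:
    """Longest matching prefix wins; paths without a rule are open to all."""
    match = None
    for prefix, nets in compiled_rules:
        if path.startswith(prefix) and (match is None or len(prefix) > len(match[0])):
            match = (prefix, nets)
    if match is None:
        return True
    if client_ip is None:
        return False
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # garbage in the header is not an allowed address
    # ip_network.__contains__ returns False on an address-family mismatch,
    # so an IPv6 client never matches an IPv4 range by accident.
    return any(addr in net for net in match[1])


class PathIPAllowlist:
    """Wrap a WSGI app and answer 403 for restricted paths from other IPs."""

    def __init__(self, app, rules, trusted_hops: int = 0):
        self.app = app
        self.rules = compile_rules(rules)
        self.trusted_hops = trusted_hops

    def __call__(self, environ, start_response):
        ip = resolve_client_ip(environ, self.trusted_hops)
        if not is_allowed(environ.get("PATH_INFO", "/"), ip, self.rules):
            body = b"Forbidden"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Minimal protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def send(app, path: str, remote_addr: str, xff: Optional[str] = None) -> Tuple[str, bytes]:
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    if xff is not None:
        environ["HTTP_X_FORWARDED_FOR"] = xff
    captured: List[str] = []

    def start_response(status, headers, exc_info=None):
        captured.append(status)

    body = b"".join(app(environ, start_response))
    return captured[0], body


if __name__ == "__main__":
    direct = PathIPAllowlist(hello_app, RULES, trusted_hops=0)
    print(send(direct, "/admin/users", "198.51.100.7"))  # forbidden
    behind = PathIPAllowlist(hello_app, RULES, trusted_hops=1)
    print(send(behind, "/admin", "10.0.0.1", xff="203.0.113.9"))  # allowed
```

The `trusted_hops` handling is the part that matters for security: with no trusted proxy the header is ignored outright, and behind N proxies the address is taken from the right-hand end of `X-Forwarded-For`, so prepending a fake allowed address does not help an attacker. Pair this with platform-level IP blocking for the bulk of the traffic; the middleware only decides per path what the edge rule cannot.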

------
Strom
My heart skipped a beat when I read the title as App Engine Farewell. Have
been actively using App Engine since 2009 and the love it gets has been on a
long downslide. Happy to see this feature come out though, the previous
lightweight dos.yaml method was quite lacking.

------
shutton
You were always able to blacklist IP addresses using dos.yaml
([https://cloud.google.com/appengine/docs/standard/python/conf...](https://cloud.google.com/appengine/docs/standard/python/config/dosref)).
This seems to be taking that one step further.

------
wcarron
I think this is a good product offering, and it's nice to see them compete
with AWS on another front, as well as DigitalOcean's offering.

However, I wonder if these abstractions are detrimental to developers
understanding the underlying technology? I'm not a supremely experienced
developer but it takes very little effort to understand, for example, ufw and
iptables on Linux distros.

Personally, though I'm (mostly) front end, I spend the majority of my time on
the command line. My main editor is vim, I write bash scripts to do what I
need instead of manually performing tasks, I often just use `cat` to write
files instead of opening my editor, etc.

I found that managing things from the command line such as firewalls, daemons,
and other tasks like managing databases, gave me deeper comprehension of
what's going on. Are abstractions like this becoming crutches for tomorrow's
developers?

~~~
gramakri
While they look the same, the technologies serve different purposes.

iptables/ufw block requests at the VM level. So traffic flows all the way to
your VM and then your VM spends CPU cycles rejecting those packets.

In contrast, these firewall technologies can block traffic at the network edge
of the cloud provider. This is done by propagating rules to the edge routers.

~~~
wcarron
Ahh, that changes my perspective on this. That suddenly seems vastly more
useful than it did, to me.

------
jamesmp98
Cool, now give me PHP 7.1

~~~
brightsize
And Python3 with the NDB library.

~~~
jamesmp98
Oh yeah that too

~~~
samblr
+ websockets

------
eVeechu7
Why do they return HTTP 403 instead of dropping the traffic or returning an
ICMP message?

------
victor106
This is a good feature. Wish App Engine provided a capability for blue-green
deployments.

~~~
stickfigure
What do you mean? App Engine supports many versions of your application
running simultaneously. You just deploy to a new version and migrate traffic
(slowly or quickly, your choice).

------
cdnsteve
Does this work with the flexible environment too?

~~~
crcsmnky
Yep
[https://cloud.google.com/appengine/docs/flexible/python/appl...](https://cloud.google.com/appengine/docs/flexible/python/application-security#app_engine_firewall)

------
magsafe
Does AWS offer something similar?

~~~
jedberg
They have offered a more featureful product for a while:
[https://aws.amazon.com/waf/](https://aws.amazon.com/waf/)

That being said, the simplicity of this product is elegant and solves a lot of
use cases without a lot of headache.

------
godzillabrennus
This is a great first step. Reminds me of when Microsoft started shipping
Windows with a firewall with XP.

------
vira28
haha! It couldn't have come at a better time. Yesterday we had a huge
discussion around that on HN!!

