2

I am building a simple POST handler on GAE in Python that will accept a POST and write it to a Cloud SQL database.

I would like to limit access to this app to a limited number of IPs - non-GAE webservers where the POST originates. Essentially, how to allow POSTs from my IPs and disallow all other traffic?

Seems like a simple and common operation, but I haven't found a solution online that seems to fit. Most GAE authentication and routing packages are built around user auth.

Where should I look for a solution here? What Google keywords should I be using? Is this going to be written into the app itself or should I be focused on another component of GCP for IP access and routing?

Thanks!

8
  • How big is this range of IPs? Is it something you can store and perform a simple check for at the time of connection? Commented Nov 24, 2015 at 15:26
  • Very small. At first it will only be one or two. And yes, store and check is what I envisioned. Commented Nov 24, 2015 at 15:29
  • In that case, since it's only a few IPs, maybe a firewall rule is a better option here? Commented Nov 24, 2015 at 15:53
  • Are firewall rules available with App Engine, or is this a Compute Engine feature? cloud.google.com/docs/permissions-overview?hl=en#h.6ve8js2j7vwq Commented Nov 24, 2015 at 16:05
  • 4
    you can check remote_addr in the request, try self.request.remote_addr stackoverflow.com/questions/4231077/… and just check if it's in your allowed list before proceeding with the POST. Commented Nov 24, 2015 at 16:21

1 Answer

1

All credit to Paul Collingwood for alerting me to the existence of request.remote_addr.

Here is my solution as of now:

```python
import webapp2

ALLOWED_IP = ['173.47.xx.xx1', '173.47.xx.xx2']


class PostHandler(webapp2.RequestHandler):
    def post(self):
        # Read the IP of the incoming request
        ip = self.request.remote_addr

        # If the IP is allowed, execute our code
        if ip in ALLOWED_IP:
            # Execute some awesome code
            pass  # placeholder so the block parses
        # Otherwise, slam the door!
        else:
            self.error(403)
```

I'm not entirely sure that my self.error() usage is appropriate here, but this is working! POST requests made from the allowed IPs are accepted and executed. All others are given a 403.

I'm always eager to hear improvement suggestions.
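An added example, not part of the original answer: the same allowlist check factored into a function that parses the address instead of comparing strings, so it handles CIDR ranges, IPv6 peers and IPv4-mapped IPv6 forms, and denies anything it cannot parse. It assumes Python 3's standard `ipaddress` module; the networks and the names `ALLOWED_NETWORKS`, `normalize`, `is_allowed` and `status_for` are constructed for illustration.

```python
import ipaddress

# Constructed sample allowlist (documentation ranges, not the poster's IPs).
ALLOWED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("198.51.100.7/32", "203.0.113.0/28", "2001:db8:10::/64")
]


def normalize(remote_addr):
    """Parse the peer address string; return an address object or None."""
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except (ValueError, AttributeError):
        # Not a single valid address (None, empty, a comma-separated list...).
        return None
    # An IPv4 client seen through a dual-stack front end may arrive as
    # ::ffff:a.b.c.d; compare it as plain IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(remote_addr, networks=ALLOWED_NETWORKS):
    """Fail closed: unparseable or unlisted addresses are denied."""
    addr = normalize(remote_addr)
    if addr is None:
        return False
    return any(addr.version == net.version and addr in net for net in networks)


def status_for(remote_addr):
    """HTTP status a handler would send for this peer address."""
    return 200 if is_allowed(remote_addr) else 403


if __name__ == "__main__":
    # Constructed sample inputs covering the allow, deny and malformed cases.
    samples = ("198.51.100.7", "203.0.113.14", "203.0.113.16",
               "::ffff:198.51.100.7", "2001:db8:10::5",
               "198.51.100.7, 10.0.0.1", None)
    for sample in samples:
        print(repr(sample), status_for(sample))
```

In the handler above, the condition would become `is_allowed(self.request.remote_addr)`.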


2 Comments

This is a nice way to do what you want, indeed. Another solution would be to use Managed VMs, where you can configure firewall rules like in Compute Engine. Cheers!
How can you configure firewall rules with MVM?
