I have some firebase functions that have to connect to a REST service running on a GCE machine in GCP (under the same project of course). The firewall is blocking the connection and the only way to make it happen was to open the port to everybody.
Does anybody know how can you specify firebase functions as source in a firewall rule?
You should use the service account as the source of the firewall rule: the service account associated with your Firebase Cloud Function. Follow these steps:
Go to the Google Cloud console and select your project.
Go to the IAM section and find your service account (name = "Google Cloud Functions Service Agent", e-mail containing @gcf.***.com).
Link this service account to the firewall rule as its source.
Instead of allowing everything, I just want to open the port for a specific IP/URL. How can we do this in Google Cloud Platform?
As was already discussed in the comment section, you can use the Google Cloud firewall, which operates at Layer 3, to create a rule and allow access from particular IP addresses:
Firewall rules are defined at the network level, and only apply to the network where they are created.
If you require URL filtering at Layer 6/7, you can have a look at the Google Cloud web application firewall, Google Cloud Armor.
I have a web app with a React frontend on Firebase that connects to a Django backend running on Google App Engine.
I have this setup duplicated for a "staging" environment. The problem is that anyone can access this staging environment.
I'd like to set this up so that you need to be on our VPN to access it.
Can someone point me in the right direction to setup this VPN and move the staging environment behind it?
If you are using Firebase Hosting, I believe there's no other way to restrict access, as it does not have a firewall feature. You should use an authentication method to restrict and limit who can access your web app.
In App Engine, you can restrict access to your web server/application by using the following:
App Engine Firewall - see @JohnHanley's answer; it controls which IP addresses can connect to the app.
Identity-Aware Proxy - without using a VPN, you can limit who can access your App Engine app by using their user accounts. IAP is free, but when used with Compute Engine, the required load balancing and firewall configuration may incur additional costs.
App Engine with Load Balancer - to secure your App Engine app (Standard & Flexible) so that it receives only internal and Cloud Load Balancing traffic.
I'd like to set this up so that you need to be on our VPN to access it.
You cannot limit access to just your VPN. App Engine is in Google's network and you cannot limit access based upon a VPN.
You can use App Engine firewall rules to control which IP addresses can connect to the service. Firebase however does not have firewall rules.
If the public side of your Internet router has a static IP address, then this is simple to set up.
I recommend using authorization to limit who can access your services.
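As an added example (not part of either answer above), here is what the App Engine firewall approach looks like with the gcloud CLI, assuming the office or VPN egress address is static: one rule allows that address, and the implicit default rule is then flipped to deny. The CIDR and the rule description are constructed placeholders; GCLOUD is a hypothetical variable so the commands can be previewed with another binary before they touch a project.

```shell
#!/bin/sh
# Added example, not code from the thread: restrict an App Engine app to one
# static egress address using App Engine firewall rules.
# The address used in the usage line is a constructed placeholder from the
# 203.0.113.0/24 documentation range; replace it with the public IP of your
# own Internet router. GCLOUD is assumed to be the gcloud binary unless
# overridden (e.g. GCLOUD=echo to preview the commands).
GCLOUD="${GCLOUD:-gcloud}"

# Allow one CIDR at the given priority (lower number = evaluated first).
allow_source_range() {
  priority="$1"; cidr="$2"; description="$3"
  "$GCLOUD" app firewall-rules create "$priority" \
    --action=allow \
    --source-range="$cidr" \
    --description="$description"
}

# The implicit "default" rule (priority 2147483647) allows everything;
# switch it to deny so that only the explicit allow rules let traffic in.
deny_everything_else() {
  "$GCLOUD" app firewall-rules update default --action=deny
}

# Order matters: create the allow rule before flipping the default, so the
# app is never unreachable from the office between the two commands.
lock_staging_to_office() {
  office_cidr="$1"
  allow_source_range 1000 "$office_cidr" "office/VPN egress for staging" \
    && deny_everything_else
}

# Usage (placeholder address):
#   lock_staging_to_office 203.0.113.10/32
```

Rules are evaluated in priority order, so the allow rule at 1000 wins over the default deny; anything that is not the office address gets a 403 from App Engine itself, before the request reaches the Django backend.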
I have a bucket in Google Cloud to which I have uploaded an Angular template, i.e. http://digitaldevnet.appspot.com
Then I have a VM instance IP where I have a WordPress website, i.e. http://35.200.194.201
I found different tutorials on how to connect a domain to Google Cloud hosting, but I want to connect the appspot link, i.e. http://digitaldevnet.appspot.com, to the WordPress site, so that once we browse it, it should work, as the VM may be offline sometimes.
Any recommendation or tutorial? Please let me know.
You would need to set up a load balancer in order to direct your traffic between the GCE instance and the bucket; you can find the instructions for this over here.
Nevertheless, it would be a bit complicated, as you would need to set up the configuration and some health checks so that the GCE instance is not accessed when it's down.
Hope you find this useful.
I created a Redis instance using https://console.cloud.google.com/launcher/details/bitnami-launchpad/redis-ha
and the network interface is:
I'm trying to connect to this Redis instance from a Firebase trigger.
The question is: what firewall rule do I need to connect from a cloud function to a compute instance?
Please provide as many details as possible, e.g. IP ranges, ingress/egress, etc, and whether I have to connect the Redis client to the instance on the internal IP, or the external IP.
This is the code:
const redis = require('redis');
let redisInstance = redis.createClient({
    /* surely the external IP needn't be used
       here as it's all GCP infra? */
    host: '10.1.2.3',   // internal IP of the Redis VM
    port: 6379
});
redisInstance.on('connect', () => {
    console.log(`connected`);
});
redisInstance.on('error', (err) => {
    console.log(`Connection error ${err}`);
});
The error in the log is
Connection error Error: Redis connection to 10.1.2.3:6379 failed - connect ETIMEDOUT 10.1.2.3:6379
I've looked at Google Cloud Function cannot connect to Redis but it's not specific enough about the options when setting up a rule.
What I've tried
I tried to set up a firewall rule with these settings:
ingress
network: default
source filter: my firebase service account
protocols/ports: all
targets: all
Just a note about the service account:
created by Firebase
has the Editor role in IAM
is known to work with BigQuery and other Firebase services from my Firebase triggers
This same firewall rule has been in effect for a few hours now, and I've also redeployed the trigger which tests Redis, but I'm still getting ETIMEDOUT.
UPDATES
2018-06-25 morning
I phoned GCP Gold support and the problem isn't obvious to the operator, so they'll open a case, investigate, and leave some notes.
2018-06-25 afternoon
Using a permissive firewall rule (source 0.0.0.0/0, destination "all targets") and connecting to the Redis instance's external IP address works (of course!). However, I mentioned many times on the phone call that I don't want the Redis instance to be open to the Internet, and asked whether there's some sort of solution involving a networking bridge/VPN so I can connect to the 10.x.x.x address from the Cloud Function.
The operator said they'll get back to me in 2 days.
2018-06-25 bit later in the afternoon
I've self-answered that it doesn't seem to be possible to connect to a Compute Engine internal IP from a cloud function.
It looks like it's NOT currently possible to connect to a Google Compute Engine internal IP from Google Cloud Functions, so all my (and my helpful Gold support operator's) efforts have been in vain.
Here's the (open) issue: https://issuetracker.google.com/issues/36859738
As it is explained in the question you referred to, when you create a new firewall rule you change the Source Filter field from IP ranges to Service Account. In the following step you won't need to specify any IPs, only the name of the service account for Cloud Functions.
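As an added example that is not from any of the answers (the first thread's console steps and the answer just above both describe the same rule), here is the equivalent VPC firewall rule in gcloud form: an ingress rule on the default network that admits only tcp/6379 and only when the sending workload runs as the Cloud Functions service account, targeted at the VM running as the Redis instance's service account. Both service-account addresses are constructed placeholders, and GCLOUD is a hypothetical variable for previewing the command. Note the caveat the asker arrived at: this rule only governs what the VM accepts; whether the function's traffic can reach the internal IP at all is a separate question, which this thread found unanswered at the time.

```shell
#!/bin/sh
# Added example, not code from the thread: a service-account-scoped VPC
# firewall rule instead of the "source 0.0.0.0/0, all targets" shortcut.
# Service-account e-mails below are constructed placeholders; GCLOUD is
# assumed to be the gcloud binary unless overridden (e.g. GCLOUD=echo).
GCLOUD="${GCLOUD:-gcloud}"

# Create the rule. A rule keyed on a source service account cannot also use
# network tags, so the target side is expressed as a service account too.
allow_redis_from_service_account() {
  rule_name="$1"; source_sa="$2"; target_sa="$3"
  "$GCLOUD" compute firewall-rules create "$rule_name" \
    --network=default \
    --direction=INGRESS \
    --action=ALLOW \
    --rules=tcp:6379 \
    --source-service-accounts="$source_sa" \
    --target-service-accounts="$target_sa"
}

# Read back what was actually created: source/target accounts and the
# allowed protocol/port list, to confirm nothing is left open to 0.0.0.0/0.
describe_rule() {
  "$GCLOUD" compute firewall-rules describe "$1" \
    --format="value(sourceServiceAccounts,targetServiceAccounts,allowed)"
}

# Usage (placeholder accounts):
#   allow_redis_from_service_account allow-redis-from-functions \
#     functions-sa@PROJECT_ID.iam.gserviceaccount.com \
#     redis-vm-sa@PROJECT_ID.iam.gserviceaccount.com
#   describe_rule allow-redis-from-functions
```

Keeping the rule to a single port and a single source identity means that even if the rule's source matching turns out not to cover the function's traffic, as the asker found, the fallback is never "open 6379 to the Internet".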
I want to execute Espresso UI tests on Firebase test cloud devices, and my staging environment is a VPN network. So, is it possible to configure a VPN on Firebase test cloud, or can we configure Cisco AnyConnect VPN on Firebase test cloud devices?
Thanks!
You could try whitelisting the Test Labs IP addresses for VPN-less access:
https://firebase.google.com/docs/test-lab/android/get-started#ip-blocks
Sorry, there's currently no way to configure the network for devices in Firebase Test Lab. They are only able to access publicly available network resources.
Always feel free to file a feature request to see if there's anything that can be done to suit your needs.