Python 2.7 has reached end of support and will be deprecated on January 31, 2026. After deprecation, you won't be able to deploy Python 2.7 applications, even if your organization previously used an organization policy to re-enable deployments of legacy runtimes. Your existing Python 2.7 applications will continue to run and receive traffic after their deprecation date. We recommend that you migrate to the latest supported version of Python.

Overview of App Security

Region ID

The REGION_ID is an abbreviated code that Google assigns based on the region you select when you create your app. The code does not correspond to a country or province, even though some region IDs may appear similar to commonly used country and province codes. For apps created after February 2020, REGION_ID.r is included in App Engine URLs. For existing apps created before this date, the region ID is optional in the URL.

Learn more about region IDs.

Security is a core feature of Google Cloud, but there are still steps you should take to protect your App Engine app and identify vulnerabilities.

Use the following features to ensure that your App Engine app is secure. To learn more about the Google Security Model and the available steps that you can take to secure your Google Cloud projects, see Google Cloud Platform Security.

HTTPS requests

Use HTTPS requests to access your App Engine app securely. Depending on how your app is configured, you have the following options:

appspot.com domains
  • Use the https URL prefix to send HTTPS requests to the default service of your Google Cloud project, for example:
    https://PROJECT_ID.REGION_ID.r.appspot.com
  • To target specific resources in your App Engine app, use the -dot- syntax to separate each resource you want to target, for example:
    https://VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com
  • To convert an HTTP URL to an HTTPS URL, replace the periods between each resource with -dot-, for example:
    http://SERVICE_ID.PROJECT_ID.REGION_ID.r.appspot.com
    https://SERVICE_ID-dot-PROJECT_ID.REGION_ID.r.appspot.com

For more information about HTTPS URLs and targeting resources, see How Requests are Routed.
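The rewrite rule above (every label in front of PROJECT_ID becomes a -dot- segment so the host stays a single label under appspot.com, which is what App Engine's wildcard certificate can serve) is easy to get wrong by hand when a URL also carries a version. The following shell function is an added example, not code from the App Engine documentation; it converts an http:// appspot.com URL into its HTTPS -dot- form and also accepts the legacy form without a REGION_ID, which the page notes is optional for older apps.

```shell
#!/bin/sh
# Added example, not from the App Engine docs: rewrite an appspot.com URL into the
# HTTPS -dot- form. Labels in front of PROJECT_ID (service, version) are joined with
# -dot- instead of "." so the host stays one label below appspot.com or
# REGION_ID.r.appspot.com. Handles both the REGION_ID.r form and the legacy form.
https_appspot_url() {
  printf '%s\n' "$1" | awk '{
    url = $0
    sub(/^https?:\/\//, "", url)                 # drop any scheme
    path = ""
    slash = index(url, "/")
    if (slash > 0) { path = substr(url, slash); url = substr(url, 1, slash - 1) }
    n = split(url, lab, ".")
    # Labels that keep their dots: PROJECT_ID.REGION_ID.r.appspot.com (5) or,
    # for apps created without a region ID, PROJECT_ID.appspot.com (3).
    keep = (n >= 5 && lab[n-2] == "r") ? 5 : 3
    if (n < keep || lab[n-1] != "appspot" || lab[n] != "com") {
      print "not an appspot.com host: " url | "cat 1>&2"
      exit 1
    }
    host = ""
    for (i = 1; i <= n - keep; i++) host = host lab[i] "-dot-"
    for (i = n - keep + 1; i <= n; i++) host = host lab[i] (i < n ? "." : "")
    print "https://" host path
  }'
}

# Usage: https_appspot_url http://SERVICE_ID.PROJECT_ID.REGION_ID.r.appspot.com/path
if [ "$#" -eq 1 ]; then https_appspot_url "$1"; fi
```

A URL that is already in -dot- form passes through unchanged, so the function is safe to apply to a mixed list of endpoints; anything that is not an appspot.com host is rejected with a non-zero exit status rather than guessed at.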

Custom domains

To send HTTPS requests with your custom domain, you can use the managed SSL certificates that are provisioned by App Engine. For more information, see Securing Custom Domains with SSL.

Access control

In each Google Cloud project, set up access control to determine who can access the services within the project, including App Engine. You can assign different roles to different accounts to ensure each account has only the permissions it needs to support your app. For details, see Setting Up Access Control.

App Engine firewall

The App Engine firewall enables you to control access to your App Engine app through a set of rules that can either allow or deny requests from the specified ranges of IP addresses. You are not billed for traffic or bandwidth that is blocked by the firewall. Create a firewall to:

Allow only traffic from within a specific network
Ensure that only a certain range of IP addresses from specific networks can access your app. For example, create rules to allow only the range of IP addresses from within your company's private network during your app's testing phase. You can then create and modify your firewall rules to control the scope of access throughout your release process, allowing only certain organizations, either within your company or externally, to access your app as it makes its way to public availability.

Allow only traffic from a specific service
Ensure that all the traffic to your App Engine app is first proxied through a specific service. For example, if you use a third-party Web Application Firewall (WAF) to proxy requests directed at your app, you can create firewall rules to deny all requests except those that are forwarded from your WAF.

Block abusive IP addresses
While Google Cloud has many mechanisms in place to prevent attacks, you can use the App Engine firewall to block traffic to your app from IP addresses that present malicious intent or shield your app from denial of service attacks and similar forms of abuse. You can add IP addresses or subnetworks to a denylist, so that requests routed from those addresses and subnetworks are denied before they reach your App Engine app.

For details about creating rules and configuring your firewall, see Controlling App Access with Firewalls.
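The "allow only traffic from a specific service" case above (deny everything except what the WAF or your own network forwards) is a two-part change: allow rules for the trusted ranges, then a deny on the firewall's default rule. The script below is an added example, not the documentation's own code; it drives the gcloud CLI's `gcloud app firewall-rules create` and `gcloud app firewall-rules update default` commands (check them against your installed gcloud version), validates every CIDR before touching anything, and creates the allow rules before flipping the default to deny so that a bad argument cannot lock the proxy out. The IP ranges in the usage line are constructed documentation ranges, not real proxy addresses.

```shell
#!/bin/sh
# Added example, not from the App Engine docs: put an App Engine app behind a
# trusted proxy (a WAF, or the company network) by allowing only its IPv4 ranges
# and switching the firewall's default rule to deny. Uses the gcloud CLI's
# "gcloud app firewall-rules" commands; set GCLOUD=echo for a dry run.
GCLOUD=${GCLOUD:-gcloud}

# valid_cidr RANGE: accept only a well-formed IPv4 CIDR (a.b.c.d/0-32).
# IPv6 ranges are not handled by this helper.
valid_cidr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 5 { exit 1 }
    {
      for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
      if ($5 !~ /^[0-9]+$/ || $5 + 0 > 32) exit 1
      exit 0
    }'
}

# allow_only_from RANGE...: one allow rule per range, then deny everything else.
# All ranges are validated first, and the allow rules exist before the default
# flips to deny, so a typo cannot leave the app unreachable or half-configured.
allow_only_from() {
  [ "$#" -gt 0 ] || { echo "allow_only_from: at least one CIDR required" >&2; return 1; }
  for range in "$@"; do
    valid_cidr "$range" || { echo "allow_only_from: bad CIDR '$range'" >&2; return 1; }
  done
  prio=1000                       # any priority below the default rule (2147483647)
  for range in "$@"; do
    $GCLOUD app firewall-rules create "$prio" --action=allow \
      --source-range="$range" --description="trusted proxy $range" || return 1
    prio=$((prio + 10))
  done
  $GCLOUD app firewall-rules update default --action=deny
}

# Usage (constructed documentation ranges): allow_only_from 203.0.113.0/24 198.51.100.0/24
if [ "$#" -gt 0 ]; then allow_only_from "$@"; fi
```

Run it once with `GCLOUD=echo` to review the exact rule set it will create; after the real run, `gcloud app firewall-rules list` shows the allow rules ahead of the default deny, and traffic that does not come through the proxy is dropped before it reaches (or is billed to) the app.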

Ingress controls

This section describes how to use ingress settings to restrict network access to your App Engine app. At a network level, by default, any resource on the internet is able to reach your App Engine app on its appspot URL or at a custom domain set up in App Engine. For example, the appspot.com URL can have the following format: SERVICE_ID.PROJECT_ID.REGION_ID.r.appspot.com.

You can change this default setting by specifying a different setting for ingress. All ingress paths, including the default appspot.com URL, are subject to your ingress setting. Ingress is set at the service level.

Available ingress settings

The following settings are available:

Setting        Description

Internal
Most restrictive. Allows requests only from resources attached to the project's VPC networks (see Accessing internal services for what counts as internal). Requests from these sources stay within the Google network, even if they access your service at the appspot.com URL. Requests from other sources, including the internet, cannot reach your service at the appspot.com URL or custom domains. There is no support for multi-tenancy, that is, multiple trust domains within the same project.

Internal and Cloud Load Balancing
Allows requests from the following resources:
  • Resources allowed by the more restrictive Internal setting
  • External Application Load Balancer
Use the Internal and Cloud Load Balancing setting to accept requests from an external Application Load Balancer but not directly from the internet. Requests to the appspot.com URL bypass the external Application Load Balancer, so this setting prevents external requests from reaching the appspot.com URL.

All
Least restrictive. Allows all requests, including requests directly from the internet to the appspot.com URL.

Accessing internal services

The following considerations apply:

  • For requests from a Shared VPC, traffic is only considered internal if the App Engine app is deployed in the Shared VPC host project. If the App Engine app is deployed in a Shared VPC service project, only traffic from networks owned by the app's own project is internal. All other traffic, including traffic from other Shared VPCs, is external.

  • When accessing internal services, call them as you would normally do by using their public URLs, either the default appspot.com URL or a custom domain set up in App Engine.

  • For requests from Compute Engine VM instances or other resources running inside a VPC network in the same project, no further setup is required.

  • For requests from other App Engine services or from Cloud Run or Cloud Run functions in the same project, connect the service or function to a VPC network and route all egress through the connector, as described in Connecting to a Shared VPC network.

  • Requests from resources within VPC networks in the same project are classified as internal even if the resource they originate from has a public IP address.

  • Requests from on-premises resources connected to the VPC network via Cloud VPN are considered internal.

View ingress settings

Console

  1. Go to the App Engine Services page.

  2. Locate the Ingress column. For each service, the value in this column shows the ingress setting as one of All (default), Internal + Load Balancing, or Internal.

gcloud

To view the ingress setting for a service using the gcloud CLI:

gcloud app services describe SERVICE

Replace SERVICE with the name of your service.

For example, to view the ingress settings and other information for the default service, run:

gcloud app services describe default

Edit ingress settings

Console

  1. Go to the App Engine Services page.

  2. Select the service you wish to edit.

  3. Click Edit ingress setting.

  4. Select the ingress setting that you want from the menu and click Save.

gcloud

To update the ingress setting for a service using the gcloud CLI:

gcloud app services update SERVICE --ingress=INGRESS

Replace:

  • SERVICE: The name of your service.
  • INGRESS: The ingress control you want to apply. One of all, internal-only, or internal-and-cloud-load-balancing.

For example:

  • To update the default service of an App Engine app to accept traffic only from Cloud Load Balancing and VPC networks that are in the same project:

    gcloud app services update default --ingress=internal-and-cloud-load-balancing

  • To update a service named "internal-requests" to accept traffic only from VPC networks that are in the same project:

    gcloud app services update internal-requests --ingress=internal-only
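Because `--ingress` is the only thing standing between a service and the open internet, it is worth wrapping the describe and update commands above in a small script that refuses unknown values and can verify a service's current setting as a deploy-pipeline gate. The script below is an added example, not the documentation's own code. Its `set_ingress` function checks the value against the three spellings the page lists before calling `gcloud app services update`; `current_ingress` reads the setting back from `gcloud app services describe`. The `networkSettings.ingressTrafficAllowed` field and the `INGRESS_TRAFFIC_ALLOWED_*` enum names it maps are assumed from the App Engine Admin API's Service resource and are not shown on this page, so confirm them against the describe output of your own service. Setting `GCLOUD=echo` gives a dry run.

```shell
#!/bin/sh
# Added example, not from the App Engine docs: set and verify a service's ingress
# setting with the gcloud CLI. The value handed to --ingress is checked against
# the three values App Engine accepts before anything changes, so a typo cannot
# leave a service on the permissive default. GCLOUD=echo gives a dry run.
GCLOUD=${GCLOUD:-gcloud}

# valid_ingress VALUE: 0 if VALUE is one of the accepted --ingress values.
valid_ingress() {
  case "$1" in
    all|internal-only|internal-and-cloud-load-balancing) return 0 ;;
    *) return 1 ;;
  esac
}

# set_ingress SERVICE VALUE: apply VALUE to SERVICE, refusing unknown values.
set_ingress() {
  valid_ingress "$2" || { echo "set_ingress: unknown ingress value '$2'" >&2; return 2; }
  $GCLOUD app services update "$1" --ingress="$2"
}

# ingress_from_enum ENUM: map the networkSettings.ingressTrafficAllowed value that
# "gcloud app services describe" reports (field and enum names assumed from the
# App Engine Admin API) back to the --ingress spelling. An unset field means the
# service was never changed from the default, All.
ingress_from_enum() {
  case "$1" in
    ""|INGRESS_TRAFFIC_ALLOWED_UNSPECIFIED|INGRESS_TRAFFIC_ALLOWED_ALL) echo all ;;
    INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY) echo internal-only ;;
    INGRESS_TRAFFIC_ALLOWED_INTERNAL_AND_LB) echo internal-and-cloud-load-balancing ;;
    *) echo unknown ;;
  esac
}

# current_ingress SERVICE: print SERVICE's ingress setting as an --ingress value.
current_ingress() {
  ingress_from_enum "$($GCLOUD app services describe "$1" \
      --format='value(networkSettings.ingressTrafficAllowed)')"
}

# require_ingress SERVICE VALUE: fail unless SERVICE already has VALUE.
# Useful as a gate before a deploy so a public service is never deployed by mistake.
require_ingress() {
  have=$(current_ingress "$1")
  if [ "$have" != "$2" ]; then
    echo "require_ingress: $1 has ingress '$have', expected '$2'" >&2
    return 1
  fi
}

# Usage: set_ingress internal-requests internal-only && require_ingress internal-requests internal-only
if [ "$#" -eq 2 ]; then set_ingress "$1" "$2"; fi
```

A service whose describe output carries no network settings at all is reported as `all`, which matches the console's "All (default)" column: an absent setting is the open one, so an audit loop over `gcloud app services list` should treat "unknown" and "all" as findings, not as safe.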

Egress settings

If you use Serverless VPC Access, you can specify the egress setting for your App Engine service.

By default, only requests to internal IP addresses and internal DNS names are routed through a Serverless VPC Access connector. You can specify the egress setting for your service in your app.yaml file.

Egress settings are not compatible with the URL Fetch service. If you have not already done so, disable the URL Fetch default and discontinue any explicit use of the urlfetch library. Requests made with the urlfetch library ignore egress settings and are not routed through a Serverless VPC Access connector.

To configure the egress behavior of your App Engine service:

  1. Add the egress_setting attribute to the vpc_access_connector field of your service's app.yaml file:

    vpc_access_connector:
      name: projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME
      egress_setting: EGRESS_SETTING

    Replace:

    • PROJECT_ID with your Google Cloud project ID
    • REGION with the region your connector is in
    • CONNECTOR_NAME with the name of your connector
    • EGRESS_SETTING with one of the following:
      • private-ranges-only Default. Only requests to RFC 1918 and RFC 6598 IP address ranges or internal DNS names are routed to your VPC network. All other requests are routed directly to the internet.
      • all-traffic All outbound requests from your service are routed to your VPC network. Requests are then subject to the firewall, DNS, and routing rules of your VPC network. Note that routing all outbound requests to your VPC network increases the amount of egress handled by the Serverless VPC Access connector and can incur charges.
  2. Deploy the service:

    gcloud app deploy
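Two things in this procedure are easy to miss at deploy time: an egress_setting that is misspelled (or set without a connector name) silently leaves outbound traffic on the default path, and any remaining urlfetch call bypasses the connector no matter what egress_setting says. The script below is an added example, not the documentation's own code; it checks a service directory's app.yaml for a connector name and a valid egress_setting, then searches the service's Python sources for urlfetch. The `make_sample_service` helper writes a constructed app.yaml and main.py (example project and connector names, not real ones) so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the App Engine docs: a pre-deploy check for a service
# directory. It confirms app.yaml names a Serverless VPC Access connector and a
# valid egress_setting, and flags any urlfetch use in the Python sources, because
# urlfetch requests ignore egress_setting and never reach the connector.
# Exit codes: 0 ok, 1 bad configuration, 2 no app.yaml, 3 urlfetch still in use.
check_egress_config() {
  dir=$1
  yaml="$dir/app.yaml"
  [ -f "$yaml" ] || { echo "check_egress_config: no app.yaml in $dir" >&2; return 2; }

  egress=$(sed -n 's/^[[:space:]]*egress_setting:[[:space:]]*//p' "$yaml" | head -n 1)
  case "$egress" in
    private-ranges-only|all-traffic) ;;
    "") egress=private-ranges-only ;;          # attribute absent: App Engine default
    *)  echo "check_egress_config: invalid egress_setting '$egress'" >&2; return 1 ;;
  esac

  # egress_setting only takes effect under a vpc_access_connector with a name.
  if ! grep -q '^[[:space:]]*name:[[:space:]]*projects/.*/locations/.*/connectors/' "$yaml"; then
    echo "check_egress_config: vpc_access_connector.name missing in $yaml" >&2
    return 1
  fi

  # Any urlfetch reference in the service's own Python files bypasses the connector.
  if find "$dir" -name '*.py' -exec grep -l 'urlfetch' {} + 2>/dev/null | grep -q .; then
    echo "check_egress_config: urlfetch is used; those requests ignore egress_setting=$egress" >&2
    return 3
  fi

  echo "egress_setting=$egress"
}

# make_sample_service DIR EGRESS_SETTING yes|no: write a constructed app.yaml (and a
# main.py that does or does not import urlfetch) so the check can be tried offline.
# The project and connector names are placeholders, not real resources.
make_sample_service() {
  mkdir -p "$1"
  cat > "$1/app.yaml" <<EOF
runtime: python27
api_version: 1
threadsafe: true
vpc_access_connector:
  name: projects/example-project/locations/us-central1/connectors/example-connector
  egress_setting: $2
EOF
  if [ "$3" = yes ]; then
    printf 'from google.appengine.api import urlfetch\n' > "$1/main.py"
  else
    printf 'import webapp2\n' > "$1/main.py"
  fi
}

# Usage: check_egress_config ./my-service && gcloud app deploy ./my-service/app.yaml
if [ "$#" -eq 1 ]; then check_egress_config "$1"; fi
```

Wiring the check in front of `gcloud app deploy` (as in the usage line) turns the page's "discontinue any explicit use of the urlfetch library" advice into something the pipeline enforces rather than something reviewers have to remember.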

Security scanner

The Google Cloud Web Security Scanner discovers vulnerabilities by crawling your App Engine app, following all the links within the scope of your starting URLs, and attempting to exercise as many user inputs and event handlers as possible.

In order to use the security scanner, you must be an owner of the Google Cloud project. For more information on assigning roles, see Setting Up Access Control.

You can run security scans from the Google Cloud console to identify security vulnerabilities in your App Engine app. For details about running the Security Scanner, see Using Web Security Scanner.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.