Creating App Engine firewall rules
In App Engine, you can create a firewall with up to 1000 prioritized individual rules that either allow or restrict a range of IP addresses and subnets. Your app will only respond to requests that are allowed by the firewall.
To learn how the App Engine firewall works, see Understanding firewalls.
Before you begin
Before you can create App Engine firewall rules for your app, you must have one of the following App Engine IAM roles, which include the necessary privileges for creating or modifying firewall rules:
- App Engine Admin
- Editor
- Owner
Creating firewall rules
Use one of the following methods to create a firewall rule. Repeat these steps for each additional rule:

Use the Firewall rules page in Google Cloud console to create a firewall rule:

- Go to the Create a firewall rule page in Google Cloud console.
- Specify the details of the firewall rule:
  - In Priority, enter an integer to specify the relative importance of the rule and define the order in which the rule is evaluated. Valid values are 1 to 2147483646. Priority 1 is the first rule evaluated. Priority 2147483647 is the last rule evaluated and is reserved for the `default` rule.
    Important: After a rule is created, you cannot edit the priority value. You must delete and then recreate a rule to change the value of a rule's priority.
  - In Action on match, specify whether to allow or deny access for requests that match the rule. Rules set to allow forward the request to the app. Rules set to deny respond to requests with a 403 Forbidden error.
  - In IP range, define the range of IP addresses that apply to the rule. The IP address range must be defined in CIDR notation, can include subnet masks, and supports both IPv4 and IPv6.
  - Optional: In Description, include a description of the rule that is no longer than 100 characters.
- Click Save to create the rule.
- Test the rule to ensure that the priority and action provide the expected behavior:
  - Click Test IP address.
  - Enter the IP address that you want to validate and then click Test to ensure that the corresponding rule gets correctly evaluated.
Run the following `gcloud app firewall-rules` commands to create a firewall rule:

- Run the following command to create a firewall rule:

  ```shell
  gcloud app firewall-rules create PRIORITY --action ALLOW_OR_DENY --source-range IP_RANGE --description DESCRIPTION
  ```

  where:
  - PRIORITY is an integer between 1 and 2147483646 that defines the rule's importance and the order in which the rule is evaluated. Priority 1 is the first rule evaluated. Priority 2147483647 is the last rule evaluated and is reserved for the `default` rule. Important: After a rule is created, you cannot edit the priority value. You must delete and then recreate a rule to change the value of a rule's priority.
  - ALLOW_OR_DENY specifies whether to allow or deny access for requests that match the rule. Valid values are allow or deny. Rules set to allow forward the request to the app. Rules set to deny respond to requests with a 403 Forbidden error.
  - IP_RANGE defines the range of IP addresses that apply to the rule. The IP range must be defined in CIDR notation, can include subnet masks, and supports both IPv4 and IPv6.
  - DESCRIPTION is an optional description of the rule that is no longer than 100 characters.
- Run the following command to test your rule and ensure that the priority and action provide the expected behavior:

  ```shell
  gcloud app firewall-rules test-ip IP_ADDRESS
  ```

  where IP_ADDRESS is the IP address that you want to test against your firewall.
- Run the following command to view a list of the existing rules:

  ```shell
  gcloud app firewall-rules list
  ```

- Run the following command to delete an existing rule:

  ```shell
  gcloud app firewall-rules delete PRIORITY
  ```

  where PRIORITY is the priority value of the rule that you want to delete.
Examples

Use the following examples to help you create your firewall:

Add a rule that allows an IPv6 address and subnet mask, and then test that rule to ensure it gets evaluated prior to your other rules:

```shell
gcloud app firewall-rules create 123 --source-range fe80::3636:3bff:fecc:8778/128 --action allow
gcloud app firewall-rules test-ip fe80::3636:3bff:fecc:8778
```

Add a rule to deny an IPv4 address and subnet mask, and then test that rule to ensure that it gets appropriately evaluated:

```shell
gcloud app firewall-rules create 123456 --source-range "74.125.0.0/16" --action deny
gcloud app firewall-rules test-ip 74.125.0.8
```

Update and then test the default rule to ensure that it restricts all IP addresses that don't match any other rules (the test address below is a placeholder from the RFC 5737 documentation range):

```shell
gcloud app firewall-rules update default --action deny
gcloud app firewall-rules test-ip 192.0.2.99
```
To programmatically create firewall rules for your App Engine app, you can use the apps.firewall.ingressRules methods in the Admin API.
To test a firewall rule and ensure that the priority and action provide the expected behavior, you can use the apps.firewall.ingressRules.list method and specify the IP address that you want to test within the matchingAddress parameter.
Understanding App Engine firewall rules
An App Engine firewall consists of an ordered list of rules that can allow or deny access from the specified IP address or range to your app. The rule applies to all resources of the App Engine application.
Firewall rule priority
The firewall rules are ordered by importance, which you define as a numerical value in each rule's priority. You must specify a unique priority value for each rule as it defines the importance relative to the other rules in the firewall. The values for a rule's priority scale from the most important value of 1 up to the least important at value 2147483647.
Each firewall includes a default rule that is automatically created with the 2147483647 priority and applies to the entire IP range of your app. The default rule is always evaluated after all the other rules in the firewall and applied to all requests across all IP addresses.
The firewall evaluates the highest priority rule first. All the remaining rules in the firewall are sequentially evaluated until a rule matches the IP range of that request. When a matching rule is found, the connection is either allowed or denied, and all the remaining rules in the firewall are then skipped. If none of the manually defined rules in the firewall match the request, the default rule is evaluated.
For example, if you create a rule with priority 1 it is always evaluated first. If an incoming request matches the rule with priority 1, only that rule is evaluated and all the other rules in the firewall are skipped, including the default rule.
The example firewall below shows how a rule's priority can change the behavior of your firewall.
Example firewall
In this example, a company has set up a firewall to grant access to the engineering team and internal corporate network to their in-development app. The firewall rules have been created with large gaps between each priority to allow for growth.
| Priority | Action | IP range | Description |
|---|---|---|---|
| 1000 | Deny | 192.0.2.1 | Denies access to a DoS attacker. |
| 2000 | Allow | 198.51.100.2 | Allows access to an engineer in the satellite office. |
| 3000 | Deny | 198.51.100.0/24 | Denies access to all non-engineering buildings. |
| 5000 | Allow | 203.0.113.0/24 | Allows access to the main building's network. |
| 2147483647 | Deny | * | Default Action |
After the firewall is created, assume that the following requests are directed at the sample app and note the app's response:
- Request from 198.51.100.2 matches rule with priority 2000 and is allowed.
- Request from 198.51.100.100 matches rule with priority 3000 and gets denied.
- Request from 203.0.113.54 matches rule with priority 5000 and is allowed.
- Request from 45.123.35.242 matches the default rule and gets denied.
Resolving conflicting rules
For example, assume that two of the priorities in the company's firewall are swapped. If the rules for priorities 2000 and 3000 are swapped, notice the unintended behavior.
| Priority | Action | IP range | Description |
|---|---|---|---|
| 1000 | Deny | 192.0.2.1 | Denies access to a DoS attacker. |
| 2000 | Deny | 198.51.100.0/24 | Denies access to all non-engineering buildings. |
| 3000 | Allow | 198.51.100.2 | Allows access to an engineer in the satellite office. |
| 5000 | Allow | 203.0.113.0/24 | Allows access to the main building's network. |
| 2147483647 | Deny | * | Default Action |
The engineer in the satellite office will not be able to access the company's app, because the rule's new priority means it will never be evaluated. The engineer's IP address 198.51.100.2 matches the rule that denies all non-engineers in the range 198.51.100.0/24 before the rule that allows access to the engineer's IP address.
To fix this, you must set the priority of the rule that allows access to 198.51.100.2 to be higher (a lower priority value) than the rule that denies access for the IP range 198.51.100.0/24.
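The first-match evaluation and the swapped-priority conflict described above, as an added example that is not part of the original page: a small Python model of the page's example firewall, plus a `shadowed_rules` check (an assumed helper, not an App Engine feature) that reports rules whose whole range is already covered by an earlier rule with the opposite action, which is exactly the mistake the swapped table shows.

```python
import ipaddress

DEFAULT_PRIORITY = 2147483647  # reserved for the default rule

# Constructed from the page's example firewall: (priority, action, ip_range, description); "*" is the catch-all.
WORKING = [
    (1000, "deny", "192.0.2.1", "Denies access to a DoS attacker."),
    (2000, "allow", "198.51.100.2", "Allows access to an engineer in the satellite office."),
    (3000, "deny", "198.51.100.0/24", "Denies access to all non-engineering buildings."),
    (5000, "allow", "203.0.113.0/24", "Allows access to the main building's network."),
    (DEFAULT_PRIORITY, "deny", "*", "Default Action"),
]
# The same rules with priorities 2000 and 3000 swapped, as in the conflict example.
SWAPPED = [({2000: 3000, 3000: 2000}.get(p, p), a, r, d) for p, a, r, d in WORKING]

def parse_rules(rules):
    """Sort rules so the lowest priority number is evaluated first, as App Engine does."""
    parsed = []
    for prio, action, rng, desc in rules:
        net = None if rng == "*" else ipaddress.ip_network(rng, strict=False)
        parsed.append((prio, action.lower(), net, desc))
    return sorted(parsed, key=lambda r: r[0])

def evaluate(rules, source_ip):
    """Return (action, priority) of the first rule whose range contains source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for prio, action, net, _ in parse_rules(rules):
        if net is None or (net.version == ip.version and ip in net):
            return action, prio
    raise ValueError("rule set has no default rule")

def shadowed_rules(rules):
    """Return (shadowed_priority, shadowing_priority) pairs: a rule fully covered by an
    earlier rule with the opposite action can never take effect (assumed lint, not an API)."""
    parsed = parse_rules(rules)
    found = []
    for i, (prio, action, net, _) in enumerate(parsed):
        if net is None:
            continue
        for earlier_prio, earlier_action, earlier_net, _ in parsed[:i]:
            if (earlier_net is not None and earlier_net.version == net.version
                    and net.subnet_of(earlier_net) and earlier_action != action):
                found.append((prio, earlier_prio))
                break
    return found

if __name__ == "__main__":
    for ip in ("198.51.100.2", "198.51.100.100", "203.0.113.54", "45.123.35.242"):
        print(ip, "->", evaluate(WORKING, ip), "| after swap:", evaluate(SWAPPED, ip))
    print("shadowed after swap:", shadowed_rules(SWAPPED))
```

Running the check before applying a rule change catches the conflict the page describes without waiting for the engineer's 403.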
What's next
To ensure that you've securely configured your app and set the appropriate levels of access, review Application Security as well as Access Control.
Last updated 2025-12-15 UTC.