New features to better secure your Google App Engine apps

Since its launch in 2008, Google App Engine has anchored on ease-of-use for app developers, allowing them to focus on writing code without having to manage underlying infrastructure. Over the years, we have added a variety of features to help you better secure your apps, including ingress controls, App Engine Firewalls, and support for Identity-Aware Proxy. Now we’re announcing a couple of new features to further extend the security already provided by the platform:

1. Egress Controls for Serverless VPC Access

2. User-managed service accounts

Egress Controls

As a fully managed platform, App Engine provides a pool of IP addresses for outbound traffic from apps. While this is ideal for many customers, because they do not have to manage networking details, some customers need more control over their outbound requests. 

The new egress control feature in App Engine leverages the Google Cloud VPC service, specifically its Serverless VPC Access feature. Serverless VPC Access allows users to configure a connector to route requests from their App Engine apps to their VPC network. Egress controls give customers more control over what traffic will use the VPC Connector.

Users have a pair of options to choose from: in the default case of "private ranges only," all http requests to private IPs in the VPC network are sent to VPC Connector and onward to the VPC network, while all http requests to public IPs are sent directly to the internet. The other option, "All traffic", routes all outbound HTTP requests through the VPC Connector into the VPC network. From there, these requests will be subject to the VPC firewall rules and any other VPC settings.

A key use-case that is enabled by egress controls is creating a static outbound IP address for App Engine http requests. Several App Engine customers deliver SaaS services that must connect to their end-customer networks. Most of these end-customers would prefer to open their firewalls just to traffic from a specific origin IP. With egress controls (set to “All traffic”), customers can use Serverless VPC Access, along with Cloud NAT, to configure a stable static IP address.

User-managed service accounts

Currently App Engine (both Standard and Flexible) has a default service account that is used to interact with other GCP services on behalf of the App Engine app. The App Engine default service account is set up during the initial App Engine app creation process, and customers can manage the permissions granted to the service account. However, until now, this default service account has been used by all services of the app, meaning all services share a common permission set, regardless of what permissions a specific service actually needs.

The new user-managed service accounts feature we've introduced allows customers to specify different service accounts for each version in their app (at deployment time, or via App Engine Admin API). One of the key benefits is that rather than using a single shared service account granted the permissions required by all services in the app, you can follow the “least privileges” best practice: restricting each service to only the permissions necessary to perform its tasks. Using a version-specific service account is completely optional. If no service account is specified, the App Engine default service account is used.

Next steps

To learn more about our new egress controls, take a look at the documentation. Also check out this page which shows you how to configure Serverless VPC access if you're new to that. Similarly, information about customizing your own service accounts can be found in our documentation.