What is the best way to secure the connection between Google App Engine and Apigee Edge?

Not applicable

Hi all,

We are developing an application that is written in Python and is hosted on App Engine.

We want to use Apigee Edge in front of App Engine for all of the desired benefits.

We currently have a TEAM instance on Edge, which comes with some restrictions.

What is the best way to secure this connection? Mutual TLS?

From what I understand, App Engine now supports and manages the TLS certificates for your endpoints on App Engine - https://cloudplatform.googleblog.com/2017/09/introducing-managed-SSL-for-Google-App-Engine.html

I also know there documentation around how to connect Apigee to your services with TLS - https://docs.apigee.com/api-services/content/configuring-ssl-edge-backend-service

Is there anything specifically for GCP (some kind of deeper integration), or is it the same process as connecting to any other service endpoint?

Cheers in advance.

David

Solved Solved
0 5 2,161
1 ACCEPTED SOLUTION

Same process - nothing special for GAE endpoints at this time.

Mutual TLS is a best practice when you have control over both endpoints, and in this case you do have that control.

mTLS is more difficult when there are arbitrary clients connecting to a service - in that case you don't have control over the clients. But you have control over the Apigee proxy (client in this case) and the GAE endpoint. So, yes, use mTLS .

View solution in original post

5 REPLIES 5

Same process - nothing special for GAE endpoints at this time.

Mutual TLS is a best practice when you have control over both endpoints, and in this case you do have that control.

mTLS is more difficult when there are arbitrary clients connecting to a service - in that case you don't have control over the clients. But you have control over the Apigee proxy (client in this case) and the GAE endpoint. So, yes, use mTLS .

Not applicable

Another option that requires no exchange of certificates is to leverage Service Accounts. GAE Flex environment supports it.

Diego, Can you explain? How does it work? How does an Apigee Edge proxy connect to a GAE endpoint .... securely... without exchanging certs? (I suppose without mTLS?)

Sure. This document explains the process of enabling and Authenticating GAE Using a Service Account:

https://cloud.google.com/endpoints/docs/openapi/service-account-authentication

So, from Edge API Proxies, all you need is to use the key file that includes the private key to generate JWT tokens. Then, all calls to your GAE App will require this token.

There are plenty of SDKs for most popular languages to generate JWT tokens. In the past I've done it with Node.js.

Hope it helps!

ylesyuk
Participant V

Can you really use mTLS with GAE?! Such a possibility does not seem to exist. At least I cannot find it. Any pointers?