Hi all,
We are developing an application that is written in Python and is hosted on App Engine.
We want to use Apigee Edge in front of App Engine for all of the desired benefits.
We currently have a TEAM instance on Edge, which comes with some restrictions.
What is the best way to secure this connection? Mutual TLS?
From what I understand, App Engine now supports and manages the TLS certificates for your endpoints on App Engine - https://cloudplatform.googleblog.com/2017/09/introducing-managed-SSL-for-Google-App-Engine.html
I also know there is documentation around how to connect Apigee to your services with TLS - https://docs.apigee.com/api-services/content/configuring-ssl-edge-backend-service
Is there anything specifically for GCP (some kind of deeper integration), or is it the same process as connecting to any other service endpoint?
Cheers in advance.
David
Same process - nothing special for GAE endpoints at this time.
Mutual TLS is a best practice when you have control over both endpoints, and in this case you do have that control.
mTLS is more difficult when there are arbitrary clients connecting to a service - in that case you don't have control over the clients. But you have control over the Apigee proxy (client in this case) and the GAE endpoint. So, yes, use mTLS.
Another option that requires no exchange of certificates is to leverage Service Accounts. GAE Flex environment supports it.
Diego, Can you explain? How does it work? How does an Apigee Edge proxy connect to a GAE endpoint .... securely... without exchanging certs? (I suppose without mTLS?)
Sure. This document explains the process of enabling and authenticating GAE using a Service Account:
https://cloud.google.com/endpoints/docs/openapi/service-account-authentication
So, from Edge API Proxies, all you need is to use the key file that includes the private key to generate JWT tokens. Then, all calls to your GAE App will require this token.
There are plenty of SDKs for most popular languages to generate JWT tokens. In the past I've done it with Node.js.
Hope it helps!
Can you really use mTLS with GAE?! Such a possibility does not seem to exist. At least I cannot find it. Any pointers?