Google's App Engine team recently announced a beta version of its new Google App Engine firewall. The software-based firewall enables developers and administrators to protect their apps based on source IP addresses. Once integrated, app owners can block access from specific geographies and malicious users. The App Engine firewall was designed to supplement the security features already baked into the Google Cloud Platform.
To use the firewall, developers define rules and assign each one a priority. A rule covers a single IP address or a set of IP addresses and carries an allow or deny action. Once the rules are in place, Google handles the prioritization and applies the corresponding allow or deny settings. Blocked users receive an HTTP 403 Forbidden response, and their requests never reach the app. Denied requests don't add to an app's load or cost anything.
Developers can manage their firewall rules in the Google Cloud Console, through the App Engine Admin API, or with the gcloud command-line tool. Within the console, the default rule allows all traffic to the app in question. To start blocking traffic by IP address, create a rule that allows traffic from a specific range of IP addresses and then change the default rule to deny all traffic. The firewall evaluates rules with lower priority values first, then those with higher values.
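The evaluation order described above can be modelled offline to check a rule set before applying it. This is an added example, not Google's code: the `Rule` class, the function names and the sample rules (documentation IP ranges) are constructed here, and it assumes the first matching rule decides the request.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int      # lower value = evaluated earlier
    action: str        # "allow" or "deny" (deny means HTTP 403 for the client)
    source_range: str  # a single IP address or a CIDR block

# Constructed sample rule set; the default rule is modelled as a separate action.
RULES = [
    Rule(100, "deny", "203.0.113.7"),        # one unwanted host inside the allowed range
    Rule(200, "allow", "203.0.113.0/24"),    # the range that may reach the app
    Rule(300, "deny", "203.0.113.128/25"),   # mistake: fully covered by rule 200
]

def _net(rule):
    return ipaddress.ip_network(rule.source_range, strict=False)

def evaluate(rules, default_action, client_ip):
    """Return (action, matching priority); priority is None when the default rule applied."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        net = _net(rule)
        if ip.version == net.version and ip in net:
            return rule.action, rule.priority   # assumption: first match wins
    return default_action, None

def shadowed(rules):
    """Return (rule, covering rule) priority pairs for rules that can never match."""
    ordered = sorted(rules, key=lambda r: r.priority)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            a, b = _net(later), _net(earlier)
            if a.version == b.version and a.subnet_of(b):
                found.append((later.priority, earlier.priority))
                break
    return found

if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.50", "203.0.113.200", "198.51.100.9"):
        print(ip, evaluate(RULES, "deny", ip))
    print("shadowed:", shadowed(RULES))
```

The deny rule at priority 300 never takes effect because the broader allow rule at priority 200 is evaluated first, which is the kind of ordering mistake worth catching before the default rule is switched to deny.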
To help developers get familiar with the firewall, Google created a Test IP function within the Cloud Console. The Test IP function allows developers to test their firewall rules. The firewall is currently in beta, and Google does not recommend using it in production environments. However, Google does encourage developers to join the conversation about the new offering in the Google App Engine forum and Slack channel.