Google App Engine Firewall: Restrict access to all services but the default one

Question

I have a GAE project (flexible) consisting of 1 default and 2 subservices:

• foo.appspot.com
• service1.foo.appspot.com

Answer 1

App engine Flex environment is built on the Google Compute Engine and consequently, it supports the Virtual Private Cloud networking system. With the VPC networks, you can configure firewall rules that would use Instance Tags to determine the target or source component in a firewall rule. Hence, you simply have to configure the app.yaml files of the target service/version to use the appropriate instance tags.