Python 2.7 has reached end of support
and will be deprecated
on January 31, 2026. After deprecation, you won't be able to deploy Python 2.7
applications, even if your organization previously used an organization policy to
re-enable deployments of legacy runtimes. Your existing Python
2.7 applications will continue to run and receive traffic after their
deprecation date. We recommend that
you migrate to the latest supported version of Python.
Stay organized with collections
Save and categorize content based on your preferences.
A firewall determines which network traffic is allowed to pass and which
traffic is rejected. Firewalls can apply to incoming traffic (ingress), outgoing
traffic (egress), or both. For App Engine, the App Engine firewall only
applies to incoming traffic routed to your app or service.
Overview
The App Engine firewall is checked for all types of
requests to your app, including:
Regular web traffic routed to the app's appspot.com address or custom domain.
Traffic from internal sources such as Compute Engine virtual machines (VMs) and Cloud Tasks.
In cases where your app is configured to use other networking services or
products, you might need to create rules for controlling incoming traffic in
both the App Engine firewall and the firewall or security settings of other
products. This guide covers the general behavior of the App Engine firewall,
and details about those special use cases.
App Engine firewall rules
You can configure App Engine firewall rules
using the Google Cloud console, the Google Cloud CLI, or the Admin
API by specifying rules that allow or block specified IP ranges.
By default, any request that does not match a rule is allowed access to your
app. If you need to block all requests that do not match a specific rule
(excluding requests from internal services allowed by default), change the
default rule's action to deny.
Firewall feature
In the App Engine standard environment, the App Engine firewall can allow certain internal
traffic to bypass the firewall. This means that if you set the default rule to
deny, requests from certain services destined for the App Engine standard environment do not
get blocked. These are all types of traffic requested in the app's own
configuration, or sent from the same app. Requests that bypass firewall rules in
this way include:
For apps that use the App Engine standard environment and services bundled with the first
generation runtimes, notifications from the
legacy Mail API also bypass the firewall.
Allowing incoming requests from your services
The following table lists the IP ranges and App Engine firewall behavior for
common services. The IP range you use depends on whether the incoming requests
are delivered to a version that runs on the App Engine standard environment or
flexible environment.
Service
IP range for requests sent to the App Engine standard environment
IP range for requests sent to the App Engine flexible environment
Cloud Storage or Blobstore
0.1.0.30/32
Not applicable
Cloud Scheduler jobs using App Engine HTTP and App Engine tasks in Cloud Tasks (including App Engine Task Queues)
0.1.0.2/32, bypasses the default firewall rule if set to deny
0.1.0.2/32
App Engine Cron
0.1.0.1/32 or 0.1.0.2/32, bypasses the default firewall rule if set to deny
Depending on your use case, these additional instructions might apply when
configuring App Engine firewall rules:
Requests from newly created or updated App Engine Cron jobs sent to either the App Engine standard or flexible environment come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. To learn more about how to identify requests from the App Engine Cron service, see Validating cron requests.
Your app running in the standard environment has two services: frontend_service
and backend_service. frontend_service uses Cloud Tasks with
App Engine HTTP to send messages to backend_service. Since the default
firewall rule allows Cloud Tasks requests even if configured to deny, you do not need to create
a firewall rule for Cloud Tasks.
However, if you wanted to restrict access to your app and explicitly block
Cloud Tasks requests, you would create a deny firewall rule for IP range 0.1.0.2/32.
App Engine flexible example
Your app running in the flexible environment has two services:
frontend_service and backend_service, and has a firewall configured to deny
traffic by default. frontend_service uses Cloud Tasks with
App Engine HTTP to send messages to backend_service. Since the default
firewall rule denies Cloud Tasks requests, you would need to create an
allow firewall rule for 0.1.0.2/32.
The load balancer does not interfere or interact with App Engine firewall rules. The App Engine firewall rules are not evaluated until a serverless NEG directs traffic to App Engine.
We recommend that you use ingress controls
so that your app only receives requests sent from the load balancer
(and the VPC if you use it). Otherwise, users can use your app's
App Engine URL to bypass the load balancer, Cloud Armor
security policies, SSL certificates, and private keys that are passed through
the load balancer.
The App Engine firewall sits behind mechanisms that cache content, for example
web proxies and browsers. When content is cached, that content is served
publicly from the specific URL until it expires and can be accessed even after
creating new firewall rules.
For information about changing the default expiration time for static content
or preventing static content from being cached, see
Cache expiration.
To prevent dynamic content output from your app's code from being cached, use
the Cache-Control and Expires HTTP response headers. For more information about
these HTTP headers, including how to control caching, see
Avoiding caching.
What's next
Follow the instructions in Creating
Firewalls to
learn how to configure App Engine firewall rules.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThe App Engine firewall controls incoming traffic to your app, allowing or blocking requests based on specified IP ranges.\u003c/p\u003e\n"],["\u003cp\u003eBy default, requests not matching any defined rule are allowed, but this can be changed to deny access unless specifically allowed.\u003c/p\u003e\n"],["\u003cp\u003eCertain internal traffic, like warmup requests and Cloud Tasks, can bypass the firewall rules even when the default action is set to deny in the App Engine standard environment.\u003c/p\u003e\n"],["\u003cp\u003eWhen using Cloud Load Balancing, the App Engine firewall does not interact with the load balancer, and it is recommended to use ingress controls to ensure that requests only come through the load balancer.\u003c/p\u003e\n"],["\u003cp\u003eCached content may still be accessible publicly, even after new firewall rules are put in place, so control the cache behavior of static and dynamic content using Cache-Control and Expires headers.\u003c/p\u003e\n"]]],[],null,["# Understanding the App Engine firewall\n\nA **firewall** determines which network traffic is allowed to pass and which\ntraffic is rejected. Firewalls can apply to incoming traffic (ingress), outgoing\ntraffic (egress), or both. For App Engine, the App Engine firewall only\napplies to incoming traffic routed to your app or service.\n\nOverview\n--------\n\nThe App Engine firewall is checked for all types of\nrequests to your app, including:\n\n- Regular web traffic routed to the app's `appspot.com` address or custom domain.\n- Requests that arrive from [Cloud Load Balancing](/load-balancing).\n- Traffic from internal sources such as Compute Engine virtual machines (VMs) and Cloud Tasks.\n\nIn cases where your app is configured to use other networking services or\nproducts, you might need to create rules for controlling incoming traffic in\nboth the App Engine firewall and the firewall or security settings of other\nproducts. This guide covers the general behavior of the App Engine firewall,\nand details about those special use cases.\n\nApp Engine firewall rules\n-------------------------\n\nYou can [configure App Engine firewall rules](/appengine/docs/legacy/standard/python/creating-firewalls)\nusing the Google Cloud console, the Google Cloud CLI, or the Admin\nAPI by specifying rules that allow or block specified IP ranges.\n\nBy default, any request that does not match a rule is allowed access to your\napp. If you need to block all requests that do not match a specific rule\n(excluding requests from internal services allowed by default), change the\n`default` rule's action to `deny`.\n\n### Firewall feature\n\nIn the App Engine standard environment, the App Engine firewall can allow certain internal\ntraffic to bypass the firewall. This means that if you set the `default` rule to\n`deny`, requests from certain services destined for the App Engine standard environment do not\nget blocked. These are all types of traffic requested in the app's own\nconfiguration, or sent from the same app. Requests that bypass firewall rules in\nthis way include:\n\n- [Warmup requests](/appengine/docs/legacy/standard/python/configuring-warmup-requests)\n- Cloud Scheduler jobs using [App Engine HTTP](/scheduler/docs/creating#creating_jobs) (including [App Engine Cron](/appengine/docs/legacy/standard/python/config/cron)\n\n \u003cbr /\u003e\n\n - [App Engine tasks in Cloud Tasks](/tasks/docs/creating-appengine-tasks) (including App Engine Task Queues)\n\n For apps that use the App Engine standard environment and services bundled with the [first\n generation runtimes](/appengine/docs/standard/runtimes), notifications from the\n legacy Mail API also bypass the firewall.\n\n Allowing incoming requests from your services\n ---------------------------------------------\n\n The following table lists the IP ranges and App Engine firewall behavior for\n common services. The IP range you use depends on whether the incoming requests\n are delivered to a version that runs on the App Engine standard environment or\n flexible environment.\n\n Depending on your use case, these additional instructions might apply when\n configuring App Engine firewall rules:\n - Requests from newly created or updated App Engine Cron jobs sent to either the App Engine standard or flexible environment come from `0.1.0.2`. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from `0.1.0.1`. To learn more about how to identify requests from the App Engine Cron service, see [Validating cron requests](/appengine/docs/legacy/standard/python/scheduling-jobs-with-cron-yaml#validating_cron_requests).\n - If your app interacts with Cloud Load Balancing or is connected to a VPC network, see the [Interaction with other products or services](#interaction_with_other_products_or_services) section below.\n\n | **Caution:** Creating a rule for IP `0.0.0.0` will apply to **all** Compute Engine instances with Private Google Access enabled, not only the ones you own. Similarly, allowing requests from `0.1.0.40` will allow **any** App Engine app to make URL Fetch requests to your app.\n\n ### App Engine standard example\n\n Your app running in the standard environment has two services: `frontend_service`\n and `backend_service`. `frontend_service` uses Cloud Tasks with\n App Engine HTTP to send messages to `backend_service`. Since the `default`\n firewall rule allows Cloud Tasks requests even if configured to `deny`, you do not need to create\n a firewall rule for Cloud Tasks.\n\n However, if you wanted to restrict access to your app and explicitly block\n Cloud Tasks requests, you would create a `deny` firewall rule for IP range `0.1.0.2/32`.\n\n ### App Engine flexible example\n\n Your app running in the flexible environment has two services:\n `frontend_service` and `backend_service`, and has a firewall configured to deny\n traffic by default. `frontend_service` uses Cloud Tasks with\n App Engine HTTP to send messages to `backend_service`. Since the `default`\n firewall rule denies Cloud Tasks requests, you would need to create an\n `allow` firewall rule for `0.1.0.2/32`.\n\n Interaction with other products or services\n -------------------------------------------\n\n ### Cloud Load Balancing\n\n If you use [Cloud Load Balancing and serverless NEGs](/load-balancing/docs/negs/serverless-neg-concepts), note the following:\n - The load balancer does not interfere or interact with App Engine firewall rules. The App Engine firewall rules are not evaluated until a serverless NEG directs traffic to App Engine.\n\n \u003c!-- --\u003e\n\n - We recommend that you [use ingress controls](/appengine/docs/standard/application-security#ingress_controls)\n so that your app only receives requests sent from the load balancer\n (and the VPC if you use it). Otherwise, users can use your app's\n App Engine URL to bypass the load balancer, Cloud Armor\n security policies, SSL certificates, and private keys that are passed through\n the load balancer.\n\n - If your [ingress controls](/appengine/docs/legacy/standard/python/application-security#ingress_controls) are set to receive `internal-and-cloud-load-balancing` traffic, leave the default App Engine firewall rule as is (`allow`), and use [Google Cloud Armor web application firewall (WAF) rules](/armor/docs/rule-tuning).\n\n Preventing access to cached content\n -----------------------------------\n\n The App Engine firewall sits behind mechanisms that cache content, for example\n web proxies and browsers. When content is cached, that content is served\n publicly from the specific URL until it expires and can be accessed even after\n creating new firewall rules.\n For information about changing the default expiration time for static content or preventing static content from being cached, see [Cache expiration](/appengine/docs/legacy/standard/python/how-requests-are-handled#static_cache_expiration).\n\n \u003cbr /\u003e\n\n To prevent dynamic content output from your app's code from being cached, use\n the `Cache-Control` and `Expires` HTTP response headers. For more information about\n these HTTP headers, including how to control caching, see\n [Avoiding caching](https://wikipedia.org/wiki/List_of_HTTP_header_fields#Avoiding_caching).\n\n\n What's next\n -----------\n\n Follow the instructions in [Creating\n Firewalls](/appengine/docs/legacy/standard/python/creating-firewalls) to\n learn how to configure App Engine firewall rules."]]
