How to block AppEngine's _ah/start and _ah/stop routes from being visible to the outside world
I have _ah/start and _ah/stop routes in my 'Flexible' app. I understand the GAE containers will invoke those endpoints when the app comes up, and is going down. After I've deployed my app, I can hit them myself from the comfort of my couch. That makes no sense of course, as random strangers cannot be the arbiter of when app instances come up and go down. How do I configure AppEngine to block the publication of those two routes to the outside world? Or is it my job in the implementation of those two routes to check IP addresses or look for a header only GAE can send?
Based on this page: https://cloud.google.com/appengine/docs/flexible/go/how-requests-are-handled Headers that match X-Google-* or X-Appengine-* are removed when the request enters GCP. Appengine may then add headers that match those patterns, so if your handlers detect any such headers I think it is safe to assume the request comes from GAE and not some random client. You can dump all headers you get and see whether there are any interesting ones, then from a public client try and send a request and set such a header with some value and see whether it is sanitized first and then set again by GAE. Any such header must be sanitized first or anyone would be able to send them to your app otherwise. I would not rely on IP addresses.
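The header check described in the answer above can be run with a small diagnostic handler. This is an added example, not code from the post or from Google: the route name `/debug/reserved-headers`, the `canary` query parameter and port 8080 are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// ReservedHeaders returns the request headers in the X-Google-* and X-Appengine-* families.
func ReservedHeaders(h http.Header) map[string][]string {
	out := map[string][]string{}
	for name, vals := range h {
		l := strings.ToLower(name)
		if strings.HasPrefix(l, "x-google-") || strings.HasPrefix(l, "x-appengine-") {
			out[name] = vals
		}
	}
	return out
}

// CanarySurvived reports whether a client-chosen value reached the app inside a reserved header.
func CanarySurvived(h http.Header, canary string) bool {
	for _, vals := range ReservedHeaders(h) {
		for _, v := range vals {
			if canary != "" && v == canary {
				return true
			}
		}
	}
	return false
}

// reportHandler echoes header values, so deploy it only in a test version and remove it afterwards.
func reportHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{
		"reserved_headers": ReservedHeaders(r.Header),
		"canary_survived":  CanarySurvived(r.Header, r.URL.Query().Get("canary")),
	})
}

func main() {
	http.HandleFunc("/debug/reserved-headers", reportHandler) // hypothetical route
	log.Fatal(http.ListenAndServe(":8080", nil))              // assumed port
}
```

From an outside client, request the route with a constructed header such as `X-Appengine-Canary: abc123` and `?canary=abc123`. A response with `canary_survived: true` means the header reached the app unsanitized; `reserved_headers` lists the headers in those families that did arrive.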
So flex does not use the /_ah/* paths and therefore does not hide them. Sadly we have an inconsistency in our docs. It is correctly documented here https://cloud.google.com/appengine/docs/flexible/python/migrating but (at the moment) https://cloud.google.com/appengine/docs/flexible/custom-runtimes/build is incorrect. The documentation update is under review and should go public shortly. Apologies for the confusion.