I have read a lot on GCP's Firewall rules and even got help from a dev-ops person who could not understand why these rules block my home IP from my App Engine Standard F1 instance.
Priority T Action IP range
2000 Allow XX.X.XX.XXX
2001 Allow xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:xxxx // my V6 IP
default Deny *
When adding the V6 IP I am allowed access but with strange errors, eg. refreshing the page shows a path error: But browsing there (or to any path) loads just fine.
Error: Not Found
The requested URL /feed was not found on this server.
Without the V6 IP (and only the V4 IP allow rule) I cannot access the instance.
How can I whitelist my own IP for access?
CodePudding user response:
As reviewed in the comments, from the test I've made, I can confirm that connections are preferred to be done over IPv6 rather than IPv4.
As pointed out by this answer:
The first thing that a client determines is which protocols are available. ...It will then do a DNS lookup for both the A (IPv4 address) and AAAA (IPv6 address) records. If only one type is returned then it will use that. If both IPv4 and IPv6 addresses are returned the default behaviour depends a bit on the client software. Usually RFC 3484 is used.
According to the official standards it should prefer IPv6...
You can confirm this behaviour by checking into the logs the IP address that reaches the service of which you are testing the firewall rules (eg. default service); service, using the Logs Viewer.
Look up for a Log entry that matches a request you made (eg. to the /
root directory).
To show the latest logs, click Jump to now.
Under httpRequest on the field remoteIp you could check the IP address that your machine is using to access App Engine.
In order to do this, delete the rules you've created and change the default rule to Allow.