Restrict access to AppEngine so that only another AppEngine service from another Google Cloud Projec

Time:01-05

I have an API (AppEngine in Project 1) that calls out to another API (AppEngine in Project 2). Is it possible to restrict access to the API in AppEngine in Project 2, so that it can only be called from the AppEngine in Project 1?

CodePudding user response:

You have to activate IAP on App Engine, and then select the services on which you want to activate it.

Then, when you deploy a service on App Engine, you can define an identity, i.e. the service account that App Engine uses to generate an identity token.

Because the identity is unique to a service (for example, the service in Project 1), you can grant ONLY that identity the capacity to reach App Engine in Project 2.

Note: you can define a service account per service, not per project. I mention the project here because it was your example, but it could just as well be service 1 calling service 2 in the same project, with only service 2 protected by IAP.
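The flow in the answer above, written out as an added example (this is not code from the original post or from Google): the Project 1 service asks the metadata server for an OIDC identity token whose audience is the IAP OAuth client ID of the Project 2 backend, sanity-checks the audience, and sends the token as a bearer header; the Project 2 side does a defense-in-depth check on the caller identity header that IAP sets after it has verified the token. `IAP_CLIENT_ID`, `TARGET_URL`, the service-account name and the `http_get` stub used to run it offline are assumptions for the example.

```python
"""Added example: App Engine service in Project 1 calling an IAP-protected
App Engine service in Project 2 with the Project 1 service account identity.

Assumptions (not from the original post): the IAP OAuth client ID of the
Project 2 backend, the Project 2 URL, and the caller service-account name
are placeholders. Setup this code relies on (hypothetical project names):
  # app.yaml of the Project 1 service
  #   service_account: svc1@project-1.iam.gserviceaccount.com
  # grant only that identity IAP access in Project 2
  #   gcloud projects add-iam-policy-binding project-2 \
  #     --member=serviceAccount:svc1@project-1.iam.gserviceaccount.com \
  #     --role=roles/iap.httpsResourceAccessor
On App Engine the identity token comes from the metadata server; the
`http_get` parameter lets the same code run offline with a stub.
"""
import base64
import json
import urllib.parse
import urllib.request

METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)
IAP_EMAIL_HEADER = "x-goog-authenticated-user-email"


def identity_token_url(audience: str) -> str:
    """Metadata-server URL that mints an OIDC token for the given audience.
    The audience must be the IAP client ID, or IAP in Project 2 rejects it."""
    return METADATA_IDENTITY_URL + "?" + urllib.parse.urlencode({"audience": audience})


def default_http_get(url: str, headers: dict) -> bytes:
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def fetch_identity_token(audience: str, http_get=default_http_get) -> str:
    # The metadata server refuses requests without Metadata-Flavor: Google.
    body = http_get(identity_token_url(audience), {"Metadata-Flavor": "Google"})
    return body.decode().strip()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Unverified payload of a JWT. Used only by the caller to confirm the
    audience before sending; signature verification is IAP's job."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_token_audience(token: str, expected_aud: str) -> bool:
    return token_claims(token).get("aud") == expected_aud


def call_project2(target_url: str, iap_client_id: str, http_get=default_http_get) -> bytes:
    """Project 1 side: obtain the token and call the protected service."""
    token = fetch_identity_token(iap_client_id, http_get)
    if not check_token_audience(token, iap_client_id):
        raise ValueError("identity token audience mismatch; refusing to send")
    return http_get(target_url, {"Authorization": "Bearer " + token})


def caller_is_allowed(request_headers: dict, allowed_sa: str) -> bool:
    """Project 2 side, defense in depth: IAP sets this header after verifying
    the token, prefixed with 'accounts.google.com:'. Checking it in the app
    keeps the 'only service 1' rule even if the IAM binding drifts."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    return lowered.get(IAP_EMAIL_HEADER, "") == "accounts.google.com:" + allowed_sa


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".sig"


if __name__ == "__main__":
    # Offline run with a stub in place of the metadata server and Project 2.
    sa = "svc1@project-1.iam.gserviceaccount.com"
    fake = make_unsigned_jwt({"aud": "IAP_CLIENT_ID", "email": sa})

    def stub(url, headers):
        return fake.encode() if "metadata.google.internal" in url else b"ok"

    print(call_project2("https://project-2.example/api", "IAP_CLIENT_ID", stub))
    print(caller_is_allowed({"X-Goog-Authenticated-User-Email": "accounts.google.com:" + sa}, sa))
```

The audience check before sending is cheap insurance: a token minted for the wrong audience is useless to Project 2 and would only show up as an opaque 403 from IAP. The header check in `caller_is_allowed` is not a substitute for IAP; it relies on IAP having already verified the assertion in front of the App Engine service.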

CodePudding user response:

There is some information missing regarding requirements, but perhaps this can solve your issue: you could check out Securing App Engine apps with IAP. Or maybe this can even be handled directly with firewall options, as shown in GAE Security.

If these options do not suit your needs then look into a Shared VPC.

Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that network.

I recommend reading through to determine what fits your needs.
