I have created some APIs using Firebase Functions and I have received a security assessment result stating that I need to disable TLS 1.0 and 1.1. Is there a way to do this without using a load balancer or Apigee? If so, how can I disable TLS 1.0 and 1.1?
Hi,
Disabling TLS 1.0 and 1.1 for Firebase Functions that expose cloud endpoints is primarily achieved through the use of Google Cloud Load Balancing with SSL policies. Direct control over TLS versions within Cloud Functions themselves is not available.
The following steps are required:
- Configure Ingress Settings for Cloud Functions:
  - Set the ingress settings of your Cloud Function to internal-and-gclb (Allow internal traffic and traffic from Cloud Load Balancing). This ensures that the function can only be invoked by resources within the same project’s VPC network or by a Google Cloud Load Balancer.
  - This can be done in the Google Cloud Console under the function’s settings, or using the gcloud CLI during deployment:
    gcloud functions deploy YOUR_FUNCTION_NAME --ingress-settings=internal-and-gclb
Once this is done, traffic will only traverse Google’s encrypted network, and when the endpoint needs to be exposed externally, the traffic will need to go through a Load Balancer, which can control the
Here’s how to implement the Load Balancer:
- Deploy your Firebase Function: Ensure your Firebase Function is deployed and accessible.
- Set up a Google Cloud Load Balancer:
  - Create an HTTPS Load Balancer in Google Cloud.
  - Configure the backend service to point to your Cloud Function using a Serverless Network Endpoint Group (NEG). This allows the load balancer to route traffic to your serverless function.
- Create an SSL Policy:
  - Within the Load Balancer configuration, create or select an SSL policy.
  - In the SSL policy settings, specify the Minimum TLS Version to be TLS 1.2 (or higher if desired). This will effectively disable TLS 1.0 and 1.1 for all connections handled by this load balancer.
  - You can also further restrict cipher suites within the SSL policy for enhanced security.
- Associate the SSL Policy with the Load Balancer: Apply the configured SSL policy to the relevant frontend of your HTTPS Load Balancer.
- Route traffic through the Load Balancer: Ensure that client requests intended for your Firebase Function are directed to the IP address or domain name associated with your Google Cloud Load Balancer.
By implementing this architecture, the Google Cloud Load Balancer acts as an intermediary, enforcing the desired TLS version and cipher suite restrictions before forwarding requests to your Firebase Function, thus disabling TLS 1.0 and 1.1 for your cloud endpoint.
Thank you for your very helpful support. I have tried implementing it on my application.
I understand that:
- It is not possible to disable TLS directly on this domain. Instead, I need to:
  - Create an API Gateway and connect it to Cloud Functions.
  - Set up a Load Balancer and configure the API Gateway as the backend service, then adjust the settings on the API Gateway.
- The deployment steps are as follows:
  - Create a service account for the API Gateway:
    gcloud iam service-accounts create [YOUR_SERVICE_ACCOUNT_NAME] --description="[DESCRIPTION]" --display-name="[DISPLAY_NAME]"
  - Create an API config for the API Gateway:
    gcloud api-gateway api-configs create [YOUR_API_CONFIG_NAME] --api=[YOUR_API_NAME] --openapi-spec=[SPEC_FILE_PATH]
    This command requires you to have an OpenAPI spec file, so you’ll need to prepare that before executing the command.
  - Create the API Gateway:
    gcloud api-gateway gateways create [YOUR_GATEWAY_NAME] --api=[YOUR_API_NAME] --api-config=[YOUR_API_CONFIG_NAME] --location=[LOCATION]
  - Deploy the API Gateway to Google Cloud: After creating the service account, API config, and the gateway, you can deploy the API Gateway to handle traffic.
These steps allow the API Gateway to handle requests and forward them to Cloud Functions via the Load Balancer.
The domain for calling the API will change. It will no longer be in the format of asia-northeast1-projectID.cloudfunctions.net, but will be something like https://project-gateway-xxx.an.gateway.dev/. Users will no longer be able to call the old API directly; instead, they will only be able to call through the gateway. Therefore, all projects calling the old API will need to transition to the new API Gateway.
Currently, the old code is using Firebase Functions (Firebase SDK). Now, we will switch to using the API Gateway (HTTP REST API). These are two completely different protocols, so simply changing the API URL is not enough. We will also need to update all parts of the code that use the Firebase SDK to work with the HTTP REST API.
This change of domain and rewriting the entire logic seems like it could have a significant impact. Is there any way to minimize the scope of the impact? (As I currently have many different projects that all share the same Cloud Function API.)
Hi,
The API Gateway should not be needed, only the load balancer is needed. What I’m not sure of off hand are which protocols are used by the Firebase SDK. You’ll need to match the needed protocols against the correct load balancer option and then confirm whether that option still has the SSL policy controls.
Thank you, I followed your instructions, but when I reached the step “Create an HTTPS Load Balancer in Google Cloud. Configure the backend service to point to your Cloud Function using a Serverless Network Endpoint Group (NEG)”, I encountered an issue.
When configuring the Backend Service and trying to Create a Serverless Network Endpoint Group (NEG), I am unable to create a single NEG for all of my functions. Instead, I can only create one NEG per function, and I have many functions. How should I proceed without using the API Gateway?
Could you please guide me on the correct approach to handle this?
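The following script is an added example, not code posted by anyone in this thread. It carries out the load balancer procedure from the first answer (restrict ingress, SSL policy with a minimum TLS version, serverless NEG, backend service, HTTPS frontend with the policy attached) as a single reproducible gcloud run, and it generalises the NEG step to the many-functions situation raised in the last post: instead of `--cloud-function-name`, which binds a serverless NEG to exactly one function, it uses the serverless NEG `--url-mask` option so that one NEG resolves the function name from the first path segment of the request. Every value (PROJECT_ID, REGION, the FUNCTIONS list, DOMAIN, all resource names and the `DOMAIN/<function>` mask layout) is an assumed placeholder. With DRY_RUN=1, the default, the script only prints the commands so they can be reviewed; DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example, not code from the thread participants. Builds the load balancer described in
# the first answer in front of several Cloud Functions and enforces a minimum TLS version on it.
# All names below are assumed placeholders. DRY_RUN=1 prints the gcloud commands; DRY_RUN=0 runs them.
set -eu

: "${DRY_RUN:=1}"
: "${PROJECT_ID:=my-project}"
: "${REGION:=asia-northeast1}"
: "${FUNCTIONS:=getUser createOrder}"   # space-separated function names (assumed sample values)
: "${DOMAIN:=api.example.com}"          # hostname the load balancer will serve (assumed)
: "${MIN_TLS:=1.2}"                     # minimum TLS version for the SSL policy

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi
}

# 1. Ingress: accept only VPC-internal traffic and traffic from Cloud Load Balancing. Without this
#    the default *.cloudfunctions.net URL stays reachable and still negotiates TLS 1.0/1.1.
restrict_ingress() {
  for fn in $FUNCTIONS; do
    run functions deploy "$fn" --project="$PROJECT_ID" --region="$REGION" \
      --ingress-settings=internal-and-gclb
  done
}

# 2. SSL policy: handshakes below MIN_TLS are refused by the proxy before any request
#    reaches a function.
create_ssl_policy() {
  run compute ssl-policies create fn-tls-policy --project="$PROJECT_ID" --global \
    --profile=MODERN --min-tls-version="$MIN_TLS"
}

# 3. One serverless NEG for all functions: the URL mask takes the function name from the first
#    path segment, so https://DOMAIN/getUser reaches the function named getUser, mirroring the
#    REGION-PROJECT.cloudfunctions.net/NAME layout. The functions must live in REGION.
create_backend() {
  run compute network-endpoint-groups create fn-neg --project="$PROJECT_ID" --region="$REGION" \
    --network-endpoint-type=serverless --url-mask="$DOMAIN/<function>"
  run compute backend-services create fn-backend --project="$PROJECT_ID" --global \
    --load-balancing-scheme=EXTERNAL_MANAGED
  run compute backend-services add-backend fn-backend --project="$PROJECT_ID" --global \
    --network-endpoint-group=fn-neg --network-endpoint-group-region="$REGION"
}

# 4. Frontend: URL map, Google-managed certificate for DOMAIN, HTTPS proxy carrying the SSL
#    policy, a static IP and a forwarding rule on 443. DOMAIN's DNS A record must point at fn-ip.
create_frontend() {
  run compute url-maps create fn-url-map --project="$PROJECT_ID" --global --default-service=fn-backend
  run compute ssl-certificates create fn-cert --project="$PROJECT_ID" --global --domains="$DOMAIN"
  run compute target-https-proxies create fn-https-proxy --project="$PROJECT_ID" --global \
    --url-map=fn-url-map --ssl-certificates=fn-cert --ssl-policy=fn-tls-policy
  run compute addresses create fn-ip --project="$PROJECT_ID" --global
  run compute forwarding-rules create fn-https-rule --project="$PROJECT_ID" --global \
    --load-balancing-scheme=EXTERNAL_MANAGED --target-https-proxy=fn-https-proxy \
    --address=fn-ip --ports=443
}

deploy_all() {
  restrict_ingress
  create_ssl_policy
  create_backend
  create_frontend
}

deploy_all
```

Once the managed certificate is ACTIVE, confirm the policy from outside with `openssl s_client -connect api.example.com:443 -tls1_1 </dev/null` (handshake failure expected) and the same command with `-tls1_2` (handshake succeeds). The ingress step is what makes the check meaningful: the SSL policy only governs connections that terminate at the load balancer, so the functions' own cloudfunctions.net URLs have to stop accepting public traffic.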