I like to use Prometheus to monitor a web app, how can I not expose /metrics to the world?

To use Prometheus to monitor a web application and prevent exposing the /metrics endpoint to the public internet, you can follow these steps:

  1. Configure Prometheus on a Compute Engine instance: Start by setting up Prometheus on a separate Compute Engine instance within your VPC. This instance will be responsible for scraping metrics from your web application.
  2. Restrict access to the Prometheus instance: To ensure that only authorized users or systems can access the Prometheus instance, you can apply firewall rules to limit incoming connections to specific IP ranges or networks. Configure the firewall rules to allow incoming traffic on the port used by Prometheus (default is 9090) only from trusted sources.
    • Go to the Google Cloud Console.
    • Navigate to the “VPC network” section.
    • Select “Firewall rules” from the sidebar.
    • Click on the “Create Firewall Rule” button.
    • Provide a name and description for the rule.
    • Set the “Targets” field to the Prometheus instance.
    • Specify the protocol as “TCP”.
    • In the “Ports and protocols” field, enter the Prometheus port (e.g., 9090).
    • In the “Source IP ranges” field, enter the IP ranges or networks that should be allowed to access the Prometheus instance.
    • Click “Create” to save the firewall rule.
  3. Enable authentication for Prometheus: To add an additional layer of security, you can enable authentication for Prometheus. This will require users or systems to provide valid credentials before accessing the /metrics endpoint.
    • Prometheus provides several authentication mechanisms, such as basic authentication or OAuth2. Choose the one that suits your requirements.
    • Configure Prometheus to enable authentication based on the chosen mechanism. Refer to the Prometheus documentation for detailed instructions on setting up authentication.
  4. Restrict access to the /metrics endpoint in your web application: To prevent direct access to the /metrics endpoint from the public internet, you can configure your web application to only respond to requests coming from the Prometheus instance.
    • Update your web application’s firewall rules to allow incoming traffic on the port it is running on (e.g., port 80 for HTTP).
    • Configure your web application to only allow incoming requests from the IP address or range of the Prometheus instance. This can typically be achieved through application-level configuration or firewall settings within your web application stack.

By following these steps, you can ensure that the Prometheus metrics endpoint (/metrics) is not accessible to the public internet. The metrics can only be scraped by the Prometheus instance located within the same VPC, and access to the Prometheus instance itself is restricted to trusted sources using firewall rules and authentication mechanisms.
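As an added example of step 4 (not code from the original answer), the following WSGI middleware lets `/metrics` answer only when the connecting address falls inside the Prometheus instance's range; the range `10.128.0.0/20`, the `MetricsGuard` and `probe` names and the toy application are all constructed for this illustration. It reads the peer address from the socket (`REMOTE_ADDR`) rather than from `X-Forwarded-For`, which any client can set, and returns 404 rather than 403 so the endpoint's existence is not advertised.

```python
# Added example: application-level gate for /metrics (assumed values, not from the page).
import ipaddress
from typing import Iterable

# Constructed example: the subnet that holds the Prometheus scraper.
PROMETHEUS_NETS = [ipaddress.ip_network("10.128.0.0/20")]


def source_allowed(remote_addr: str, allowed_nets: Iterable = PROMETHEUS_NETS) -> bool:
    """True only if remote_addr parses as an IP inside one of allowed_nets."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:  # empty or malformed address: deny by default
        return False
    return any(addr in net for net in allowed_nets)


class MetricsGuard:
    """WSGI middleware: serve PATH_INFO == '/metrics' only to trusted sources."""

    def __init__(self, app, allowed_nets: Iterable = PROMETHEUS_NETS):
        self.app = app
        self.allowed_nets = list(allowed_nets)

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") == "/metrics":
            # REMOTE_ADDR is the TCP peer; X-Forwarded-For is deliberately ignored.
            if not source_allowed(environ.get("REMOTE_ADDR", ""), self.allowed_nets):
                start_response("404 Not Found", [("Content-Type", "text/plain")])
                return [b"not found\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Toy application: a metrics page plus a public index page."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    if environ.get("PATH_INFO") == "/metrics":
        return [b"http_requests_total 42\n"]  # constructed sample metric
    return [b"hello\n"]


def probe(app, path: str, remote_addr: str) -> str:
    """Run one constructed request through a WSGI app and return the status line."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    b"".join(app(environ, start_response))  # consume the body
    return captured["status"]
```

If the app sits behind a load balancer, the peer address is the balancer's, so the check must move to the balancer or the firewall in front of it, as the answer's step 4 notes.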