App Engine connectivity strategies

This page describes commonly used App Engine connectivity strategies, including steps related to using Serverless VPC Access and internal IP addresses.

Connect from VPC to App Engine instances

Serverless VPC Access is useful when making calls from Google's serverless offerings to a Virtual Private Cloud (VPC) network, but you can't access App Engine instances using an internal IP address.

To connect to App Engine from the VPC network using an internal IP address without an assigned external IP address, do the following:

  1. Set up Private Google Access. Ensure that the App Engine service uses a Private Google Access-enabled subnet.
  2. Use a Private Service Connect endpoint. Ensure that the endpoint is connected to the Private Google Access-enabled subnet.
  3. Send traffic to the Private Service Connect endpoint. Ensure that the endpoint is connected to the subnet.

App Engine instances with external IP addresses can send traffic to Private Service Connect endpoints without any additional requirements.

Customize access permissions between App Engine services

When you have multiple App Engine services and want to configure access permissions differently between services (for example, you want to enable access to App Engine Service A only from App Engine Service B), you can use App Engine with Identity-Aware Proxy (IAP).

For more information, see Controlling access to websites and apps and IAP documentation.

Connect App Engine to Cloud SQL private IP addresses

To connect your App Engine apps to Cloud SQL instances over private IP addresses, use one of the following options:

Deploy an App Engine app in a Shared VPC network

Deploying an application in the App Engine flexible environment in a Shared VPC network requires an internal IP address. The internal IP address adds a route to avoid 0.0.0.0/0.

For instances with IP mode set to internal, you must make the following changes to the network:

  • Enable Private Google Access for each subnetwork that you use.
  • Create a route compatible with Private Google Access if it doesn't already exist.
  • Create a firewall rule compatible with Private Google Access if it doesn't already exist.
  • If you need outgoing internet access, you must also deploy Cloud NAT for each region attached to subnetworks that you use.

As documented in the internet access requirement for VPC networks, the network must have a valid default internet gateway route or a custom route whose destination IP range is the most general one (0.0.0.0/0). If you remove this route, deployments or serving can fail.
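The four network changes listed above, applied from the host project, as an added shell example that is not part of the Google Cloud documentation. The project, network, subnet and region names are placeholders, and the firewall rule's destination range is an assumption to be narrowed to the Google API range the network actually uses.

```shell
#!/usr/bin/env bash
# Added example (not from the Google Cloud docs): applies the four Shared VPC
# network prerequisites listed above for an App Engine flexible app whose
# app.yaml sets network.instance_ip_mode: internal. The project, network,
# subnet and region names are assumed placeholders; DRY_RUN=1 prints the
# gcloud commands instead of running them.
set -eu

HOST_PROJECT="${HOST_PROJECT:-host-project-placeholder}"
NETWORK="${NETWORK:-shared-net}"
SUBNET="${SUBNET:-app-subnet}"
REGION="${REGION:-us-central1}"
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Private Google Access on each subnet the app uses.
enable_pga() {
  run gcloud compute networks subnets update "$SUBNET" --project="$HOST_PROJECT" \
    --region="$REGION" --enable-private-ip-google-access
}

# 2. The most general route (0.0.0.0/0) to the default internet gateway must
#    exist; removing it breaks deployment and serving, as the page warns.
ensure_default_route() {
  run gcloud compute routes create pga-default-route --project="$HOST_PROJECT" \
    --network="$NETWORK" --destination-range=0.0.0.0/0 \
    --next-hop-gateway=default-internet-gateway
}

# 3. Egress firewall rule for Private Google Access. Only tcp:443 is opened;
#    narrow --destination-ranges (assumed 0.0.0.0/0 here) to the Google API range you use.
ensure_pga_firewall() {
  run gcloud compute firewall-rules create allow-pga-egress --project="$HOST_PROJECT" \
    --network="$NETWORK" --direction=EGRESS --action=ALLOW --rules=tcp:443 \
    --destination-ranges=0.0.0.0/0
}

# 4. Cloud NAT, per region, only when instances need outbound internet access.
ensure_cloud_nat() {
  run gcloud compute routers create "nat-router-$REGION" --project="$HOST_PROJECT" \
    --network="$NETWORK" --region="$REGION"
  run gcloud compute routers nats create "nat-$REGION" --project="$HOST_PROJECT" \
    --router="nat-router-$REGION" --region="$REGION" \
    --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges
}

apply_all() { enable_pga; ensure_default_route; ensure_pga_firewall; ensure_cloud_nat; }
```

Run with `DRY_RUN=1 bash -c '. ./shared-vpc-prereqs.sh; apply_all'` first to review the exact commands before applying them to the host project.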