Connecting to internal resources in a VPC network

Python 2.7/3.7 |Java 8/11 |PHP 5/7 |Go 1.9/1.11/1.12 |Node.js

Using Serverless VPC Access, you can connect from your App Engine app directly to Compute Engine VM instances, Cloud Memorystore instances, Cloud SQL instances, and any other resources with an internal IP address. This is helpful in cases where:

You run a backend service on a Managed Instance Group in Compute Engine and need your app to communicate with this service without exposure to the public internet.
Your app uses third-party software that you run on a Compute Engine VM.
You use Cloud Memorystore to store data for your App Engine app.
Your app needs to access data from your on-premises database through Cloud VPN.

Serverless VPC Access enables you to send requests from your app to resources in your VPC network using internal IP addresses. Internal IP addresses are only accessible from Google Cloud Platform services, so using them avoids exposing internal resources to the public internet, and also improves the latency of communication between your services.

Serverless VPC Access does not support legacy networks or Shared VPC networks. Serverless VPC Access connectors incur a monthly charge, see Serverless VPC Access pricing for more information.

Connecting to your VPC network

Connecting an App Engine app to your VPC network involves two steps:

Create a Serverless VPC Access connector
Configure your App Engine services to use the connector

A Serverless VPC Access connector must be in the same project and region as the app that uses it, but the connector can send traffic to resources in different regions. Multiple App Engine services can use the same connector. For more information about connectors, see Configuring Serverless VPC Access.

Creating a connector

You can create a connector with the GCP Console or the gcloud command-line tool.

Console

Go to the Serverless VPC Access overview page.

Go to Serverless VPC Access
Click Create connector.
In the Name field, enter a name for your connector.
In the Region field, select the region where your app is located.
In the Network field, select the VPC network to connect to.
In the IP range field, enter an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.

Note: You can see which IP ranges are currently reserved in the Google Cloud Platform Console. You can choose any unused CIDR /28 IP range to use for your connector, for example, 10.8.0.0/28.
(Optional) You can control the connector's throughput by setting values in the Minimum throughput and Maximum throughput fields.
Click Create.

A green check mark will appear next to the connector's name when it is ready to use.

gcloud

Enable the Serverless VPC Access API for your project with the command:
```
gcloud services enable vpcaccess.googleapis.com
```
Create a connector:
```
gcloud beta compute networks vpc-access connectors create CONNECTOR_NAME \
--network VPC_NETWORK \
--region REGION \
--range IP_RANGE
```
Where:
- CONNECTOR_NAME is a name for your connector.
- VPC_NETWORK is the VPC network to connect to.
- REGION is the region where your app is located.
- IP_RANGE is an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.
Note: You can see which IP ranges are currently reserved in the Google Cloud Platform Console. You can choose any unused CIDR /28 IP range to use for your connector, for example, 10.8.0.0/28.
Verify that your connector is in the READY state before using it:
```
gcloud beta compute networks vpc-access connectors describe CONNECTOR_NAME --region REGION
```
The output should contain the line state: READY.

Configuring your app to use a connector

After you have created a Serverless VPC Access connector, you can configure the services in your App Engine app to use the connector. Multiple services can use the same connector.

To connect your connector to a service in your app:

Add the vpc_access_connector section to your service's app.yaml file:
```
vpc_access_connector:
  name: "projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME"
```
Where PROJECT_ID is your GCP project's ID, and REGION and CONNECTOR_NAME are the region and name you chose when you created the connector. Note that your connector and app must be in the same region.
Re-deploy the service:
```
gcloud beta app deploy
```
Note: To use Serverless VPC Access, make sure you use gcloud beta to deploy your service. You can get access to beta commands by running gcloud components install beta.

After you re-deploy your service, it is able to send requests to internal IP addresses in order to access resources in your VPC network.

Disconnecting your app from a connector

If your app no longer needs to connect to your VPC network, you can disconnect the Serverless VPC Access connector.

To disconnect a service from a connector:

Remove the vpc_access_connector section from your service's app.yaml file.
Re-deploy the service:
```
gcloud app deploy
```

Next steps

Learn more about Serverless VPC Access.

Was this page helpful? Let us know how we did:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated June 6, 2019.