Connecting to internal resources in a VPC network

Using Serverless VPC Access, you can connect from your App Engine app directly to Compute Engine VM instances, Cloud Memorystore instances, Cloud SQL instances, and any other resources with an internal IP address. This is helpful in cases where:

  • You run a backend service on a Managed Instance Group in Compute Engine and need your app to communicate with this service without exposure to the public internet.
  • Your app uses third-party software that you run on a Compute Engine VM.
  • You use Cloud Memorystore to store data for your App Engine app.
  • Your app needs to access data from your on-premises database through Cloud VPN.

Serverless VPC Access enables you to send requests from your app to resources in your VPC network using internal IP addresses. Internal IP addresses are only accessible from Google Cloud Platform services, so using them avoids exposing internal resources to the public internet, and also improves the latency of communication between your services.

Serverless VPC Access does not support legacy networks or Shared VPC networks. Serverless VPC Access connectors incur a monthly charge; see Serverless VPC Access pricing for more information.

Connecting to your VPC network

Connecting an App Engine app to your VPC network involves two steps:

  1. Create a Serverless VPC Access connector
  2. Configure your App Engine services to use the connector

A Serverless VPC Access connector must be in the same project and region as the app that uses it, but the connector can send traffic to resources in different regions. Multiple App Engine services can use the same connector. For more information about connectors, see Configuring Serverless VPC Access.

Creating a connector

You can create a connector with the GCP Console or the gcloud command-line tool.

Console

  1. Go to the Serverless VPC Access overview page.

  2. Click Create connector.

  3. In the Name field, enter a name for your connector.

  4. In the Region field, select the region where your app is located.

  5. In the Network field, select the VPC network to connect to.

  6. In the IP range field, enter an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.

  7. (Optional) You can control the connector's throughput by setting values in the Minimum throughput and Maximum throughput fields.

  8. Click Create.

A green check mark will appear next to the connector's name when it is ready to use.

gcloud

  1. Enable the Serverless VPC Access API for your project with the command:

    gcloud services enable vpcaccess.googleapis.com
    
  2. Create a connector:

    gcloud beta compute networks vpc-access connectors create CONNECTOR_NAME \
    --network VPC_NETWORK \
    --region REGION \
    --range IP_RANGE
    

    Where:

    • CONNECTOR_NAME is a name for your connector.
    • VPC_NETWORK is the VPC network to connect to.
    • REGION is the region where your app is located.
    • IP_RANGE is an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.
  3. Verify that your connector is in the READY state before using it:

    gcloud beta compute networks vpc-access connectors describe CONNECTOR_NAME --region REGION
    

    The output should contain the line state: READY.
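As an added example (not part of this page and not Google Cloud tooling), the following Python check enforces the IP_RANGE constraints described above before you run the create command: the range must be a properly aligned IPv4 /28, and it must not overlap any existing reservation in the VPC network. The list of existing ranges is a constructed sample; in practice you would gather it from your network's subnets and reservations beforehand.

```python
import ipaddress

# Constructed sample of ranges already reserved in the VPC network
# (subnets, peering ranges, other connectors). Not real project data.
EXISTING_RANGES = [
    "10.128.0.0/20",   # a regional subnet
    "10.8.0.0/28",     # an existing connector's range
    "192.168.1.0/24",  # an on-premises range reachable over Cloud VPN
]


def validate_connector_range(candidate: str, existing: list[str]) -> list[str]:
    """Return a list of problems with CANDIDATE; an empty list means it is usable.

    strict=True makes ipaddress reject ranges whose host bits are set
    (e.g. 10.8.0.5/28), which gcloud would also refuse.
    """
    problems = []
    try:
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR network: {exc}"]

    if net.version != 4:
        problems.append("connector range must be IPv4")
    elif net.prefixlen != 28:
        problems.append(f"prefix length is /{net.prefixlen}, connector requires /28")

    # The connector's source addresses come from this range, so any
    # overlap with an existing reservation would produce ambiguous routing.
    for reserved in existing:
        other = ipaddress.ip_network(reserved, strict=False)
        if other.version == net.version and net.overlaps(other):
            problems.append(f"overlaps existing range {reserved}")
    return problems


if __name__ == "__main__":
    for cand in ["10.8.0.16/28", "10.8.0.0/28", "10.8.1.0/24", "10.8.0.5/28"]:
        issues = validate_connector_range(cand, EXISTING_RANGES)
        print(cand, "OK" if not issues else "; ".join(issues))
```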

Configuring your app to use a connector

After you have created a Serverless VPC Access connector, you can configure the services in your App Engine app to use the connector. Multiple services can use the same connector.

To connect your connector to a service in your app:

  1. Add the <vpc-access-connector> element to your service's appengine-web.xml file:

    <vpc-access-connector>
      <name>projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME</name>
    </vpc-access-connector>
    

    Where PROJECT_ID is your GCP project's ID, and REGION and CONNECTOR_NAME are the region and name you chose when you created the connector. Note that your connector and app must be in the same region.

  2. Re-deploy the service:

    gcloud beta app deploy WEB-INF/appengine-web.xml
    

After you re-deploy your service, it is able to send requests to internal IP addresses in order to access resources in your VPC network.

Disconnecting your app from a connector

If your app no longer needs to connect to your VPC network, you can disconnect the Serverless VPC Access connector.

To disconnect a service from a connector:

  1. Remove the <vpc-access-connector> element from your service's appengine-web.xml file.

  2. Re-deploy the service:

    gcloud app deploy WEB-INF/appengine-web.xml
    

Next steps

App Engine standard environment for Java