Connecting to a VPC network

This page shows how to use Serverless VPC Access to connect your App Engine standard environment app directly to your VPC network, allowing access to Compute Engine VM instances, Memorystore instances, and any other resources with an internal IP address.

To use Serverless VPC Access, you must first create a Serverless VPC Access connector to handle communication to your VPC network. After you create a connector, you configure your App Engine services to use the connector.

Creating a Serverless VPC Access connector

For detailed instructions on creating Serverless VPC Access connectors, refer to Creating a connector.

Configuring your app to use a connector

After you have created a Serverless VPC Access connector, you can configure the services in your App Engine app to use the connector.

To specify a connector for a service in your app:

1. Add the <vpc-access-connector> element to your service's appengine-web.xml file:

   <vpc-access-connector>
     <name>projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME</name>
   </vpc-access-connector>
   

   Where PROJECT_ID is your Cloud project ID, REGION is the region your connector is in, and CONNECTOR_NAME is the name of your connector.

2. Deploy the service:

   gcloud app deploy WEB-INF/appengine-web.xml
   

After you deploy your service, it is able to send requests to internal IP addresses in order to access resources in your VPC network. To disconnect a service from a VPC network, remove the <vpc-access-connector> element from the appengine-web.xml file and re-deploy the service.

Connecting to a Shared VPC network

If your organization uses Shared VPC, an app in a Shared VPC service project can connect to a Shared VPC network after some configuration in the Shared VPC host project.

1. Make sure an administrator of the host project completes the setup described at Using a Shared VPC network. This setup includes creating a Serverless VPC Access connector in the host project and attaching it to the Shared VPC network.

2. Enable the Serverless VPC Access API in your service project:

   Enable API

3. After the host project setup is complete, you can specify the host project's connector in your appengine-web.xml file using the connector's fully-qualified name:

   <vpc-access-connector>
     <name>projects/HOST_PROJECT_ID/locations/CONNECTOR_REGION/connectors/CONNECTOR_NAME</name>
   </vpc-access-connector>
   

   Where HOST_PROJECT_ID is the ID of the host project, CONNECTOR_REGION is the region the connector is in, and CONNECTOR_NAME is the name of the connector.

   This connects your App Engine service to the Shared VPC network.

Next steps

• Learn more about Serverless VPC Access.
• Learn how to connect to Memorystore from the App Engine standard environment.