Connecting to internal resources in a VPC network

Serverless VPC Access enables you to connect from your App Engine app directly to Compute Engine VM instances, Cloud Memorystore instances, Cloud SQL instances, and any other resources with an internal IP address. This is helpful in cases where:

  • You run a backend service on a Managed Instance Group in Compute Engine and need your app to communicate with this service without exposure to the public internet.
  • Your app uses third-party software that you run on a Compute Engine VM.
  • You use Cloud Memorystore to store data for your App Engine app.
  • Your app needs to access data from your on-premises database through Cloud VPN.

With Serverless VPC Access, requests sent from your app to internal IP addresses (the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are routed through a Serverless VPC Access connector into your VPC network. Requests sent to any other address, including public IP addresses, are routed through the internet, so a resource that only has a public IP address is still reached over the internet even when a connector is configured. Internal IP addresses are not reachable from the public internet, so using them avoids exposing internal resources, and it also reduces the latency of communication between your services.

Serverless VPC Access supports communication to VPC networks connected via Cloud VPN and VPC Network Peering. Serverless VPC Access does not support legacy networks or Shared VPC networks. Serverless VPC Access connectors incur a monthly charge; see Serverless VPC Access pricing for more information.
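
The routing rule above is easy to get wrong in practice: only RFC 1918 destinations go through the connector, so a backend that you reach by a public IP (or any non-RFC 1918 address) silently bypasses it. The following script, added here as an example and not part of the original page or of any Google tooling, classifies a constructed inventory of backend addresses the way the page describes and flags the ones that would leave the VPC. The backend names and addresses are hypothetical; the public address uses the 203.0.113.0/24 documentation range.

```python
import ipaddress

# RFC 1918 private ranges: the page states that only destinations in these
# ranges are routed through the Serverless VPC Access connector.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def route_for(destination):
    """Return 'connector' for an RFC 1918 IPv4 destination, else 'internet'.

    Anything that is not an RFC 1918 IPv4 address (public IPv4, IPv6,
    CGNAT 100.64.0.0/10, link-local) is sent out through the public internet,
    which is the rule this page describes for the connector.
    """
    addr = ipaddress.ip_address(destination)
    if addr.version == 4 and any(addr in net for net in RFC1918_NETWORKS):
        return "connector"
    return "internet"


def audit_backends(backends):
    """Classify a mapping of backend name -> IP literal.

    Returns (routes, leaks): routes maps each backend to its route, and
    leaks is the sorted list of backends that would NOT go through the
    connector, i.e. traffic that leaves the VPC and crosses the internet.
    """
    routes = {name: route_for(ip) for name, ip in backends.items()}
    leaks = sorted(name for name, route in routes.items() if route == "internet")
    return routes, leaks


# Constructed sample inventory (hypothetical names and addresses).
SAMPLE_BACKENDS = {
    "redis-memorystore": "10.0.0.3",        # Cloud Memorystore private IP
    "mig-backend-ilb": "172.16.4.10",       # internal load balancer in front of a MIG
    "onprem-db-over-vpn": "192.168.50.12",  # on-prem range reachable via Cloud VPN
    "cloud-sql-public-ip": "203.0.113.4",   # public IP: bypasses the connector
    "cgnat-range-host": "100.64.1.7",       # not RFC 1918: bypasses the connector
    "ipv6-host": "2001:db8::1",             # IPv6: bypasses the connector
}

if __name__ == "__main__":
    routes, leaks = audit_backends(SAMPLE_BACKENDS)
    for name, route in sorted(routes.items()):
        print("%-22s %-16s via %s" % (name, SAMPLE_BACKENDS[name], route))
    if leaks:
        print("WARNING: not reached through the connector:", ", ".join(leaks))
```

Run this against the addresses your app actually connects to before relying on the connector for isolation; anything reported under the warning is traffic that the connector does not carry, regardless of whether the target lives in your VPC.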

Connecting to your VPC network

Connecting an App Engine app to your VPC network involves two steps:

  1. Create a Serverless VPC Access connector
  2. Configure your App Engine services to use the connector

A Serverless VPC Access connector must be in the same project and region as the app that uses it, but the connector can send traffic to resources in different regions. Multiple App Engine services can use the same connector. For more information about connectors, see Configuring Serverless VPC Access.

Creating a connector

You can create a connector with the GCP Console or the gcloud command-line tool.

Console

  1. Go to the Serverless VPC Access overview page.

  2. Click Create connector.

  3. In the Name field, enter a name for your connector.

  4. In the Region field, select the region where your app is located.

  5. In the Network field, select the VPC network to connect to.

  6. In the IP range field, enter an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.

  7. (Optional) You can control the connector's throughput by setting values in the Minimum throughput and Maximum throughput fields.

  8. Click Create.

A green check mark will appear next to the connector's name when it is ready to use.

gcloud

  1. Enable the Serverless VPC Access API for your project with the command:

    gcloud services enable vpcaccess.googleapis.com
    
  2. Create a connector:

    gcloud beta compute networks vpc-access connectors create CONNECTOR_NAME \
    --network VPC_NETWORK \
    --region REGION \
    --range IP_RANGE
    

    Where:

    • CONNECTOR_NAME is a name for your connector.
    • VPC_NETWORK is the VPC network to connect to.
    • REGION is the region where your app is located.
    • IP_RANGE is an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.
  3. Verify that your connector is in the READY state before using it:

    gcloud beta compute networks vpc-access connectors describe CONNECTOR_NAME --region REGION
    

    The output should contain the line state: READY.

If creating a connector results in an error, try the following and re-create your connector:

  • Specify an IP range that does not overlap with any existing IP address reservations in the VPC network.
  • Grant your project permission to use Compute Engine VM images from the project with ID serverless-vpc-access-images. See Setting image access constraints for information on how to update your organization policy accordingly.

Configuring your app to use a connector

After you have created a Serverless VPC Access connector, you can configure the services in your App Engine app to use the connector. Multiple services can use the same connector.

To connect your connector to a service in your app:

  1. Add the vpc_access_connector section to your service's app.yaml file:

    vpc_access_connector:
      name: "projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME"
    

    Where PROJECT_ID is your GCP project's ID, and REGION and CONNECTOR_NAME are the region and name you chose when you created the connector. Note that your connector and app must be in the same region.

  2. Deploy the service:

    gcloud beta app deploy
    

After you deploy your service, it is able to send requests to internal IP addresses in order to access resources in your VPC network.

Disconnecting your app from a connector

If your app no longer needs to connect to your VPC network, you can disconnect the Serverless VPC Access connector.

To disconnect a service from a connector:

  1. Remove the vpc_access_connector section from your service's app.yaml file.

  2. Re-deploy the service:

    gcloud app deploy
    

App Engine standard environment for Python 2