Connecting to a VPC network

Serverless VPC Access enables you to connect from your App Engine app directly to Compute Engine VM instances, Memorystore instances, Cloud SQL instances, and any other resources with an internal IP address. This can be helpful in cases such as the following:

You run a backend service on a Managed Instance Group in Compute Engine and need your app to communicate with this service without exposure to the public internet.
Your app uses third-party software that you run on a Compute Engine VM.
You use Memorystore to store data for your App Engine app.
Your app needs to access data from your on-premises database through Cloud VPN.

With Serverless VPC Access, requests sent from your app to internal IP addresses (as defined by RFC 1918) are routed through a Serverless VPC Access connector to your VPC network. Internal IP addresses are only accessible from Google Cloud services, so using them avoids exposing internal resources to the public internet, and also improves the latency of communication between your services.

Serverless VPC Access supports communication to VPC networks connected via Cloud VPN and VPC Network Peering. Serverless VPC Access does not support legacy networks or Shared VPC networks. Serverless VPC Access connectors incur a monthly charge; see Serverless VPC Access pricing for more information.

Connecting to your VPC network

Connecting an App Engine app to your VPC network involves two steps:

Create a Serverless VPC Access connector
Configure your App Engine services to use the connector

A Serverless VPC Access connector must be in the same project and region as the app that uses it, but the connector can send traffic to resources in different regions. Multiple App Engine services can use the same connector. For more information about connectors, including a list of supported regions, see Configuring Serverless VPC Access.

Creating a connector

You can create a connector with the Cloud Console or the gcloud command-line tool.

Console

Enable the Serverless VPC Access API for your project:

Enable API
Go to the Serverless VPC Access overview page.

Go to Serverless VPC Access
Click Create connector.
In the Name field, enter a name for your connector.
In the Region field, select the region where your app is located.

Note: The App Engine regions us-central and europe-west correspond to the regions us-central1 and europe-west1 for your connector.
In the Network field, select the VPC network to connect to.
In the IP range field, enter an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.

Note: You can see which IP ranges are currently reserved in the Google Cloud Console. You can choose any unused CIDR /28 IP range to use for your connector, for example, 10.8.0.0/28.
(Optional) You can control the connector's throughput by setting values in the Minimum throughput and Maximum throughput fields.
Click Create.

A green check mark will appear next to the connector's name when it is ready to use.

gcloud

Update gcloud components to the latest version:
```
gcloud components update
```
Enable the Serverless VPC Access API for your project with the command:
```
gcloud services enable vpcaccess.googleapis.com
```
Create a connector:
```
gcloud compute networks vpc-access connectors create CONNECTOR_NAME \
--network VPC_NETWORK \
--region REGION \
--range IP_RANGE
```
Where:
- CONNECTOR_NAME is a name for your connector.
- VPC_NETWORK is the VPC network to connect to.
- REGION is the region where your app is located.
  
  Note: The App Engine regions us-central and europe-west correspond to the regions us-central1 and europe-west1 for your connector.
- IP_RANGE is an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.
Note: You can see which IP ranges are currently reserved in the Google Cloud Console. You can choose any unused CIDR /28 IP range to use for your connector, for example, 10.8.0.0/28.
Verify that your connector is in the READY state before using it:
```
gcloud compute networks vpc-access connectors describe CONNECTOR_NAME --region REGION
```
The output should contain the line state: READY.

If creating a connector results in an error, try the following and re-create your connector:

Specify an IP range that does not overlap with any existing IP address reservations in the VPC network.
Grant your project permission to use Compute Engine VM images from the project with ID serverless-vpc-access-images. See Setting image access constraints for information on how to update your organization policy accordingly.

Configuring your app to use a connector

After you have created a Serverless VPC Access connector, you can configure the services in your App Engine app to use the connector. Multiple services can use the same connector.

To connect your connector to a service in your app:

Add the vpc_access_connector section to your service's app.yaml file:
```
vpc_access_connector:
  name: "projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME"
```
Where PROJECT_ID is your Google Cloud project's ID, and REGION and CONNECTOR_NAME are the region and name you chose when you created the connector. Note that your connector and app must be in the same region.
Deploy the service:
```
gcloud app deploy
```

After you deploy your service, it is able to send requests to internal IP addresses in order to access resources in your VPC network.

Disconnecting your app from a connector

If your app no longer needs to connect to your VPC network, you can disconnect the Serverless VPC Access connector.

To disconnect a service from a connector:

Remove the vpc_access_connector section from your service's app.yaml file.
Re-deploy the service:
```
gcloud app deploy
```

Next steps

Learn more about Serverless VPC Access.