Serverless VPC Access enables you to connect from your App Engine app directly to Compute Engine VM instances, Memorystore instances, Cloud SQL instances, and any other resources with an internal IP address. This is helpful in cases where:
- You run a backend service on a Managed Instance Group in Compute Engine and need your app to communicate with this service without exposure to the public internet.
- Your app uses third-party software that you run on a Compute Engine VM.
- You use Memorystore to store data for your App Engine app.
- Your app needs to access data from your on-premises database through Cloud VPN.
With Serverless VPC Access, requests sent from your app to internal IP addresses (as defined by RFC 1918) are routed through a Serverless VPC Access connector to your VPC network. Requests sent to public IP addresses are routed through the internet. Internal IP addresses are only accessible from Google Cloud services, so using them avoids exposing internal resources to the public internet, and also improves the latency of communication between your services.
Serverless VPC Access supports communication to VPC networks connected via Cloud VPN and VPC Network Peering. Serverless VPC Access does not support legacy networks or Shared VPC networks. Serverless VPC Access connectors incur a monthly charge; see Serverless VPC Access pricing for more information.
Connecting to your VPC network
Connecting an App Engine app to your VPC network involves two steps:
- Create a Serverless VPC Access connector.
- Configure your app to use the connector.
A Serverless VPC Access connector must be in the same project and region as the app that uses it, but the connector can send traffic to resources in different regions. Multiple App Engine services can use the same connector. For more information about connectors, including a list of supported regions, see Configuring Serverless VPC Access.
Creating a connector
You can create a connector with the Cloud Console or the gcloud command-line tool.
Console
Enable the Serverless VPC Access API for your project:
Go to the Serverless VPC Access overview page.
Click Create connector.
In the Name field, enter a name for your connector.
In the Region field, select the region where your app is located.
In the Network field, select the VPC network to connect to.
In the IP range field, enter an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.
(Optional) You can control the connector's throughput by setting values in the Minimum throughput and Maximum throughput fields.
Click Create.
A green check mark will appear next to the connector's name when it is ready to use.
gcloud
Update gcloud components to the latest version:
gcloud components update
Enable the Serverless VPC Access API for your project with the command:
gcloud services enable vpcaccess.googleapis.com
Create a connector:
gcloud compute networks vpc-access connectors create CONNECTOR_NAME \
  --network VPC_NETWORK \
  --region REGION \
  --range IP_RANGE
Where:
- CONNECTOR_NAME is a name for your connector.
- VPC_NETWORK is the VPC network to connect to.
- REGION is the region where your app is located.
- IP_RANGE is an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.
Verify that your connector is in the READY state before using it:
gcloud compute networks vpc-access connectors describe CONNECTOR_NAME --region REGION
The output should contain the line state: READY.
If creating a connector results in an error, try the following and re-create your connector:
- Specify an IP range that does not overlap with any existing IP address reservations in the VPC network.
- Grant your project permission to use Compute Engine VM images from the project with ID serverless-vpc-access-images. See Setting image access constraints for information on how to update your organization policy accordingly.
Configuring your app to use a connector
After you have created a Serverless VPC Access connector, you can configure the services in your App Engine app to use the connector. Multiple services can use the same connector.
To connect your connector to a service in your app:
Add the vpc_access_connector section to your service's app.yaml file:
vpc_access_connector:
  name: "projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME"
Where PROJECT_ID is your Google Cloud project's ID, and REGION and CONNECTOR_NAME are the region and name you chose when you created the connector. Note that your connector and app must be in the same region.
Deploy the service:
gcloud app deploy
After you deploy your service, it is able to send requests to internal IP addresses in order to access resources in your VPC network.
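As an added example (not code from this page or from Google's own tooling), the following Python script pre-checks a proposed connector range against the rules above (an unused IPv4 /28 that does not overlap existing reservations), builds the app.yaml vpc_access_connector section while enforcing the same-region requirement, and checks describe output for the state: READY line. The reserved ranges, project and connector names, and the describe output are constructed samples.

```python
import ipaddress
import re

# RFC 1918 private ranges: traffic to these is routed through the connector.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of ranges already reserved in the VPC (subnets, peered ranges, another connector).
EXISTING_RESERVATIONS = ["10.128.0.0/20", "10.8.0.0/28", "192.168.1.0/24"]

# Constructed sample of `gcloud compute networks vpc-access connectors describe` output.
SAMPLE_DESCRIBE = """ipCidrRange: 10.8.1.0/28
name: projects/my-project/locations/us-central1/connectors/my-connector
network: default
state: READY
"""

def validate_connector_range(cidr, existing=EXISTING_RESERVATIONS):
    """Return the problems with a proposed connector range; an empty list means it is usable."""
    try:
        # strict=True rejects host bits, e.g. 10.8.1.1/28 is not a network address
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR network: {exc}"]
    if net.version != 4:
        return ["connector range must be IPv4"]
    problems = []
    if net.prefixlen != 28:
        problems.append("connector range must be a /28")
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append("range is outside RFC 1918 private address space")
    for reserved in existing:
        if net.overlaps(ipaddress.ip_network(reserved)):
            problems.append(f"overlaps existing reservation {reserved}")
    return problems

def app_yaml_snippet(project_id, app_region, connector_region, connector_name):
    """Build the vpc_access_connector section for app.yaml, refusing a cross-region connector."""
    if app_region != connector_region:
        raise ValueError("the connector and the App Engine app must be in the same region")
    name = f"projects/{project_id}/locations/{connector_region}/connectors/{connector_name}"
    return f'vpc_access_connector:\n  name: "{name}"\n'

def is_ready(describe_output):
    """True when the describe output contains the line 'state: READY'."""
    return re.search(r"^state:\s*READY\s*$", describe_output, re.MULTILINE) is not None
```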
Disconnecting your app from a connector
If your app no longer needs to connect to your VPC network, you can disconnect the Serverless VPC Access connector.
To disconnect a service from a connector:
Remove the vpc_access_connector section from your service's app.yaml file.
Re-deploy the service:
gcloud app deploy