Connecting to a VPC network

This page shows how to use Serverless VPC Access to connect your App Engine standard environment app directly to your VPC network, allowing access to Compute Engine VM instances, Memorystore instances, and any other resources with an internal IP address.

To use Serverless VPC Access, you must first create a Serverless VPC Access connector to handle communication to your VPC network. After you create a connector, you configure your App Engine services to use the connector.

Creating a Serverless VPC Access connector

For detailed instructions on creating Serverless VPC Access connectors, refer to Creating a connector.

Configuring your app to use a connector

After you have created a Serverless VPC Access connector, you can configure the services in your App Engine app to use the connector.

To specify a connector for a service in your app:

  1. Add the vpc_access_connector section to your service's app.yaml file:

    vpc_access_connector:
      name: CONNECTOR_NAME
    

    Where CONNECTOR_NAME is the name of your connector.

  2. Deploy the service:

    gcloud app deploy
    

After you deploy your service, it is able to send requests to internal IP addresses in order to access resources in your VPC network. To disconnect a service from a VPC network, remove the vpc_access_connector section from the app.yaml file and re-deploy the service.

Connecting to a Shared VPC network

If you have set up Shared VPC, you can connect your app to a Shared VPC network by following these steps:

  1. Create a Serverless VPC Access connector in the Shared VPC host project.
  2. In Shared VPC service projects where you want to deploy App Engine services, enable the Serverless VPC Access API.

  3. Grant permissions for App Engine deployers in service projects to use connectors from the host project:

    Console

    1. Go to the IAM page in the Shared VPC host project.

    2. Click Add.

    3. In the New members field, enter the email address of the user or service account that does App Engine deployments in the service project.

    4. In the Role field, select Serverless VPC Access User.

    5. Click Save. Repeat these steps as necessary for multiple service projects.

    gcloud

    Grant the user or service account that does App Engine deployments in the service project appropriate permissions in the host project:

    gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
    --member DEPLOYER \
    --role roles/vpcaccess.user
    

    Where HOST_PROJECT_ID is the ID of the Shared VPC host project, and DEPLOYER is the email address of the user or service account that does App Engine deployments in the service project. Prefix DEPLOYER with user: or serviceAccount:, depending on the deployer's account type.

    Repeat as necessary for multiple deployers in service projects.

  4. In service projects, when you deploy an App Engine service, specify the fully-qualified name of the host project's connector:

    projects/HOST_PROJECT_ID/locations/CONNECTOR_REGION/connectors/CONNECTOR_NAME
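
To check that the grants made in step 3 stay limited to the intended deployers, the following added example (not part of the original page or of Google's tooling) audits the host project's IAM policy for holders of roles/vpcaccess.user. It assumes the policy was exported with `gcloud projects get-iam-policy HOST_PROJECT_ID --format=json`; the sample policy, account names, and allowlist are constructed for illustration.

```python
import json

ROLE = "roles/vpcaccess.user"
BROAD_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BROAD_PREFIXES = ("group:", "domain:")  # wider than one deployer identity

# Constructed sample of a host-project policy; all names are made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/vpcaccess.user", "members": [
    "serviceAccount:deployer@service-project-a.iam.gserviceaccount.com",
    "user:contractor@example.com",
    "domain:example.com"]},
  {"role": "roles/viewer", "members": ["user:auditor@example.com"]}],
 "etag": "constructed", "version": 1}
""")
# Assumed allowlist: the deployers that were deliberately granted the role.
EXPECTED = [
    "serviceAccount:deployer@service-project-a.iam.gserviceaccount.com",
    "serviceAccount:deployer@service-project-b.iam.gserviceaccount.com",
]


def audit_connector_users(policy, expected_deployers):
    """Return (kind, member) findings for roles/vpcaccess.user bindings."""
    expected = set(expected_deployers)
    findings, seen = [], set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != ROLE:
            continue
        for member in binding.get("members", []):
            seen.add(member)
            if member in BROAD_MEMBERS or member.startswith(BROAD_PREFIXES):
                findings.append(("broad", member))       # not a single identity
            elif member.startswith("deleted:"):
                findings.append(("stale", member))       # account no longer exists
            elif member not in expected:
                findings.append(("unexpected", member))  # not on the allowlist
    # Deployers on the allowlist that cannot use the connector yet.
    findings += [("missing", m) for m in sorted(expected - seen)]
    return findings


if __name__ == "__main__":
    for kind, member in audit_connector_users(SAMPLE_POLICY, EXPECTED):
        print(f"{kind:10} {member}")
```

A "missing" finding means a deployer on the allowlist has not been granted the role in the host project; the other kinds are grants to review or remove.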
    

Next steps