App Engine connectivity questions

This page contains answers to common App Engine connectivity questions, including questions related to using Serverless VPC Access and internal IP addresses.

Set up inbound connectivity from VPC to App Engine instances using an internal IP address

This scenario can be encountered when you want to connect to an App Engine instance using an internal (private) IP address. Serverless VPC Access is useful for making calls from Google's serverless offerings into the Virtual Private Cloud (VPC) network; however, it does not provide a way to access App Engine instances on internal IP addresses.

In this scenario, you can use one of the following options:

  • Set up Private Google Access, which allows VPC resources without external (or public) IP addresses to access the public IP addresses of the App Engine service.
  • Use Private Service Connect for Google APIs, which allows VPC resources to call App Engine using an internal IP address.

The flexible environment does not support virtual machines with internal IP addresses only

This scenario might be encountered if you are attempting to deploy an App Engine flexible environment application in a Shared VPC network, and you want to add a route to the VPC network so that the flexible environment instances can be routed to the internet avoiding the route 0.0.0.0/0.

This approach should be avoided because the App Engine flexible environment currently does not support virtual machines with internal IP addresses only.

As documented in the internet access requirement for VPC networks, the network must have a valid default internet gateway route or custom route whose destination IP range is the most general (0.0.0.0/0). If you remove this setting, it could cause deployment or serving failures.

Connect App Engine to Cloud SQL internal IP addresses

This scenario may be encountered when you want to connect from App Engine standard environment or App Engine flexible environment apps to Cloud SQL instances over private IP addresses.

In this scenario, create a connection using one of the following options:

Customize access permissions between App Engine services

This scenario can be encountered when you have multiple App Engine services and want to configure access permissions differently between services (for example, you want to enable access to App Engine Service A only from App Engine Service B).

In this scenario, you can use App Engine with Identity-Aware Proxy (IAP) to make only some of the services publicly accessible while keeping others protected. To learn more, you can see the Centralize access to your organization's websites with IAP video and refer to the IAP documentation.