connect Google App Engine and Google Compute Engine

Question

I created a VM instance in Googl Compute Engine and app in Google App Engine standard environment. I was planning to have my app in App Engine and my database server in Compute Engine. But, I can't connect between the both by internal IP. Is this possible? the app and db are in the same zone (us-east1) but the connection by IP don't work, only work with external IP. Apparently, the rules of firewall are correct.

Answer 1

As of April 9, 2019, you can use the serverless VPC connector.

This will allow your App Engine application to connect to other internal resources in your VPC network on the Google Cloud Platform, such as Compute Engine VM instances, Cloud Memorystore instances, and any other resources with an internal IP address.

To create a connector:

$ gcloud services enable vpcaccess.googleapis.com
$ gcloud beta compute networks vpc-access connectors create CONNECTOR_NAME \
--network VPC_NETWORK --region REGION --range IP_RANGE
$ gcloud beta compute networks vpc-access connectors describe CONNECTOR_NAME --region REGION

Note: You can see which IP ranges are currently reserved in the Google Cloud Platform Console. You can choose any unused CIDR /28 IP range to use for your connector, for example, 10.8.0.0/28.

$ gcloud beta compute networks vpc-access connectors create my-vpc-connector \
--region=us-central1 --range=10.8.0.0/28
Create request issued for: [my-vpc-connector]
Waiting for operation [xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx] to complete...done.  
Created connector [my-vpc-connector]

To connect your connector to a service add this to your service's app.yaml file:

vpc_access_connector:
  name: "projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME"

Deploy the service:

$ gcloud beta app deploy

Note: To use Serverless VPC Access, make sure you use gcloud beta to deploy your service. You can get access to beta commands by running gcloud components install beta.

After you deploy your service, it is able to send requests to Internal IP addresses or DNS Names in order to access resources in your VPC Networks. In case any trouble please allow about one hour or more to let the connectors are propagated completely in the GCP Global Networks.

Answer 2

For connecting through a private IP you need that the app and DB will be in the same network. You can't achieve that with app engine standard, you need app engine flex for this (see here how to set the network of your app engine flex instances)

Answer 3

You will have to connect using the external IP address of the service running on your Compute Engine instance. App Engine standard environment is on a different network than the Compute Engine instances and don't have private IP access to each other currently. Switching to an application (or service of an application) on the flexible environment might work for you if the costs associated make sense.