Clarifying App Engine, custom VPCs, and VPNs


Mark Drummond

Oct 24, 2018, 3:53:29 PM
to Google App Engine
Hello everyone. I am trying to understand the interaction of App Engine apps, custom VPCs, and VPNs. After much googling and document reading I still don't have a clear picture here.
  1. Can an App Engine Flexible app use a custom VPC?
  2. Can an App Engine Flexible app use a shared VPC defined in another project?
  3. Can an App Engine Flexible app use a Cloud VPN connection?
  4. Can an App Engine Flexible app use a Cloud VPN connection set up in another project?
    1. If so, is that implemented with a shared VPC or peered VPCs?
As you might guess, I'm wondering whether my App Engine Flexible apps can communicate back to our head office over VPN, and if so how that is implemented. Initial thought was peered VPCs to a VPC that has an attached VPN but I found at least one note indicating that is not possible. Next thought was a shared VPC but found at least one note that said that would not work either (specifically with App Engine).

- Mark


Dan S (Cloud Platform Support)

Oct 25, 2018, 11:37:02 PM
to Google App Engine
Hello Mark, 

I'm studying your questions and I will answer by tomorrow.  

Dan S (Cloud Platform Support)

Oct 26, 2018, 10:51:38 PM
to Google App Engine

Can an App Engine Flexible app use a custom VPC?

> You should be able to use a VPC with App Engine Flex, as you can check in the following documentation[1]. You can configure the network instance access by following the setup documentation[2].


Can an App Engine Flexible app use a shared VPC defined in another project?

> Unfortunately, it is not possible to share a VPC, and you can confirm this limitation in the following section[3].

“In a service project, App Engine Flexible resources cannot participate in Shared VPC.”


Can an App Engine Flexible app use a Cloud VPN connection?

> Yes, since the App Engine flex uses the Compute Engine structure, you’re allowed to implement a VPN connection. You can find more details regarding the VPN connections in the following documentation[4], and the differences between App Engine Flex and Compute Engine in the following[5].


Can an App Engine Flexible app use a Cloud VPN connection set up in another project? If so, is that implemented with a shared VPC or peered VPCs?

> Yes, you can provide a connection between two App Engine applications or projects by using VPC peering, as you can confirm in the following[6].


I hope that makes things clearer for you. In the meantime, if you have any additional comments, questions, or concerns about your issue don’t hesitate to reply as I would be happy to help you.


[1] https://cloud.google.com/vpc/docs/vpc

[2] https://cloud.google.com/appengine/docs/flexible/nodejs/reference/app-yaml#network_settings

[3] https://cloud.google.com/vpc/docs/shared-vpc#ineligible_resources

[4] https://cloud.google.com/vpn/docs/concepts/overview

[5] https://cloud.google.com/appengine/docs/the-appengine-environments#comparing_the_flexible_environment_to_compute_engine

[6] https://cloud.google.com/vpc/docs/vpc-peering#key_properties




Mark Drummond

Oct 27, 2018, 6:05:48 PM
to Google App Engine
Thanks Dan! Great info, and answers my questions.

Just to clarify on the last question and your response, I understand that you can peer VPCs, but I don't believe you can share a VPN this way. E.g.,
  • Project A VPC is peered to Project B VPC
  • Project B has a VPN
  • Project A cannot access the VPN via the peered VPC connection
From the last link you sent:
  • Only directly peered networks can communicate. Transitive peering is not supported. In other words, if VPC network N1 is peered with N2 and N3, but N2 and N3 are not also directly connected, VPC network N2 cannot communicate with VPC network N3 over the peering.

So for now it looks like I need to run a Cloud VPN connection to every project that needs VPN, since you cannot route to a VPN over peered VPCs, and App Engine Flexible environments cannot use shared VPCs at this time.

David (Google Cloud Support)

Oct 29, 2018, 5:51:10 PM
to Google App Engine

Hello Mark,


Yes, that is correct, as this document states:


“The following types of endpoints/resources are NOT propagated to directly peered networks:
- Static routes
- VPNs”


You would need to set up Cloud VPN connections to every project that needs a VPN.
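One way to verify the conclusion above in your own projects, as an added example that is not part of this thread: the script below applies longest-prefix route selection to route records in the shape returned by `gcloud compute routes list --format=json` and reports whether a network has a private (non-internet-gateway) path to the head-office range. The sample records, project names and network names are constructed; a network that is merely peered to the VPN-owning network sees only that network's subnet routes and falls through to its default route.

```python
"""Check which VPC networks hold a private route to an on-premises range."""
import ipaddress

# Constructed sample in the shape of the Compute Engine route resource
# (what `gcloud compute routes list --format=json` returns). project-b owns
# the Cloud VPN tunnel to head office; project-a is only peered to project-b.
SAMPLE_ROUTES = [
    {"name": "hq-via-vpn", "network": "projects/project-b/global/networks/vpc-b",
     "destRange": "10.50.0.0/16", "priority": 1000,
     "nextHopVpnTunnel": "projects/project-b/regions/us-east1/vpnTunnels/hq"},
    {"name": "peering-route-b-subnet", "network": "projects/project-a/global/networks/vpc-a",
     "destRange": "10.20.0.0/20", "priority": 0, "nextHopPeering": "peer-to-b"},
    {"name": "default-route-a", "network": "projects/project-a/global/networks/vpc-a",
     "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": "projects/project-a/global/gateways/default-internet-gateway"},
]

NEXT_HOP_FIELDS = ("nextHopVpnTunnel", "nextHopPeering", "nextHopGateway",
                   "nextHopInstance", "nextHopIp", "nextHopIlb", "nextHopNetwork")


def next_hop_kind(route):
    """Name of the next-hop field set on a route, e.g. 'nextHopVpnTunnel'."""
    return next(k for k in NEXT_HOP_FIELDS if k in route)


def select_route(routes, network, target):
    """Route in `network` that would carry traffic to `target` (IP or CIDR).

    Longest matching prefix wins, then the lowest priority value; a route
    only qualifies if its destRange fully contains the target. Returns None
    if nothing in the network covers the target at all."""
    want = ipaddress.ip_network(target, strict=False)
    covering = [r for r in routes
                if r["network"].rsplit("/", 1)[-1] == network
                and want.subnet_of(ipaddress.ip_network(r["destRange"]))]
    if not covering:
        return None
    return max(covering, key=lambda r: (
        ipaddress.ip_network(r["destRange"]).prefixlen, -r["priority"]))


def has_private_path(routes, network, target):
    """True only if the selected route leaves over a VPN tunnel, peering,
    ILB or similar; a fall-through to the default internet gateway means
    the network has no private path to the range."""
    route = select_route(routes, network, target)
    return route is not None and next_hop_kind(route) != "nextHopGateway"
```

Running `has_private_path(SAMPLE_ROUTES, "vpc-a", "10.50.0.0/16")` returns False while the same call for `vpc-b` returns True, which is exactly the asymmetry Mark describes.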


Mark Drummond

Oct 30, 2018, 9:05:21 AM
to Google App Engine
Thanks David!