Static IP/Reverse proxy for Standard environment?


Parth Mishra

Jul 27, 2018, 6:09:00 PM
to Google App Engine
I have a standard App Engine service that just uploads images to Google Cloud Storage. However, I need to have some sort of static IP for it in order to facilitate a site-to-site VPN (so it can be whitelisted from the on-prem application). I don't think the standard environment works for this, so would flexible work or would I have to route my incoming traffic through a Compute Engine reverse proxy?

Parth Mishra

Jul 30, 2018, 7:26:45 AM
to Google App Engine
So it seems like Flexible is the only way to do this, but I'm still curious how it works in the case of a Cloud VPN. I can launch the flex instances into a Cloud VPN, and then does the on-premise application still make requests to the https://*.appspot.com endpoint? Or is it IP-based?

George (Cloud Platform Support)

Jul 30, 2018, 3:35:23 PM
to google-a...@googlegroups.com
Hello Mishra, 

Have you considered using Cloud VPN for your purposes? More related detail is to be found on the "Quickstart for Route based Cloud VPN" page.

What is the purpose of uploading images to GCS? How do you plan to use them afterwards? Depending on your actual needs, you may consider using Signed URLs, which provide a way to give time-limited read or write access to anyone in possession of the URL, regardless of whether they have a Google account. You may find information of interest on the "Signed URLs" documentation page.

Parth Mishra

Aug 9, 2018, 8:11:33 PM
to Google App Engine
I don't understand how Cloud VPN works with GAE Flex. I know the instances are launched into my private VPC, but requests from the on-premise servers still use the https://*.appspot.com URL to call my application. Does that mean that resolving the URL requires going outside of the VPN tunnel to do a DNS lookup?


On Monday, July 30, 2018 at 3:35:23 PM UTC-4, George (Cloud Platform Support) wrote:
Hello Mishra, 

Have you considered using Cloud VPN for your purposes? More related detail is to be found on the "Quickstart for Route based Cloud VPN" page.

What is the purpose of uploading images to GCS? How do you plan to use them afterwards? Depending on your actual needs, you may consider using Signed URLs, which provide a way to give time-limited read or write access to anyone in possession of the URL, regardless of whether they have a Google account. You may find information of interest on the "Signed URLs" documentation page.

George (Cloud Platform Support)

Aug 10, 2018, 11:29:44 AM
to Google App Engine
Hello Mishra, 

You seem to look at your instances as endpoints for a Cloud VPN connection. In fact, Cloud VPN securely connects your on-premises network to your Google Cloud Platform (GCP) Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway, then decrypted by the other VPN gateway. Your instances do not contribute to the VPN connection without intermediary, so the two mentioned gateways are in charge of resolving the URL. As a consequence, Cloud VPN supports both dynamic routes that use Cloud Router, and static routes, to manage traffic between your Compute Engine Virtual Machine (VM) instances and your existing infrastructure. 