need to connect App Engine Std to GCE via internal IP address

[Robert Dyas]

I need to connect App Engine Std (AES) to GCE via an internal IP address.

• Would GAE being issuing request and GCE, responses?  The other way around?  Both?
  
• AES would issue the requests only
• Are requests and responses tightly coupled like HTTP requests/responses or more independent like tasks in task queues reflecting asynchronous requests?
  
• mostly tightly coupled request wait for response (JDBC connection from AES -> GCE)
• if we neeed async, we could build a service on GCE to take a request immeiately and work on it for however long - so not an issue
• What type of scaling would be employed for the App Engine component?  Would the Compute Engine instances also be scaled?
  
• normal AES scaling as now would be fine - our AES product shards amoung server, so no special requirement there
• What solutions have you tried?  Any of the ones posted above?
• our current "solution" is using a GCE external IP - this sucks for a number of reasons 
• 1) the latency between AES and GCE is too high for fast JDBC communication (much, much, much slower than GCE internal ip --> GCE internal ip which is very very fast in our testing... the moment the same requet comes for GAE there is a ton of overhead... and JDBC is very "chatty" in our application)
• 2) we really should use SSL between GAE and GCE since going over external IP, but this makes the problem even worse
• 
  

[Evan Jones]

My understanding is that App Engine Standard can only talk to things that are accessible via a "public" Internet IP address, so I'm not sure I'm going to be able to provide any magic suggestions. However, I will mention that in our experience we can get "reasonable" latency. In particular, we collect application-specific metrics by sending them from our Python App Engine Standard code to compute engine, over an SSL encrypted socket (this is using the socket API directly). The App Engine standard traces show these packet writes taking about ~1-2 ms, but we certainly see that creating a *new* connection is much, much slower. With a connection pool, our application sees reasonable latency.

We also have some things making HTTP requests via the urlfetch API, and again we see "reasonable" latency (although I should check what it actually is, I haven't looked recently).

I have no experience with JDBC on App Engine standard, so I can't really help there.

Good luck,

Evan

[Robert Dyas]

Do you have any idea how much slower creating a new connection is? This is probably our issue.

We don't use connection pooling currently as each user is logged in to the db with their own credentials (ERP type app), but it might be worth exploring if the pooling and driver can handle that. It would be great to know how much slower you found creating the connection is vs write to open connection...

[Evan Jones]

I just took a quick look at the trace viewer for ~5 requests. It looks like sending/receiving data on an existing connection takes around 1-5 ms for the Send and Receive calls.

For creating a new connection: I see times like:

CreateSocket: 3-5 ms

Resolve: 1 ms

Connect: 2-12 ms

... a whole bunch of additional Send/Receives that I assume are due to the fact we use TLS connections, so there is a handshake that is required.

This whole process can take ~200-400 ms; some of which is "our fault" because our server takes some time to execute the TLS handshake (I'm guessing this adds ~50 ms, looking at the traces).

Hope that helps!

[Robert Dyas]

Yep, that helps. Thank you. I also bet that if you ran a test connecting over a 7 day period you would see lots of times where that ~200-400ms becomes ~1,000 to ~2,000+ms. When I run this same test machine-2-machine using the internal IP addresses on GCE, the time is close enough to zero that I don't care. The net difference in our app is a single request (a client can make up to 3 for a complex ERP screen) takes ~400-900ms (open tls connection, all the back and forth) whereas the same thing tested GCE to GCE via intenal ip takes 10ms (with high consistency.). Multiply those numbers by 3x for our biggest customers (most complex apps) and you are looking at ~30ms vs ~2,000mm wait per click (which gets old.) They do tolerate this because they are coming from really nasty systems, but we want to provide the best possible cloud experience.

I really hope someone at Google is monitoring this thread. If we could allocate our GAE std setup to the default GCE network for our project and avoid all this socket overhead it would be a very, very, very good thing.

[Lorne Kligerman]

Hey folks,

I'm glad to report that this is something that we're actively working on!

Nothing to report at the moment on timing but when ready for some testing I'll be sure to send a note here.  Stay tuned!

Cheers,

Lorne.

Product Manager - App Engine

[Robert Dyas]

That's great news! It can't come too soon!

[Robert Dyas]

Question: will the IP address from App Engine Std appear as though its on the internal GCE network? Hopefully yes so that its easy to filter incoming requests as coming from a trusted source or not.

On Sunday, April 23, 2017 at 5:27:25 PM UTC-4, Lorne Kligerman wrote:

[Lorne Kligerman]

More details to come, however we will provide a mechanism to be sure that only your App Engine app can connect to your own GCE VMs.

--
You received this message because you are subscribed to a topic in the Google Groups "Google App Engine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-appengine/d7HR6dY1IZY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-appengine+unsubscribe@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/c8657171-bdc9-4fe0-b381-66495a4b7278%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Robert Dyas]

Yes, but in addition to that consider it a feature request that the incoming IP address from GAE std to GCE will be easily identifiable (or a range). The reason for this is we have some servers that will still be accepting requests over their external IP that will be required to be encrypted, while the internal ones from GAE can come in unencrypted . To do this with MariaDB we need to see the incoming IP address ... so if its something like if its in 10.xxx.xxx.xxx we know its internal, and if not then its external and requires encryption.

To unsubscribe from this group and all its topics, send an email to google-appengi...@googlegroups.com.
To post to this group, send email to google-a...@googlegroups.com.

Visit this group at https://groups.google.com/group/google-appengine.

[Lorne Kligerman]

Understood, thanks for the write up!

To unsubscribe from this group and all its topics, send an email to google-appengine+unsubscribe@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.

Visit this group at https://groups.google.com/group/google-appengine.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/7fb0250e-9d48-4f09-a337-2f3b33608123%40googlegroups.com.