AppEngine/Managed VM and VPN

Piotr Krzepczak

Dec 19, 2015, 10:37:57 AM
to Google App Engine
I have an app currently running in the sandboxed Google AppEngine.
One of the modules has to have a VPN connection to the external VPN gateway.
I wanted to use the Google Cloud VPN for this but I believe that I can't set it up as I do not have an IP address given at the app engine side.

Given my requirement, is it better to move this particular module to the Managed VM?
Is it possible to set up VPN using Managed VM?

If not, what are other ways of tackling this problem?

Thanks

Nick (Cloud Platform Support)

Dec 21, 2015, 4:54:08 PM
to Google App Engine
You'll need a static IP on the machine making the connection, and the machine must be able to make the connection. Given that this is a low level network task, you'll need to use Managed VMs or Compute Engine, rather than App Engine, yes. For Compute Engine, you can set a static IP address. In Managed VMs, once the VM is switched to "User Managed", this is also possible, although I believe the address will be voided on restart of the instance - you may want to check this.

There is currently a Public Issue Tracker issue with feedback which seems to suggest that the ability to pin static IP addresses to Managed VMs may be changing, in fact. It might be worth making a feature request which specifically mentions that PIT issue and which represents a feature request to clarify that static IPs on Managed VMs are desired.

If the Beta nature of Managed VMs is not desirable, I'd suggest just making the VPN connection through a regular Compute Engine instance. 

Piotr Krzepczak

Dec 30, 2015, 5:10:48 AM
to Google App Engine
Thanks a lot, that clarified it. I followed your suggestion regarding the feature request.

One more question on this subject though...
If I make the VPN connection through a regular Compute Engine, is it possible to securely forward all the incoming traffic to one of the GAE modules?
To be more precise, once the request arrives via VPN I would like to do the protocol forwarding from the Compute Engine VM to the GAE.
This way I could keep the main logic in the scope of the GAE and make the Compute Engine VM a thin layer with no or very little logic.
I'm not sure though if that is possible and secure in the sense of not exposing the request/response to the outside world (outside of Google's network).

Nick (Cloud Platform Support)

Dec 30, 2015, 5:32:27 PM
to Google App Engine
You'd need a static IP which could receive protocol forwarding. App Engine modules don't generally work that way. A pool of Managed VMs could report their IPs to your GCE "front-end" instance and be available for protocol forwarding that way, however. You could also group the Managed VM instances behind an HTTP load-balancer.

Piotr Krzepczak

Dec 31, 2015, 5:31:36 AM
to Google App Engine
Clear, thanks.
The very last question: if I make a request from the Compute Engine VM to the App Engine module, which are in the same application, will this request be routed within the application's private network/LAN or will it go via the Internet somehow?
I guess till managed VMs are in beta I could use a Compute Engine VM to take care of the VPN connection and, with some minimal logic, forward requests to the App Engine modules.
I would have to make sure, though, that this stays within the private network and does not break the safety contract provided by the VPN.

Nick (Cloud Platform Support)

Dec 31, 2015, 3:36:12 PM
to Google App Engine
The HTTP Load Balancer routes your requests within our infrastructure, and the same is true of TCP traffic from one instance IP to another, even if targeting the public IP. So regardless of the method chosen, your requests will be secure and won't reach the internet. 