What are the IAM permissions required for an App engine service account to connect with a CloudSQL with Private IP? - google-app-engine

I created a CloudSQL instance with Private IP in the us-central1 region.
The cloud SQL instance is accessible for a Compute Engine VM.
I created a serverless VPC connector in the us-central1 region.
I deployed a cloud-run app with a serverless VPC connector that was able to connect to the CloudSQL instance successfully.
I deployed the same Docker container in my App Engine. Now I am getting a Cloud SQL connection timeout error.
The service account used by my App Engine has the following permissions:
Artifact registry reader
Logs Writer
App Engine deployment config file (app.yaml):
service: demo-app
runtime: custom
env: flex
manual_scaling:
  instances: 1
resources:
  cpu: 1
  memory_gb: 0.5
  disk_size_gb: 10
vpc_access_connector:
  name: projects/<PROJECT_ID>/locations/<REGION>/connectors/sample-connector
service_account: app-engine@<PROJECT_ID>.iam.gserviceaccount.com

Because you use App Engine Flex, you have to specify the network in your configuration. The VPC access connector has no effect here.
If you set the network correctly (the same one your Cloud SQL instance is connected to), simply use the Cloud SQL private IP and access your database directly.

Related

Is Google Cloud VPN only compatible with Compute Engine instances?

Use case: I am managing both GCP infrastructure and local infrastructure and am looking for a way for an app on Google App Engine to send data to/from a MySQL database on the local infrastructure, which is behind a VPN. I've set up and tested a Cloud VPN Gateway and VPC Connector that allows a Google Compute Engine instance to connect to the MySQL database and send and retrieve data.
Per this thread, and my own experimentation, the Google App Engine standard environment cannot currently connect to a local network via Google Cloud VPN directly. I've also been testing Cloud Function and Cloud Run to see if they can connect with the Cloud VPN, and it seems that they also have this limitation.
What I'd like to confirm is that only the Google App Engine flex environment OR a Google Compute Engine instance can connect through Cloud VPN. Google's documentation across all these resources doesn't ever outright say whether any of them can connect to Cloud VPN through a VPC Connector (just that they can connect to GCP networks via VPC Connector), so I'm hoping someone here can corroborate my testing. Additionally, is there any other GCP resource that can make use of this functionality that I've missed?

Can't connect to VM from Google Cloud Function, but can connect from App Engine. Why is this?

Context:
VM Instance is essentially a Bastion host to tunnel into another network for the sake of connecting to a non-GCP hosted database
All 3 resources (Function, Engine, and VM) live within the same GCP project
App Engine uses the internal IP address of the VM
I've tried using the external and internal IP address for Google Cloud Function
Feeding the VM Instance's IP address(es) as the host option when configuring a MySQL connection
Though on App Engine, I'm using the MySQL module within a Node server
On the Cloud Function, I'm using the Python SQLAlchemy URL creation module to create the connection
I've been getting a timeout error from the Google Cloud Function trying to connect, no matter how high I set the connection timeout.
I am able to get it to work from a local environment by:
SSHing into the VM
Setting host as localhost (and the relevant port)
So I've pinpointed it down to the Cloud Function failing to talk to the VM instance?
Cloud Functions requires Serverless VPC access to connect to a VPC private IP address.
A key item to understand is that Private (RFC1918) IP addresses are private. RFC1918 addresses do not route outside their network. The same address can exist in multiple networks and VPCs. You must set up a gateway/proxy/tunnel/connector to access a private IP address from another network.
Google Cloud Functions Connecting to a VPC network
Why is it that it works without a VPC for App Engine but a VPC is required for Cloud Functions?
Which App Engine works (Standard or Flexible)?
App Engine Standard also requires Serverless VPC access to connect to a VPC private IP address. link
For App Engine Flexible, your app is actually deployed on a VM within the VPC. link

Kubernetes - Google App Engine VPC connector

I'm using a VPC to connect my application to a remote database service. With App Engine, I just add the connection string to my app.yaml file:
vpc_access_connector:
  name: projects/ID/locations/europe-west1/connectors/database-connector
But I'm migrating the app to Google Kubernetes Engine, so the app will be deployed in Docker containers.
How can I reconnect to my VPC with GKE?
Best regards
The easiest thing to do is to create/deploy your new GKE cluster on the same VPC as your database service.

Accessing files on FTP server through custom VPN from app deployed on App Engine Flex: doable?

I have the following use case:
Application is deployed on App Engine Flex environment.
Application fetches data from an FTP server on API request.
FTP server can only be accessed through a custom VPN.
Can I access the FTP server from an App Engine Flex environment? If so, what would I need?
Apologies if this is not clear, I am not a network/devOps person.
As a solution, you can connect your on-premises network and application deployed to App Engine Flex via Google Cloud VPN:
Cloud VPN securely connects your peer network to your Google Cloud (GCP) Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway, then decrypted by the other VPN gateway. This protects your data as it travels over the internet.
You can also connect two instances of Cloud VPN to each other.
App Engine Flexible Environment is based on Google Compute Engine and consequently can connect to your remote network via Cloud VPNs. As described in the documentation Configuring your App with app.yaml, you can specify network settings in your app.yaml configuration file:
... app in App Engine is configured using an app.yaml file, that contains CPU, memory, network and disk resources, scaling, and other general settings including environment variables.
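The top answer on this page (Flexible: set the network; the VPC access connector has no effect) and this one (network settings go in app.yaml) reduce to one pre-deploy check, written here as an added example rather than code from either answer. `env`, `network`, `network.name`, `network.subnetwork_name` and `vpc_access_connector.name` are real app.yaml keys; the two sample configurations and the placeholder network names are constructed. It goes slightly beyond the answers by also covering the Standard case, where the connector is the required setting and the `network` block does not apply.

```python
"""Pre-deployment check for the VPC-related settings in an App Engine app.yaml.

Added example; not code from the answers on this page. Rule encoded: an App
Engine Flexible app runs on VMs inside a VPC and gets private-IP reachability
from the `network` block, while `vpc_access_connector` is the App Engine
Standard mechanism and has no effect in Flexible.
"""
from typing import Any


def network_findings(config: dict[str, Any]) -> list[str]:
    """Return problems with the network settings of a parsed app.yaml.
    An empty list means the settings fit the environment the file deploys to."""
    # An app.yaml without an `env` key deploys to the Standard environment.
    env = config.get("env", "standard")
    connector = (config.get("vpc_access_connector") or {}).get("name")
    network = config.get("network") or {}
    findings: list[str] = []

    if env == "flex":
        if connector:
            findings.append(
                "flex: vpc_access_connector has no effect in the Flexible "
                "environment; remove it and configure `network` instead")
        if not network.get("name"):
            findings.append(
                "flex: network.name not set; instances join the project's "
                "default network, which must be the VPC the Cloud SQL "
                "instance's private IP lives on")
        elif not network.get("subnetwork_name"):
            findings.append(
                "flex: network.subnetwork_name not set; needed when the "
                "network is a custom-mode VPC")
    else:
        if "network" in config:
            findings.append(
                "standard: the `network` block is a Flexible-only setting")
        if not connector:
            findings.append(
                "standard: no vpc_access_connector; a Serverless VPC Access "
                "connector is required to reach a private IP")
    return findings


def render_app_yaml(config: dict[str, Any], indent: int = 0) -> str:
    """Render a nested dict of scalars as app.yaml text (two-space indent).
    Kept tiny so the example does not depend on PyYAML."""
    lines = []
    pad = " " * indent
    for key, value in config.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.append(render_app_yaml(value, indent + 2))
        else:
            lines.append(f"{pad}{key}: {value}")
    return "\n".join(lines)


# Constructed: the shape of the asker's file (Flexible + connector, no network).
FLEX_WITH_CONNECTOR = {
    "service": "demo-app",
    "runtime": "custom",
    "env": "flex",
    "vpc_access_connector": {
        "name": "projects/PROJECT_ID/locations/REGION/connectors/sample-connector"},
}

# Constructed: the corrected file with the VPC named explicitly. "default" is a
# placeholder; use the network and subnet the Cloud SQL instance is attached to.
FLEX_CORRECTED = {
    "service": "demo-app",
    "runtime": "custom",
    "env": "flex",
    "network": {"name": "default", "subnetwork_name": "default"},
}

if __name__ == "__main__":
    for label, cfg in (("as deployed", FLEX_WITH_CONNECTOR),
                       ("corrected", FLEX_CORRECTED)):
        print(f"--- {label} ---")
        print(render_app_yaml(cfg))
        for finding in network_findings(cfg) or ["ok"]:
            print("  ", finding)
```

Run it before `gcloud app deploy`; the first configuration reports both the ignored connector and the missing network, the second reports nothing.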

Connecting a Google Cloud App Engine app to its Cloud SQL Instance-allowing database access

I have a Google Cloud project with an app and a Cloud SQL Instance. SQL requests from the app time out. Private IP connectivity is enabled. If I explicitly add the app instances' IPs to the SQL Instance's public authorized networks, it works. This is obviously a bad solution since these IPs change on every deployment. How do I permanently grant access to the app?
Private IP's are only accessible by other services on the same Virtual Private Cloud (VPC). App Engine apps don't currently have access to VPC networks.
Edit: App Engine has recently released Serverless VPC Access, meaning that they can now be configured to connect via Private IP.
App Engine Standard does provide a unix domain socket to interface with Cloud SQL instances. Just tell your app to use the socket at /cloudsql/<INSTANCE_CONNECTION_NAME> (with your instance's connection name), and it should be able to connect. If you are using a cross product or cross regional setup, there are more instructions here.
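The two connection paths named on this page, the Standard environment's Unix socket at /cloudsql/<INSTANCE_CONNECTION_NAME> and the Flexible environment's direct TCP connection to the Cloud SQL private IP, as an added example that is not code from the answer. It assumes a MySQL instance and a PyMySQL/SQLAlchemy-style driver, but imports no driver; it only builds the settings a driver would take. The instance connection name, IP address and credentials are constructed sample values.

```python
"""Cloud SQL connection targets for the two App Engine environments.

Added example, not code from the answer. Standard: the runtime provides a
Unix socket at /cloudsql/<INSTANCE_CONNECTION_NAME>. Flexible: the app runs
on a VM in the VPC and connects to the instance's private IP over TCP.
"""
import ipaddress
from urllib.parse import quote


def parse_instance_connection_name(name: str) -> tuple[str, str, str]:
    """Split PROJECT_ID:REGION:INSTANCE_ID. Domain-scoped project ids carry an
    extra colon (example.com:project), so split from the right."""
    parts = name.rsplit(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not an instance connection name: {name!r}")
    return parts[0], parts[1], parts[2]


def standard_socket_target(instance_connection_name: str, user: str,
                           password: str, database: str) -> dict:
    """App Engine Standard: connect over the socket the runtime mounts."""
    parse_instance_connection_name(instance_connection_name)  # validates format
    return {
        "unix_socket": f"/cloudsql/{instance_connection_name}",
        "user": user, "password": password, "database": database,
    }


def flex_private_ip_target(private_ip: str, user: str, password: str,
                           database: str, port: int = 3306) -> dict:
    """App Engine Flexible: connect to the Cloud SQL private IP over the VPC.
    A public address is rejected on purpose: reaching it would mean adding the
    app's changing egress IPs to authorized networks, which the question above
    describes as unworkable."""
    addr = ipaddress.ip_address(private_ip)
    if not addr.is_private:
        raise ValueError(f"{private_ip} is not a private address")
    return {
        "host": str(addr), "port": port,
        "user": user, "password": password, "database": database,
    }


def sqlalchemy_url(target: dict) -> str:
    """Render a target as a mysql+pymysql URL; credentials are percent-encoded
    so characters like '@' or '/' in a password cannot break the URL."""
    cred = f"{quote(target['user'], safe='')}:{quote(target['password'], safe='')}"
    if "unix_socket" in target:
        # Socket form: empty host, socket path passed as a driver query option.
        return (f"mysql+pymysql://{cred}@/{target['database']}"
                f"?unix_socket={target['unix_socket']}")
    return (f"mysql+pymysql://{cred}@{target['host']}:{target['port']}"
            f"/{target['database']}")


if __name__ == "__main__":
    # Constructed sample values.
    std = standard_socket_target("my-project:us-central1:demo-sql", "app", "p@ss/w", "appdb")
    flex = flex_private_ip_target("10.20.0.5", "app", "p@ss/w", "appdb")
    print("standard:", sqlalchemy_url(std))
    print("flex:    ", sqlalchemy_url(flex))
```

Pass the Standard target's `unix_socket` (or the Flexible target's `host`/`port`) straight to the driver; the URL form is what a SQLAlchemy `create_engine` call takes.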