Is Google Cloud VPN only compatible with Compute Engine instances? - google-app-engine

Use case: I am managing both GCP infrastructure and local infrastructure and am looking for a way for an app on Google App Engine to send data to/from a MySQL database on the local infrastructure, which is behind a VPN. I've set up and tested a Cloud VPN Gateway and VPC Connector that allows a Google Compute Engine instance to connect to the MySQL database and send and retrieve data.
Per this thread, and my own experimentation, the Google App Engine standard environment cannot currently connect to a local network via Google Cloud VPN directly. I've also been testing Cloud Function and Cloud Run to see if they can connect with the Cloud VPN, and it seems that they also have this limitation.
What I'd like to confirm is that only the Google App Engine flex environment OR a Google Compute Engine instance can connect through Cloud VPN. Google's documentation across all these resources doesn't ever outright say whether any of them can connect to Cloud VPN through a VPC Connector (just that they can connect to GCP networks via VPC Connector), so I'm hoping someone here can corroborate my testing. Additionally, is there any other GCP resource that can make use of this functionality that I've missed?

Related

Connect Google App Engine to an IPsec Tunnel

I'm not an expert in networking so excuse the bad wording.
I have a Google App Engine service running in Google Cloud (Standard environment). I need this service to access a VPN (i.e. IP addresses in that VPN setup). How can I set this up with an IPsec tunnel? I've looked a bit at Google VPN, but it mostly seems to cover how to set up a VPN server. I want to be the client to an external VPN network so my App Engine service can access computers on that VPN.
Thanks
As other members have pointed out, there is no direct way to connect a GAE Standard service to a resource inside an external, on-premises VPN. However, there are some approaches.
There is a feature called Serverless VPC Access that allows GAE Standard to connect to other Google Cloud resources through an internal IP, but here is the interesting part:
Serverless VPC Access supports communication to VPC networks connected via Cloud VPN
Looking at the tutorial on Connecting to a VPC network, it is mentioned something similar to what I understood you are trying to achieve:
Your app needs to access data from your on-premises database through Cloud VPN.
The first step, I would say, is to connect your VPN to Cloud VPN. Since I'm not an expert in those matters, I'd suggest you take a look at its documentation.
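As an added example (not part of the answer above), this is what the app side of that setup looks like for an App Engine standard service once a Serverless VPC Access connector exists in the app's region, attached to the VPC that terminates the Cloud VPN tunnel. The project ID, region, connector name and on-premises address are placeholders; the connector itself is created separately (gcloud compute networks vpc-access connectors create) with a /28 range that does not overlap any on-premises range.

```yaml
# app.yaml for an App Engine standard service (added example, not from the answer).
# Assumes a Serverless VPC Access connector named "onprem-connector" already
# exists in REGION on the VPC that holds the Cloud VPN gateway.
# PROJECT_ID, REGION, the connector name and DB_HOST are placeholders.
runtime: python39
service: default

vpc_access_connector:
  name: projects/PROJECT_ID/locations/REGION/connectors/onprem-connector
  # Default is private-ranges-only: only RFC 1918 destinations are sent through
  # the connector. Use all-traffic when the on-premises ranges reached over the
  # tunnel are not RFC 1918, or to force every egress packet onto the VPC.
  egress_setting: all-traffic

env_variables:
  # On-premises MySQL host behind the Cloud VPN tunnel (placeholder address).
  DB_HOST: "10.20.30.40"
  DB_PORT: "3306"
```

Two checks worth doing before blaming App Engine: traffic leaving through the connector is sourced from the connector's /28 range, not from any App Engine address, so the on-premises side needs a return route for that /28 (static route on the tunnel, or advertised over BGP on an HA VPN) and its firewall must allow those source addresses; and the VPC firewall must allow egress from the connector range to the on-premises range. If a Compute Engine VM on the same VPC can reach the database but the standard service cannot, one of those two is almost always the missing piece.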

Accessing files on FTP server through custom VPN from app deployed on App Engine Flex: doable?

I have the following use case:
Application is deployed on App Engine Flex environment.
Application fetches data from an FTP server on API request.
FTP server can only be accessed through a custom VPN.
Can I access the FTP server from an App Engine Flex environment? If so, what would I need?
Apologies if this is not clear, I am not a network/devOps person.
As a solution, you can connect your on-premises network and application deployed to App Engine Flex via Google Cloud VPN:
Cloud VPN securely connects your peer network to your Google Cloud (GCP) Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway, then decrypted by the other VPN gateway. This protects your data as it travels over the internet. You can also connect two instances of Cloud VPN to each other.
App Engine Flexible Environment is based on Google Compute Engine and consequently can connect to your remote network via Cloud VPNs. As described in the documentation Configuring your App with app.yaml, you can specify network settings in your app.yaml configuration file:
... app in App Engine is configured using an app.yaml file, that contains CPU, memory, network and disk resources, scaling, and other general settings including environment variables.

Connect App-Engine app to other Google Cloud Instances - VPN or similar needed? / DNS possible?

We plan to use App Engine for our Node.js REST API, which will serve content for our customers. The data will come from a MongoDB cluster (or replica set), which will also be hosted on Google Cloud. Some of the content might be cached using the Memcache of App Engine.
Now my question. Is it necessary to set up a kind of VLAN or similar to connect to the DB server? How can we assure that the DB server is connected with good bandwidth/latency to the App Engine instances? Or is this no matter of concern at all?
Another question, does Google Cloud have a kind of internal DNS, which can be used? So for example that we have a domainname like "ourmongodb.internal" which can be used in connection string of our REST API? Or how is the most recent approach to connect to our DB server instance?
If you use App Engine Flex you can set up your Node.js App Engine server and the GCE VMs that run the MongoDB cluster in the same network and then connect them both in the internal IP space.
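The FTP-over-VPN answer above and this one rely on the same mechanism, so one added example (not code from either answer) covers both: the `network` block of a flexible environment app.yaml places the service's VMs on a VPC and subnet you control, so they inherit that VPC's routes (including a Cloud VPN tunnel's) and reach other VMs by internal IP. The VPC, subnet, tag, zone, project and hostnames are placeholders. Compute Engine's internal DNS already resolves a VM as INSTANCE.ZONE.c.PROJECT_ID.internal, which answers the "ourmongodb.internal" question without any extra DNS setup.

```yaml
# app.yaml for an App Engine flexible environment service (added example,
# not from the answers above). VPC, subnet, tag, zone and project are placeholders.
runtime: nodejs
env: flex

network:
  name: backend-vpc            # VPC the MongoDB VMs (or the Cloud VPN gateway) live in
  subnetwork_name: backend-eu  # subnet in the app's region; this VPC's routes,
                               # including Cloud VPN tunnel routes, apply to the VMs
  instance_tag: api-flex       # target the Flex VMs in VPC firewall rules, e.g.
                               # allow tcp:27017 from tag api-flex to tag mongodb

env_variables:
  # Compute Engine internal DNS names: INSTANCE.ZONE.c.PROJECT_ID.internal
  MONGO_URI: "mongodb://mongo-1.europe-west1-b.c.my-project.internal:27017,mongo-2.europe-west1-b.c.my-project.internal:27017/app?replicaSet=rs0"
```

Keep the subnet in the same region as the App Engine app, and scope the firewall rule to the instance tag rather than to the whole subnet, so only the API VMs (not every VM on the VPC) can open the database port. To confirm the path, `gcloud app instances ssh` onto a Flex instance and connect to the internal name; if that works but the app does not, the problem is in the app, not the network.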

Google App Engine authorization to Google Cloud SQL Instance (Second Generation)

When trying to connect my Google App Engine to my Google Cloud SQL Instance (Second Generation), I cannot find the "...Authorized App Engine applications section..." (https://cloud.google.com/appengine/docs/php/cloud-sql/#PHP_Build_a_starter_application_and_database).
Am I just blind, or does this not exist anymore?
If it doesn't exist, how does one connect a Google App Engine to a Google Cloud SQL (Second Generation)?
Please review the limitations of Google Cloud SQL Second Generation.
Because Cloud SQL Second Generation instances are in beta, the following features are not available:
Service Level Agreement (SLA)
MySQL 5.5
MySQL 5.6 is supported.
Google App Engine connectivity. Connectivity is supported for other clients, including Compute Engine, Managed VMs, Container Engine, and your workstation.
....
I'd like to mention that although Google App Engine connectivity is not yet supported for Cloud SQL Second Generation the way it is supported for Cloud SQL 1st Gen, this doesn't mean that you cannot use Cloud SQL 2nd Gen with your App Engine applications.
You can use the access control model described in this article, as used for other applications. Since the IP address of your App Engine application will not be a static address, you will need to authorize the 0.0.0.0/0 IP range as an allowed network and use the "Allow only SSL connections" feature of Cloud SQL to allow only SSL connections. Configure SSL, generate keys and a client certificate for your application, and establish secure connections using SSL.
Right now, App Engine cannot be used with Cloud SQL Gen2. It should be possible once Cloud SQL Gen2 graduates to General Availability, but right now, if you need to use it with App Engine, you'll need to stick with Cloud SQL v1.

Appengine to MySQL Database hosted in Compute Engine

Does anybody know if it is possible to connect an application on App Engine to a MySQL database hosted in Compute Engine?
I'm trying to do this with Python and I get this error:
Can't create TCP/IP socket (-1)
I'm using the SQLAlchemy ORM, which uses the following configuration (the `@` between the user and the host is the MySQL URL separator):
create_engine('mysql+mysqldb://root@ip/database')
Locally it works, but when I deploy the application to App Engine it doesn't work.
Thanks
Google App Engine, by default, runs code in a sandboxed environment, meaning that certain aspects of the Python runtime environment are restricted, or respond differently than they would otherwise. One of these aspects is outbound network connectivity—while GAE supports sockets, there are certain restrictions, and sockets are only available for paid apps.
The recommended options for storing information in a GAE app include the App Engine Datastore, Google Cloud SQL, and Google Cloud Storage. Google Cloud SQL is MySQL, and works with SQLAlchemy, so that's probably your best option.
If you absolutely need to run your own MySQL server (rather than using Google Cloud SQL) and connect to it from a GAE app, the other option is to use the managed VM environment, which permits unrestricted network access (since it's essentially a Google Compute Engine VM with the App Engine runtime on top).
