communication between GAE and GKE - google-app-engine

I need some help with communication between GAE and GKE.
I have:
- a golang application deployed on GAE, region europe-west2.
- an Elasticsearch cluster on GKE, region europe-west1-d.
The GKE service has the annotation:
cloud.google.com/load-balancer-type: Internal
I would like to connect the two. How do I do that? The goal is for a GAE microservice to be able to send requests to ES.
I created 2 VPC networks and paired them.
I am using GAE flex to specify the network and subnetwork.
What's wrong? Is it not possible?

The internal load balancer you are using to expose the GKE service can only be accessed within the same region and network (peered network and VPNs are fine).
GAE normally does not get deployed within a network in your project.
However, based on your comment, it seems you are using App Engine Flex. Make sure the GAE Flex instance is created in the same region as your GKE cluster and that they are either in the same network or are using Peered networks.

Related

Can a private on-premise network access GAE Flex via Cloud VPN?

I was wondering if a site-to-site VPN setup like the one in this diagram is possible:
From the diagram, I could access the internal IPs of the GAE Flex instances that are launched in the VPC from the on-premise server, but I don't think I could invoke a *.appspot.com URL without needing to go outside of the tunnel, correct?
The on-premise network can only whitelist IP ranges for external HTTPS access but it seems like GAE can't support such a configuration?
Is this kind of setup only possible by setting up a GCE reverse proxy? If that's the case, would I just be better off deploying my application as a Kubernetes cluster?
So I did an experiment that revealed several things about this setup, in case anyone is interested in this in the future:
In the above diagram, under the assumption that the on-premise instances are in a private subnet with no external IP, they can reach app engine instances via their internal IP.
Just because they can reach the App Engine flexible instances via their internal IP, this doesn't mean that they can then be port forwarded to invoke your function.
The only real use case for App Engine flex working with Cloud VPN is if you need the App Engine instances to be able to reach either your private cloud and/or on-premise instances i.e. going from right to left in the above diagram.

Connect to kubernetes engine from app engine

We want to use an app engine flexible process to update our ElasticSearch index, which is on Google Kubernetes Engine. We need to connect to ElasticSearch via a http(s) address. What's the recommended way to do this? We don't want to expose the cluster to the external networks since we don't have authentication in front of it.
I've seen this SO post but both k8s and AE have changed a lot in the 2 years since the question/answer.
Thanks for your help!
The post you linked to was about App Engine Standard. App Engine Flex is built on top of the same Google Cloud networking that is used by Google Compute Engine virtual machines and Google Kubernetes Engine clusters. As long as you put the App Engine flex application into the same VPC as the Google Kubernetes Engine cluster you should be able to communicate between them using internal networking.
On the other hand, to expose a Kubernetes service to anything running outside of the cluster will require you to modify the service for Elastic search because by default Kubernetes services are only reachable from inside of the cluster (due to the way that the service IPs are allocated and reached via IPTables magic). You need to "expose" the service, but rather than exposing it to the internet via an external load balancer, you expose it to the VPC using an internal load balancer. See https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing.
In addition to Robert's answer, make sure that App Engine and GKE are in the same region,
because internal load balancers are not usable from other regions.
Check this: https://issuetracker.google.com/issues/111021512
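The setup these answers describe, as an added example that is not part of the original posts: the Elasticsearch Service exposed through an internal load balancer, and the App Engine flex app.yaml attached to the same VPC. The network and subnetwork names, the CIDR, the service name and the labels are placeholder assumptions; loadBalancerSourceRanges is added because the question states that the cluster has no authentication in front of it.

```yaml
# --- es-internal-service.yaml (apply with kubectl apply -f) ---
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch-internal          # hypothetical service name
  annotations:
    # Annotation quoted on this page: request an internal (VPC-only)
    # load balancer instead of an internet-facing one.
    cloud.google.com/load-balancer-type: "Internal"
spec:
  type: LoadBalancer
  # Restrict the load balancer's allowed client range to the subnet
  # the App Engine flex instances are placed in.
  loadBalancerSourceRanges:
    - 10.10.0.0/24                      # placeholder: CIDR of es-subnet
  selector:
    app: elasticsearch                  # placeholder pod label
  ports:
    - name: http
      port: 9200                        # Elasticsearch default HTTP port
      targetPort: 9200
---
# --- app.yaml (App Engine flexible; only the networking keys matter here) ---
runtime: go                             # assumed runtime
env: flex
network:
  # Same VPC as the GKE cluster (or a network peered with it).
  name: es-vpc                          # placeholder network name
  # Subnets are regional: this one has to exist in the App Engine app's
  # region, which must also be the region of the GKE cluster for the
  # internal load balancer to be reachable, as the answers above note.
  subnetwork_name: es-subnet            # placeholder subnetwork name
```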

Connect App on App Engine to cluster running on GKE

I have an app running on GAE and I have a database running on Google Kubernetes Engine. I have successfully tested the working database by forwarding a port with kubectl port-forward pod-name 3001:3001 and confirmed that it is working.
But my application cannot connect to it. I thought all apps within a project on Google Cloud can access via localhost. Is that not true?
If not, then how do I connect my app on GAE to my database on GKE?
There are two ways:
A regular LoadBalancer which opens up the cluster to the public internet.
The other way is to use an internal LoadBalancer which only opens the traffic within google cloud.
Now, whether it opens it across the entire Gcloud network, just your projects or even just the one project is not clear to me. The docs were not clear in that regard either.
Maybe someone from Google Cloud team can help me here.
To convert a LoadBalancer service to an internal LoadBalancer service, we add the following annotation:
annotations:
  cloud.google.com/load-balancer-type: "Internal"
Run kubectl apply and then, after a minute or so, kubectl get services. You'll see an external IP address added to your service. The IP will be accessible to other apps on Gcloud, but not from the public internet.

Is there a way to deploy internal facing applications in Google App Engine?

Is there a way to deploy "internal facing" applications in Google App Engine. AWS offers this capability as explained here and so does Azure as explained here.
What is the GCP equivalent for this? It appears App Engine Flexible Environment could be the answer but I could not find a clear documentation on whether Flexible Environment is indeed the way to host intranet facing applications. Is there someone from GCP who can advise?
Update
I tested the solution recommended by Dan recently. Listed below are my observations:
App Engine Flex allows deploying to a VPC and this allows VPN scenarios. The VPN scenarios, however, are for connections (originating) from App Engine to GCP VPCs or to other networks outside GCP, which can be on-prem or in another cloud.
Access (destined) to the app itself from a GCP or another network is always routed via the internet facing Public IPs. There is no option to access the app at a private IP at the moment.
If there's another update, I will update it here.
Update 28Oct2021
Google has now launched Serverless Network Endpoint Groups (NEGs). With this, users can connect AppEngine, Cloud Run & Cloud Function endpoints to a LoadBalancer. However, at the moment, you can only use Serverless NEGs with an external HTTP(S) load balancer. You cannot use serverless NEGs with regional external HTTP(S) load balancers or with any other load balancer types. Google documentation for Serverless NEGs is available here.
I'm not sure this meets your requirements, but it's possible to set up an App Engine Standard application (not certain about Flexible) such that it is only accessible to users logged into your G-Suite domain. This is the approach I've used for internal-facing applications in the past, but it only applies if your case involves an entity using G-Suite.
You can set this up under the App Engine application Settings, under Identity Aware Proxy.
In this scenario the application is still operating at a publicly accessible location, but only users logged into your G-Suite domain can access it.
It should be possible with the GAE flexible environment. From Advanced network configuration:
You can segment your Compute Engine network into subnetworks. This
allows you to enable VPN scenarios, such as accessing databases within
your corporate network.
To enable subnetworks for your App Engine application:
Create a custom subnet network.
Add the network name and subnetwork name to your app.yaml file, as specified above.
To establish a VPN, create a gateway and a tunnel for a custom subnet network.
The standard env GAE doesn't offer access to the networking layer to achieve such a goal.

How do I make app engine flexible to connect to container engine via internal IP

I am trying to configure App Engine Flexible to talk to Container Engine.
It appears that App Engine Flexible is just a container engine that is deployed with some automatic features. And by default, it uses network "default".
For container engine, it is also deployed within network "default".
And I followed the instructions from https://cloud.google.com/container-engine/docs/internal-load-balancing
to configure an internal load balancing IP for the Kubernetes cluster.
I then checked my appengine instance IP through SSH. The IPs are obviously in the same subnet but I am still unable to access it. However, using external IP is totally fine.
According to: https://cloud.google.com/compute/docs/vpc/
A VPC network is a virtual version of the traditional physical
networks that exist within and between physical data centers. A VPC
network provides connectivity for your Compute Engine virtual machine
(VM) instances, Container Engine containers, App Engine Flex services,
and other network-related resources.
So I assume this should work? Any suggestion is greatly appreciated. Thanks in advance!
