The documentation from Google is not really clear about it.
Here ( https://cloud.google.com/compute/docs/vpn/overview ) it says
Google Cloud VPN securely connects your existing network to your Google Cloud Platform (GCP) network through an IPsec VPN connection
Considering that Both Google App Engine (GAE) and Google Compute Engine (GCE) are part of Google Cloud Platform (GCP), it would mean that Google Cloud VPN works for both GAE and GCE.
Also, the section for Cloud VNP is at the same level than GAE and GCE in the project console :
But the documentation is located in /compute/docs which should not obviously be compatible with /appengine/docs
And here is a graph describing the tunnel, which talks only about GCE, which could exclude GAE :
So, is GAE compatible with Cloud VPN or is it restricted to GCE only ?
Google Cloud VPN securely connects your existing network to your Google Cloud Platform (GCP) network through an IPsec VPN connection. Therefore, only resources that are connected to GCP networks can communicate through Cloud VPN tunnels.
App Engine Flexible Environment is based on Google Compute Engine and consequently can connect to your remote network via Cloud VPNs. As described in this article, you can specify network settings in your app.yaml configuration file of your GAE Flexible application.
EDIT Rodrigo Torres has pointed out that this is NOW possible.
(Leaving up the old post below. It is now WRONG!!!)
OLD POST:
Google App Engine standard CAN'T use VPN directly, however the new Flexible Google App Engine (now officially released, no longer in beta) CAN use it directly. Just set up google cloud VPN and your network from the console and make sure to include the network in your app.yaml file.
Flexible App Engine is be the easiest way for new applications to utilize VPN connections since there won't be any migration headaches.
For a standard app engine application that can't be ported over to flexible for whatever reason, you CAN still use a VPN connection - however, it requires a service to be running on flexible app engine (or compute engine), and your app will need to interface with it somehow. This may be the simplest method, as migrating from standard to flexible is not the simplest of tasks. I know - I've done it.
Related
I have CouchDB server on a Google Compute Engine via Bitnami.
I want my API (Google App Engine) to be able to talk to Compute Engine but I really don't want anyone else to be able to for security purposes.
I'm open to using App Engine Flexible if that's what needs to happen.
It says here that google app engine can't be assigned a static IP but I was wondering if anyone had any other suggestions of restricting outside access to the static ip I've assigned my compute engine to only allow incoming connections made to my Projects/My app engine, etc.
You are requiring to use Virtual Private Cloud (VPC), since this option allows you to configure firewall rules in order to provide a controlled access to your Cloud resources and allow then to interact in a safe environment.
You can give a look to the VPC overview to have a better understanding of the capabilities and options offered by Google Cloud (https://cloud.google.com/vpc/docs/vpc) and also you will find useful information on how to use the VPC over the different services in the docs (https://cloud.google.com/vpc/docs/private-access-options). By the way, you would need to move your API to App Engine Flex.
Is there a way to deploy "internal facing" applications in Google App Engine. AWS offers this capability as explained here and so does Azure as explained here.
What is the GCP equivalent for this? It appears App Engine Flexible Environment could be the answer but I could not find a clear documentation on whether Flexible Environment is indeed the way to host intranet facing applications. Is there someone from GCP who can advise?
Update
I tested the solution recommended by Dan recently. Listed below are my observations:
App Engine Flex allows deploying to a VPC and this allows VPN scenarios. The VPN scenarios however is for connections (originating) from App Engine to GCP VPCs or to other networks outside GCP which can be on-prem or in another cloud.
Access (destined) to the app itself from a GCP or another network is always routed via the internet facing Public IPs. There is no option to access the app at a private IP at the moment.
If there's another update, I will update it here.
Update 28Oct2021
Google has now launched Serverless Network Endpoint Group(NEG)s. With this users can connect AppEngine, Cloud Run & Cloud Function endpoints to a LoadBalancer. However at the moment, you can only use Serverless NEGs with an external HTTP(S) load balancer. You cannot use serverless NEGs with regional external HTTP(S) load balancers or with any other load balancer types. Google documentation for Serverless NEGs is available here.
I'm not sure this meets your requirements, but it's possible to set up an App Engine Standard application (not certain about Flexible) such that it is only accessible to users logged into your G-Suite domain. This is the approach I've used for internal-facing applications in the past, but it only applies if your case involves an entity using G-Suite.
You can set this up under the App Engine application Settings, under Identity Aware Proxy.
In this scenario the application is still operating at a publicly accessible location, but only users logged into your G-Suite domain can access it.
It should be possible with the GAE flexible environment. From Advanced network configuration:
You can segment your Compute Engine network into subnetworks. This
allows you to enable VPN scenarios, such as accessing databases within
your corporate network.
To enable subnetworks for your App Engine application:
Create a custom subnet network.
Add the network name and subnetwork name to your app.yaml file, as specified above.
To establish a VPN, create a gateway and a tunnel for a custom subnet network.
The standard env GAE doesn't offer access to the networking layer to achieve such goal.
I am very newly in google app engine.. There are three Questoins on google app engine and in google app engine i want to choose JAVA language.
Does google app engine provide private cloude ?
I want to deploy my application with my own server( E.x.glassfish or JBoss) on google app engine ?
I want to use my own database instead of cloud SQL in google app engine?
Is it possible or not?
With Google Cloud Appengine - no, it's impossible.
With Google Cloud Instances or Google Cloud Containers - all of this is possible.
Appengine is just one piece of Google Cloud, designed for very specific job, with infrastructure managed by Google. You can only write some code (with lot of restrictions too) that runs inside it. You can read some details about code restritions there: https://cloud.google.com/appengine/docs/java/#Java_The_sandbox
What you're looking for is Google Cloud Instances, that are more standard virtual machines, where you can run anything you want. See https://cloud.google.com/compute/
There is still tools for Load Balancing, Health Check, Centralized Logging for Cloud Instances, and other stuff similar to features provided by Appengine.
TLDR;
Are there any updates about this question?
Google App Engine communicate with Compute Engine over internal network
--
It is possibile to enable HTTP traffic between App Engine and Compute Engine instances that are in the same Cloud Project?
Obviously denying all HTTP traffic from other sources.
Between AWS EC2/RDS/Beanstalk this is possibile with "security groups".
I think the best you can currently do is managed VMs (https://developers.google.com/cloud/managed-vms, early access right now). It's essentially managed VMs running custom code in the app engine project. I did not check if the managed VMs will be able to run together with other gce VMs in the same network - if they did one could just connect to the internal addresses of the other instances. There does not appear to be a configuration option to define a network so I'm leaning to guess that they won't be able to see each other on the network like that.
But as an answer to the general question, I don't think there is any way of referencing app engine runtimes as sources in gce network ACLs currently.
As of now In 2016 as google cloud has launched google cloud flexible environment appengine/docs/flexible/. So yes it is possible now because now both app engine and compute engine are present in same network and therefore using app engine you can access compute engine by using their internal Ip, also remember to delete all external firewall rules for your compute engines if you only want to allow access from app engine.
there isn't way to reference App Engine resource within GCE. If you are trying to access GCE only from App Engine app, then you could define ACL in GCE to let traffic only from your AppEngine external IP.
I am pretty new to this whole idea of cloud and started of with Google app engine. I was able to create the basic 'hello world' program.
When i tried to understand the difference between a cloud and a server I learned that Cloud is where you have an access to virtual instance created exclusively for you and you are free to choose and install software of your choice.
But I don't see such an option with Google-cloud/app-engine. What if I have a tom-cat based application server which I would like to deploy on a cloud? Will Google app engine be of any help or should I try other cloud service providers such as Amazon EC2, hp cloud etc?
/DJ
The cloud type that you are referring to is called Infrastructure as a Service cloud.
OTOH, Google App Engine is Platform as a Service cloud.
The difference is that IaaS are a bunch of virtual machines that you need to setup yourself (OS + app stack), while PaaS typically comes with it's own API, where you write your app against the API and the rest (sw stack + scalability) is taken care of.
AppEngine comes with it's own servlet container (Tomcat is also a servlet container), so from this standpoint you could use your code on AppEngine. But the problem lies elsewhere: AppEngine imposes a set of limitation on the apps:
app must use GAE provided databases.
app can not write to filesystem
app can not have listening sockets
requests must finish in 60 seconds (e.g. no Comet or WebSockets -> no push)
You might want to review the FAQ.
To add to Peter's excellent answer, note that Google also has an IaaS service called Google Compute Engine.
Regarding other cloud query-
Before you start with cloud you might once try other options. Currently deploying application in almost all services are very easy.
few of them are-
Jelastic , Heroku , rackspace , nimbus , openshift etc.
Difference between cloud and server is very well explained already.
Since you mentioned about tomcat based application , I have worked with Jelastic for the same and found very easy to implement.
http://jelastic.com/docs/tomcat
http://jelastic.com/tomcat-hosting
Try all possible option , it will help you more .