Can Google App Engine make a http request to a Compute Engine instance within the same project without an external IP? - google-app-engine

In App Engine I'd like to make HTTP fetch calls to a web server running on a Compute Engine instance, created within the same Google Cloud project, and I'm wondering if I can make such calls to the instance without enabling an external IP for it. Are App Engine and Compute Engine instances from the same project within the same network, and can I call a Compute Engine instance by name from App Engine?

The best way to solve that in the short/medium term is to deploy the VM as a VM-based backend (we are accepting TT applications). You can deploy the VM backend as a different App Engine module of the app. Then you can urlfetch "mymodule.myapp.appspot.com" from the frontend and it will hit your VM without going through the public IP.
You can also serve your app straight from the VM backend. There you can load classes that are blocked by the normal App Engine sandbox (as well as having full access to all App Engine APIs!). The downside with VM backends is that we don't have auto-scaling yet.

This is currently unsupported. Communication between App Engine and GCE must go through the URLFetch API and use a public IP.

Related

How to communicate between Standard AppEngine to another Standard AppEngine within shared VPC?

I have a standard App Engine service which makes an API call to another App Engine service within the same shared VPC and project, but the response is a 403 Forbidden error. The App Engine service I am calling is configured with gcloud app services update service-name --ingress=internal-only, but as soon as I update its configuration with gcloud app services update service-name --ingress=all, all the API calls are successful.
Note: as required by GCP, a serverless connector has been created and it is being used.
Questions
1. How to communicate between a Standard App Engine service and another Standard App Engine service within a shared VPC?
2. How can I communicate between App Engine services with the gcloud app services update service-name --ingress=internal-only configuration?
When you set the ingress to internal, you tell App Engine: accept only traffic coming from the VPCs of this project.
Thus, you need to tell your other App Engine services: reach this (App Engine) service only through the VPC, else you will be forbidden.
Firstly, when you deploy on a serverless environment (App Engine, Cloud Run or Cloud Functions), you are on the Google Cloud VPC, not on your project VPC.
Therefore, you have to set the egress of your App Engine service to use the VPC. You need to plug in a VPC connector to make this bridge between the Google serverless VPC world and your VPC.
However, it won't work. Indeed, when you set that on App Engine, only the traffic to private IPs uses the serverless VPC connector, not the traffic to public IPs. You don't have the capacity to set the VPC egress to "all" to route all the traffic, public and private, through the VPC (as you can do with Cloud Functions and Cloud Run).
Thus, the App Engine service, with or without a serverless VPC connector, will contact the internal App Engine service through the internet and not through the VPC, and you will get a 403 every time.
In conclusion, you can't do that with App Engine; have a look at Cloud Run or Cloud Functions for this type of setup. You can also review your security design and not rely on the origin of the traffic (from the VPC) but on the authentication of the traffic (use identity tokens and IAM to ensure the security of the communication).
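The last paragraph of the answer above recommends authenticating the caller rather than trusting the network path. The following is an added example, not code from the question or from any answer, of what that looks like on both sides of an App Engine to App Engine call: the caller asks the metadata server for a Google-signed ID token bound to the callee's URL, and the callee checks the token's audience and the calling service account against an allowlist. The metadata-server URL and the Metadata-Flavor header are the real ones; the service URLs, the service-account e-mails and the fake_verify stand-in are assumptions made up for the example, and in production verify would wrap google.oauth2.id_token.verify_oauth2_token from the google-auth package.

```python
"""Identity-based authorization between App Engine services (added example).

Instead of trusting where a request came from (VPC vs. internet), the callee
verifies a Google-signed ID token and checks *who* is calling. Network calls
are isolated in small functions so the decision logic runs offline.
"""
from typing import Callable, Dict, Iterable, Optional, Tuple
import urllib.parse
import urllib.request

# Real metadata-server endpoint that mints an ID token for the workload's
# default service account. The header is mandatory or the request is refused.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)
METADATA_HEADERS = {"Metadata-Flavor": "Google"}


def identity_token_url(audience: str) -> str:
    """URL that returns an ID token whose `aud` claim is the callee's URL."""
    return METADATA_IDENTITY_URL + "?" + urllib.parse.urlencode({"audience": audience})


def fetch_identity_token(audience: str, opener=urllib.request.urlopen) -> str:
    """Caller side: obtain an ID token bound to `audience` from the metadata server."""
    req = urllib.request.Request(identity_token_url(audience), headers=METADATA_HEADERS)
    with opener(req, timeout=5) as resp:
        return resp.read().decode("utf-8").strip()


def call_with_identity(target_url: str, token: str, opener=urllib.request.urlopen) -> bytes:
    """Caller side: present the token as a bearer credential on the call."""
    req = urllib.request.Request(target_url, headers={"Authorization": "Bearer " + token})
    with opener(req, timeout=10) as resp:
        return resp.read()


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Case-insensitive lookup of a Bearer token in request headers."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None


Verifier = Callable[[str, str], Dict]


def authorize(headers: Dict[str, str], audience: str,
              allowed_callers: Iterable[str], verify: Verifier) -> Tuple[int, str]:
    """Callee side: decide whether the request may proceed.

    `verify(token, audience)` must check signature, issuer, expiry and audience
    and return the claims, raising ValueError otherwise. In production wrap
    google.oauth2.id_token.verify_oauth2_token (assumption: google-auth is
    installed). Returns (HTTP status, reason).
    """
    token = extract_bearer(headers)
    if token is None:
        return 401, "missing bearer token"
    try:
        claims = verify(token, audience)
    except ValueError as exc:
        return 401, "invalid token: %s" % exc
    # Defence in depth: a token minted for another service is never accepted,
    # even if the verifier were lax about the audience.
    if claims.get("aud") != audience:
        return 401, "token audience mismatch"
    caller = claims.get("email")
    if not claims.get("email_verified") or caller not in set(allowed_callers):
        return 403, "caller %r is not allowed" % caller
    return 200, "ok"


def fake_verify(token: str, audience: str) -> Dict:
    """Constructed stand-in for offline runs: maps fixed token strings to claims.

    A real verifier parses the JWT and checks its RS256 signature against
    Google's published keys; this one exists only so the logic can be exercised.
    """
    known = {
        "good": {"aud": audience, "email_verified": True,
                 "email": "frontend@myproj.iam.gserviceaccount.com"},
        "wrongaud": {"aud": "https://other-dot-myproj.appspot.com", "email_verified": True,
                     "email": "frontend@myproj.iam.gserviceaccount.com"},
        "stranger": {"aud": audience, "email_verified": True,
                     "email": "attacker@evil.iam.gserviceaccount.com"},
    }
    if token not in known:
        raise ValueError("signature check failed")
    return known[token]


if __name__ == "__main__":
    aud = "https://backend-dot-myproj.appspot.com"
    allowed = {"frontend@myproj.iam.gserviceaccount.com"}
    for hdrs in ({"Authorization": "Bearer good"}, {}, {"authorization": "bearer wrongaud"},
                 {"Authorization": "Bearer stranger"}, {"Authorization": "Bearer garbage"}):
        print(hdrs, "->", authorize(hdrs, aud, allowed, fake_verify))
```

With this in place the ingress setting becomes a secondary control: a request that reaches the callee over the public internet is rejected unless it carries a valid token for exactly this audience from an allowlisted service account, and the allowlist is something IAM can manage rather than a property of the network path.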
It is now possible to reach other App Engine services (configured with internal traffic only) thanks to Serverless VPC Access.
In app.yaml, add to all the services which need to talk to each other (in and/or out connections):
vpc_access_connector:
  name: projects/PROJECT_ID/locations/LOCATION/connectors/CONNECTOR
  egress_setting: all-traffic
The doc: https://cloud.google.com/appengine/docs/standard/go/connecting-vpc.

Google Cloud Serverless VPC Connector not working for App Engine

I'm trying to set up a project with an App Engine service that talks to a Cloud SQL database with Private IP connectivity. This is achievable through the Serverless VPC Access of Google Cloud, that allows App Engine and Cloud Functions to interact with resources in your private VPC.
For some inexplicable reason, I was able to query the DB from a test Cloud Function, but not from App Engine, where I get a connection refused error. Since it works on Cloud Functions, it makes me think that the Serverless VPC Access is properly configured, but I still can't understand why it doesn't work with App Engine.
The App Engine app is deployed using gcloud app deploy. I also tried gcloud beta app deploy as somebody suggested but nothing changed.
Everything (App Engine, Cloud Function, Cloud SQL) is in the same region, europe-west1. I am not using the gcloud default network but a custom network, with a single subnetwork in the same region.
If you have any remote idea on what could possibly be misconfigured, please let me know as I really am losing hope on this. Thanks!

GeoDNS routing on Google Cloud Load Balancer with Google App Engine as backend

We are looking to use Google App Engine for one of our low-latency services. We are required to provide a low-latency service across the globe. Since Google App Engine is a regional service and there is no straightforward way to deploy it multi-regionally, we looked at Google Cloud Load Balancer to route at the DNS level, but that also does not seem to be possible, as the load balancer does not support App Engine as a backend service. Is there any other way to achieve GeoDNS routing in GCP for an App Engine service?
There is no direct way to achieve GeoDNS routing, since App Engine is a regional service, as you said.
Read this feature request for further insight. In the second comment they state the two possible workarounds, useful for both standard and flexible environments:
The workaround is how you mentioned, using a single project with a load balancer to route requests to Compute Engine instances in different regions. Then have each Compute Engine instance act as a proxy to an App Engine project in each of the different regions (where you would copy your code to each App Engine project).
It may be easier in the meantime to use Google Kubernetes Engine instead of App Engine for multi-regional application serving.
You could star the FR to support it.

URL Fetch within Google App Engine between Python app and Node app running in Managed VM

My team is exploring the possibility of cross-application communication within Google App Engine environment. We have our core Python app running on GAE, and a new NodeJS App running on GAE Managed VM. So far we could only find information on URL fetch service supported in Python, Java, and Go.
Does anyone know if URL fetch service is available in Node running on GAE managed VM?
Or is there another solution my team can use for high-performing cross-application communication within Google's network infrastructure, for efficiency and scaling purposes?
The URL Fetch service is not available for NodeJS on app engine. However, for cross-application communication, you can use Google Cloud Pub/Sub. You can use the Google Cloud Client library for NodeJS to access the Pub/Sub service from a NodeJS app running on a flexible VM.

Is there an equivalent of AWS "security groups" between App Engine and Compute Engine instances?

TLDR;
Are there any updates about this question?
Google App Engine communicate with Compute Engine over internal network
--
Is it possible to enable HTTP traffic between App Engine and Compute Engine instances that are in the same Cloud Project?
Obviously denying all HTTP traffic from other sources.
Between AWS EC2/RDS/Beanstalk this is possible with "security groups".
I think the best you can currently do is managed VMs (https://developers.google.com/cloud/managed-vms, early access right now). It's essentially managed VMs running custom code in the app engine project. I did not check if the managed VMs will be able to run together with other gce VMs in the same network - if they did one could just connect to the internal addresses of the other instances. There does not appear to be a configuration option to define a network so I'm leaning to guess that they won't be able to see each other on the network like that.
But as an answer to the general question, I don't think there is any way of referencing app engine runtimes as sources in gce network ACLs currently.
As of now, in 2016, Google Cloud has launched the App Engine flexible environment (appengine/docs/flexible/). So yes, it is possible now, because both App Engine and Compute Engine are present in the same network, and therefore from App Engine you can access Compute Engine by using its internal IP. Also remember to delete all external firewall rules for your Compute Engine instances if you only want to allow access from App Engine.
There isn't a way to reference an App Engine resource within GCE. If you are trying to access GCE only from your App Engine app, then you could define an ACL in GCE to allow traffic only from your App Engine external IP.