This page contains answers to common App Engine connectivity questions, including questions related to using Serverless VPC Access and internal IP addresses.
Set up inbound connectivity from VPC to App Engine instances using an internal IP address
Serverless VPC Access is useful when making calls from Google's serverless offerings to a Virtual Private Cloud (VPC) network, but you can't access App Engine instances using an internal IP address.
To connect to App Engine from the VPC network using an internal IP address without an assigned external IP address, do the following to access Google APIs and services:
- Set up Private Google Access. Ensure that the App Engine service uses a Private Google Access-enabled subnet.
- Use a Private Service Connect endpoint. Ensure that the endpoint is connected to the Private Google Access-enabled subnet.
- Send traffic to the Private Service Connect endpoint. Ensure that the endpoint is connected to the subnet.
App Engine instances with external IP addresses can send traffic to Private Service Connect endpoints without any requirements.
Virtual machines with only internal IP addresses require Private Google Access
Internal IP addresses are required when you deploy an App Engine flexible environment application in a Shared VPC network that adds a route to avoid 0.0.0.0/0.
For instances with IP mode set to internal, you must make the following changes to the network:
- Enable Private Google Access for each subnetwork that you use.
- Create a route compatible with Private Google Access if it doesn't already exist.
- Create a firewall rule compatible with Private Google Access if it doesn't already exist.
- If you need outgoing internet access, you must also deploy Cloud NAT for each region attached to subnetworks that you use.
As documented in the internet access requirement for VPC networks, the network must have a valid default internet gateway route or custom route whose destination IP range is the most general (0.0.0.0/0). If you remove this setting, it could cause deployment or serving failures.
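The checklist above can be run as a preflight audit before deploying. The following is an added example, not part of the original documentation: the function name and sample data are hypothetical, the field names follow Compute Engine resource JSON, and the 199.36.153.8/30 (private.googleapis.com) range is an assumption, since the page does not say which range the route and firewall rule must cover.

```python
import ipaddress

# Assumption: 199.36.153.8/30 (private.googleapis.com) is the range that must be
# reachable for Private Google Access; the page itself does not name a range.
API_RANGE = ipaddress.ip_network("199.36.153.8/30")
GATEWAY = "default-internet-gateway"


def _covers(cidr):
    return API_RANGE.subnet_of(ipaddress.ip_network(cidr))


def audit_internal_ip_network(subnets, routes, firewalls, nat_regions, needs_internet):
    """Return findings for the internal-IP checklist; an empty list means pass."""
    findings = []
    for s in subnets:
        if not s.get("privateIpGoogleAccess"):
            findings.append(f"{s['name']}: Private Google Access is disabled")
        if needs_internet and s["region"] not in nat_regions:
            findings.append(f"{s['name']}: no Cloud NAT in {s['region']}")
    # Route: a route through the default internet gateway must cover the range.
    if not any(r.get("nextHopGateway", "").endswith(GATEWAY) and _covers(r["destRange"])
               for r in routes):
        findings.append(f"no {GATEWAY} route covers {API_RANGE}")
    # Firewall: the first matching egress rule decides. A lower priority number
    # wins and deny beats allow on a tie; with no match the implied allow-egress
    # rule applies. Simplification: protocols, ports and targets are ignored.
    egress = [f for f in firewalls
              if f.get("direction") == "EGRESS" and not f.get("disabled")
              and any(_covers(c) for c in f.get("destinationRanges", ["0.0.0.0/0"]))]
    egress.sort(key=lambda f: (f.get("priority", 1000), 0 if f.get("denied") else 1))
    if egress and egress[0].get("denied"):
        findings.append(f"egress to {API_RANGE} denied by rule {egress[0]['name']}")
    return findings


# Constructed sample: a network with a deny-all egress rule and no gateway route.
SUBNETS = [{"name": "app-subnet", "region": "us-central1", "privateIpGoogleAccess": True},
           {"name": "batch-subnet", "region": "europe-west1"}]
ROUTES = [{"name": "to-onprem", "destRange": "10.0.0.0/8", "nextHopIp": "10.1.0.2"}]
FIREWALLS = [{"name": "deny-all-egress", "direction": "EGRESS", "priority": 1000,
              "denied": [{"IPProtocol": "all"}], "destinationRanges": ["0.0.0.0/0"]}]

if __name__ == "__main__":
    for finding in audit_internal_ip_network(SUBNETS, ROUTES, FIREWALLS,
                                             {"us-central1"}, needs_internet=True):
        print(finding)
```

On the constructed sample the audit reports four findings; an allow rule only takes effect if its priority number is lower than that of the deny-all rule.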
Connect App Engine to Cloud SQL private IP addresses
This scenario may be encountered when you want to connect from App Engine standard environment or App Engine flexible environment apps to Cloud SQL instances over private IP addresses.
In this scenario, create a connection using one of the following options:
- App Engine standard environment: Use the Serverless VPC Access connector to connect to Cloud SQL over internal IP addresses. To learn more, see Connecting from App Engine standard environment to Cloud SQL.
- App Engine flexible environment: Deploy your flexible environment app in the same VPC network as your Cloud SQL instance. Your app should now be able to connect directly using the Cloud SQL instance's private IP address. To learn more, see Connecting from App Engine flexible environment to Cloud SQL.
Troubleshoot a Cloud SQL instance using public IP addresses
When deploying an older App Engine standard environment app with Cloud SQL using Unix sockets, you might see a few error messages if your app is not correctly configured to connect to a Cloud SQL instance.
The following warning message indicates that App Engine was able to fall back on a legacy connection method to complete the operation successfully:
CloudSQL warning: your action is needed to update your application and avoid potential disruptions. Please see https://cloud.google.com/sql/docs/mysql/connect-app-engine-standard for additional details: ...
The following error message indicates that the operation to connect to Cloud SQL was not completed successfully:
Cloud SQL connection failed. Please see https://cloud.google.com/sql/docs/mysql/connect-app-engine-standard for additional details: ...
For both error messages, you need to check the following to ensure that the Cloud SQL Auth proxy is correctly configured to connect to a Cloud SQL instance:
- The Cloud SQL Admin API must be enabled.
- The service account for the App Engine app must have the correct permissions.
- The instance connection name must include the region.
If the failure message persists after troubleshooting, contact Google Cloud Support for assistance.
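The third item in the checklist can be verified offline before redeploying. The following is an added example, not part of the original documentation: the function names are hypothetical, the sample names are constructed, and it assumes the PROJECT:REGION:INSTANCE form, region names shaped like "us-central1", and the /cloudsql/ socket directory prefix.

```python
import re

# Assumption: region names have the shape "us-central1" or "europe-west4".
REGION_RE = re.compile(r"^[a-z]+-[a-z]+[0-9]+$")
SOCKET_PREFIX = "/cloudsql/"  # directory prefix of a Cloud SQL Unix socket path


def parse_connection_name(value):
    """Return (project, region, instance) or raise ValueError.

    Accepts the bare name or a Unix socket path. A domain-scoped project ID
    ("example.com:my-project") has a colon of its own, so the fields are read
    from the right and the project part is validated separately.
    """
    name = value.strip()
    if name.startswith(SOCKET_PREFIX):
        name = name[len(SOCKET_PREFIX):]
    error = ValueError(
        f"{value!r} is not in PROJECT:REGION:INSTANCE form (is the region missing?)")
    parts = name.split(":")
    if len(parts) < 3 or not all(parts):
        raise error
    head, region, instance = parts[:-2], parts[-2], parts[-1]
    plain = len(head) == 1 and "." not in head[0]
    domain_scoped = len(head) == 2 and "." in head[0]
    if not (plain or domain_scoped) or not REGION_RE.match(region):
        raise error
    return ":".join(head), region, instance


def has_region(value):
    """True when the connection name parses with a region component."""
    try:
        parse_connection_name(value)
        return True
    except ValueError:
        return False


# Constructed sample names, not taken from any real project.
SAMPLES = ["my-project:us-central1:orders-db",      # valid
           "my-project:orders-db",                  # region missing
           "example.com:my-project:orders-db"]      # domain-scoped, region missing

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", "ok" if has_region(sample) else "region missing")
```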
Customize access permissions between App Engine services
This scenario can be encountered when you have multiple App Engine services and want to configure access permissions differently between services (for example, you want to enable access to App Engine Service A only from App Engine Service B).
In this scenario, you can use App Engine with Identity-Aware Proxy (IAP) to make only some of the services publicly accessible while keeping others protected. To learn more, you can see the Centralize access to your organization's websites with IAP video and refer to the IAP documentation.
Inconsistent metrics when App Engine flexible environment uses Cloud Load Balancing
The App Engine flexible environment dashboard displays all metrics only for requests routed through a flexible environment managed backend. If you use App Engine flexible environment with Cloud Load Balancing, then certain metrics in the App Engine metrics table are reported as metrics from the loadbalancing table instead. For more information, see HTTP(S) Load Balancing logging and monitoring.