I use Google Cloud Compute Engine for my DB and App Engine for my server. If on the CE I enable an ephemeral external IP, my server can connect via the INTERNAL network. I can also reach my server externally. If, however, I configure my CE with INTERNAL ONLY, then my server cannot reach the CE, even though the server used the internal network when the CE was configured with an ephemeral external IP. The server knows nothing about the ephemeral IP address of the CE instance. In summary:

CE with default network (10.156.0.X & ephemeral external IP) -> App Engine server (via 10.156.0.X) = works!

CE with default network (10.156.0.X only) -> App Engine server = doesn't work

I would have thought simply removing the external IP address wouldn't have an effect on the internal network! I am currently using the Serverless VPC connector on my server to access the GCE. Both are part of the same project.

With external IP configuration:

  "networkInterfaces": [
    {
      "name": "nic0",
      "network": "projects/x/global/networks/default",
      "accessConfigs": [
        {
          "name": "External NAT",
          "type": "ONE_TO_ONE_NAT",
          "natIP": "xx.xxx.xx.xx",
          "kind": "compute#accessConfig",
          "networkTier": "STANDARD",
          "setPublicPtr": false
        }
      ],
      "subnetwork": "projects/x/regions/europe-west3/subnetworks/default",
      "networkIP": "10.156.0.6",
      "fingerprint": "tkgs6oiAL8E=",
      "kind": "compute#networkInterface"
    }
  ]

Without external IP configuration:

  "networkInterfaces": [
    {
      "name": "nic0",
      "network": "projects/x/global/networks/default",
      "subnetwork": "projects/x/regions/europe-west3/subnetworks/default",
      "networkIP": "10.156.0.6",
      "fingerprint": "uWRkQpIa-fs=",
      "kind": "compute#networkInterface"
    }
  ],

Database firewall configuration:

{
  "allowed": [
    {
      "IPProtocol": "tcp",
      "ports": [
        "0-65535"
      ]
    },
    {
      "IPProtocol": "udp",
      "ports": [
        "0-65535"
      ]
    },
    {
      "IPProtocol": "icmp"
    }
  ],
  "creationTimestamp": "2020-03-23T08:36:03.630-07:00",
  "description": "Allow internal traffic on the default network",
  "direction": "INGRESS",
  "disabled": false,
  "enableLogging": false,
  "id": "x",
  "kind": "compute#firewall",
  "logConfig": {
    "enable": false
  },
  "name": "default-allow-internal",
  "network": "projects/x/global/networks/default",
  "priority": 65534,
  "selfLink": "projects/x/global/firewalls/default-allow-internal",
  "sourceRanges": [
    "0.0.0.0/0",
    "10.128.0.0/9",
    "10.8.0.0/28"
  ],
  "sourceServiceAccounts": [
    "x@appspot.gserviceaccount.com"
  ]
}

Server firewall configuration:

Priority: 1000
Action on match: ALLOW
IP Range: 10.156.0.6
Description: Something

App Engine configuration:

runtime: nodejs16
env: standard
instance_class: F4
handlers:
  # A single catch-all handler; a second identical entry would never be reached.
  - url: .*
    script: auto
env_variables:
  ACCESS_CONTROL_ALLOW_ORIGIN: 'https://x.com'
  ...
  DB_PATH_INTERNAL: 'http://10.156.0.6:8529'
  ...
automatic_scaling:
  min_idle_instances: automatic
  max_idle_instances: automatic
  min_pending_latency: automatic
  max_pending_latency: automatic
network:
  name: default
vpc_access_connector:
  name: projects/x/locations/europe-west3/connectors/x
  # Documented values are private-ranges-only (the default, routes only RFC 1918
  # destinations through the connector) or all-traffic.
  egress_setting: private-ranges-only
service_account: x@appspot.gserviceaccount.com
Sailor

1 Answer

An IP address that starts with 10 (10.0.0.0/8) is a private IP address (RFC 1918). Even if App Engine and your VPC are using the same address range, they are not using the same network. Each network is private.

In order for App Engine to connect to an instance in a VPC (not using the external IP address), you must configure Serverless VPC Access.

Note: if both systems are using 10.x.x.x addresses then you might have a problem called overlapping networks. You might need to configure a new VPC with a non-overlapping range.

You can peer a custom mode VPC network and an auto mode VPC network such as the default network. However, you must make sure that none of the subnets in the custom mode VPC network overlap with the address space of the auto mode VPC network (10.128.0.0/9).

VPC Specifications

John Hanley
  • Hi John, thank you for your response. I am indeed using Serverless VPC. My server knows nothing of the db's ephemeral external ip address (it only knows the internal ip address), so this must be working. What I don't understand is why does the Serverless VPC stop working when I remove the external ip address? – Sailor Jun 13 '23 at 06:44
  • @Sailor - Edit your post with more details on what you configured and how you are connecting. – John Hanley Jun 13 '23 at 06:56
  • Hi @John-Hanley, I've updated the question with my GCE firewall settings and my server App Engine configuration. I'm connecting using the Serverless VPC (see the App Engine yaml configuration). – Sailor Jun 14 '23 at 12:29
  • Here are a few other questions on the same topic, all of which are unanswered (successfully): Same issue here: https://serverfault.com/questions/1106358/google-cloud-serverless-vpc-access-not-working-in-both-dir... Same issue here: https://serverfault.com/questions/1102780/cannot-connect-to-a-on-premise-vm-via-cloud-vpn-from-googl... Same issue here: https://stackoverflow.com/questions/76298106/google-cloud-run-egress-traffic-to-cloud-vpn Similar issue here: https://stackoverflow.com/questions/73883936/is-google-cloud-vpn-only-compatible-with-compute-engine... – Sailor Jul 17 '23 at 13:28
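As an added example (not code from the question, the answer, or Google), the Python script below reads a firewall rule in the JSON shape posted in the question and applies the checks the answer's reasoning implies: whether a rule meant for internal traffic admits non-RFC 1918 sources (the posted rule lists 0.0.0.0/0 next to 10.128.0.0/9), whether the Serverless VPC connector range (10.8.0.0/28 in the question) is actually allowed in, and whether that range overlaps the auto-mode space 10.128.0.0/9 the answer warns about. The sample rule is a constructed, trimmed copy of the page's rule; function names are mine.

```python
import ipaddress
import json

# Constructed sample: a trimmed copy of the "default-allow-internal" rule from the question.
FIREWALL_RULE_JSON = """{
  "name": "default-allow-internal",
  "direction": "INGRESS",
  "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
              {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}],
  "sourceRanges": ["0.0.0.0/0", "10.128.0.0/9", "10.8.0.0/28"]
}"""

# RFC 1918 private address space, which the answer refers to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Auto-mode VPC address space named in the answer; the default network's subnets live in it.
AUTO_MODE_RANGE = ipaddress.ip_network("10.128.0.0/9")

def parse_rule(rule_json):
    """Load the rule and parse its source ranges into network objects."""
    rule = json.loads(rule_json)
    rule["_sources"] = [ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])]
    return rule

def public_sources(rule):
    """Source ranges outside RFC 1918; a rule meant for internal traffic should have none."""
    return [str(n) for n in rule["_sources"] if not any(n.subnet_of(p) for p in RFC1918)]

def admits(rule, network):
    """True if some source range of the rule fully contains `network`."""
    net = ipaddress.ip_network(network)
    return any(net.subnet_of(src) for src in rule["_sources"])

def overlaps_auto_mode(network):
    """The overlap check from the answer: a custom range must not collide with 10.128.0.0/9."""
    return ipaddress.ip_network(network).overlaps(AUTO_MODE_RANGE)

def audit(rule_json, connector_range, db_ip):
    """Return findings for the rule that is supposed to protect the database VM."""
    rule = parse_rule(rule_json)
    findings = []
    for src in public_sources(rule):
        findings.append(f"{rule['name']}: source {src} is not private; the rule admits any address")
    if not admits(rule, connector_range):
        findings.append(f"{rule['name']}: connector range {connector_range} is not allowed in")
    if overlaps_auto_mode(connector_range):
        findings.append(f"connector range {connector_range} overlaps {AUTO_MODE_RANGE}")
    if ipaddress.ip_address(db_ip) not in AUTO_MODE_RANGE:
        findings.append(f"database IP {db_ip} is not in the auto-mode range {AUTO_MODE_RANGE}")
    return findings
```

Running `audit(FIREWALL_RULE_JSON, "10.8.0.0/28", "10.156.0.6")` on the page's rule reports only the 0.0.0.0/0 source; the connector range is admitted and does not overlap the auto-mode space, so the firewall rule itself does not explain the lost connectivity.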