If your organization uses Shared VPC, you can connect App Engine standard environment services directly to your Shared VPC network by using Serverless VPC Access. This allows a standard environment service to access resources in your Shared VPC network, such as Compute Engine VM instances, Memorystore instances, and any other resources with an internal IP address.
Serverless VPC Access connectors incur a monthly charge. For more information, see Serverless VPC Access pricing.
If your organization does not use Shared VPC, see Connect to a VPC network.
Comparison of configuration methods
For Shared VPC, Serverless VPC Access connectors can be configured in two different ways. You can either set up connectors in each service project that has standard environment resources that need access to your network, or you can set up shared connectors in the host project. There are advantages to each method.
Service projects
Advantages of creating connectors in the service projects:
- Isolation: Each connector has dedicated bandwidth and is unaffected by bandwidth use of connectors in other service projects. This is good if you have a service that experiences spikes in traffic, or if you need to ensure that each service project is unaffected by connector use of other service projects.
- Chargebacks: Charges incurred by connectors are associated with the service project containing the connector. This enables easier chargebacks.
- Security: Allows you to follow the "principle of least privilege." Connectors must be granted access to the resources in your Shared VPC network that they need to reach. By creating a connector in the service project, you can limit what the services in the project can access by using firewall rules.
- Team independence: Reduces dependency on the host project administrator.
Teams can create and manage the connectors associated with their service
project. A user with the Compute Engine
Security Admin role or a
custom Identity and Access Management (IAM) role with the
compute.firewalls.createpermission enabled for the host project must still manage firewall rules for the connector.
To set up connectors in service projects, see Configure connectors in service projects.
Host project
Advantages of creating connectors in the host project:
- Centralized network management: Aligns with the Shared VPC model of centralizing network configuration resources in the host project.
- IP address space: Preserves more of your IP address space. Connectors require an IP address for each instance, so having fewer connectors (and fewer instances in each connector) uses fewer IP addresses. This is good if you are concerned about running out of IP addresses.
- Maintenance: Reduces maintenance, because each connector you create may be used by multiple service projects. This is good if you are concerned about maintenance overhead.
- Cost for idle time: Can reduce the amount of connector idle time and associated cost. Connectors incur costs even when they are not serving traffic (see pricing). Having fewer connectors may reduce the amount of resource you pay for when not serving traffic, depending on your connector type and number of instances. This is often cost effective if your use case involves a large number of services, and the services are used infrequently.
To set up connectors in the host project, see Configure connectors in the host project.