Java 8 has reached end of support
and will be
deprecated
on January 31, 2026. After deprecation, you won't be able to deploy Java 8
applications, even if your organization previously used an organization policy to
re-enable deployments of legacy runtimes. Your existing Java
8 applications will continue to run and receive traffic after their
deprecation date. We recommend that
you
migrate to the latest supported version of Java.
Connecting to a Shared VPC network
Stay organized with collections
Save and categorize content based on your preferences.
If your organization uses Shared VPC, you can
connect App Engine standard environment services directly to your Shared VPC network
by using Serverless VPC Access.
This allows a standard environment service to access resources in your
Shared VPC network, such as Compute Engine VM instances,
Memorystore instances, and any other resources with an internal IP
address.
Serverless VPC Access connectors incur a monthly charge. For more information, see Serverless VPC Access
pricing.
If your organization does not use Shared VPC, see
Connect to a VPC network.
Comparison of configuration methods
For Shared VPC, Serverless VPC Access connectors can be
configured in two different ways. You can either set up connectors in each
service project that has standard environment resources that need access
to your network, or you can set up shared connectors in the host project. There
are advantages to each method.
Service projects
Advantages of creating connectors in the service projects:
- Isolation: Each connector has dedicated bandwidth and is unaffected by
bandwidth use of connectors in other service projects. This is good if you
have a service that experiences spikes in traffic, or if you need to ensure
that each service project is unaffected by connector use of other service
projects.
- Chargebacks: Charges incurred by connectors are associated with the
service project containing the connector. This enables easier chargebacks.
- Security: Allows you to follow the "principle of least privilege."
Connectors must be granted access to the resources in your Shared VPC
network that they need to reach. By creating a connector in the service
project, you can limit what the services in the project can access by using
firewall rules.
- Team independence: Reduces dependency on the host project administrator.
Teams can create and manage the connectors associated with their service
project. A user with the Compute Engine
Security Admin role or a
custom Identity and Access Management (IAM) role with the
compute.firewalls.create
permission enabled for the host project must still manage firewall rules for
the connector.
To set up connectors in service projects, see
Configure connectors in service projects.
Host project
Advantages of creating connectors in the host project:
- Centralized network management: Aligns with the Shared VPC model
of centralizing network configuration resources in the host project.
- IP address space: Preserves more of your IP address space. Connectors
require an IP address for
each instance, so having fewer connectors (and fewer instances in each
connector) uses fewer IP addresses. This is good if you are concerned about
running out of IP addresses.
- Maintenance: Reduces maintenance, because each connector you create may
be used by multiple service projects. This is good if you are concerned
about maintenance overhead.
- Cost for idle time: Can reduce the amount of connector idle time and
associated cost. Connectors incur costs even when they are not serving
traffic (see pricing). Having fewer
connectors may reduce the amount of resource you pay for when not serving
traffic, depending on your connector type and number of instances. This is
often cost effective if your use case involves a large number of services, and
the services are used infrequently.
To set up connectors in the host project, see
Configure connectors in the host project.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-25 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eApp Engine standard environment services can connect directly to a Shared VPC network using Serverless VPC Access, allowing access to resources like Compute Engine VMs and Memorystore instances with internal IP addresses.\u003c/p\u003e\n"],["\u003cp\u003eServerless VPC Access incurs a monthly charge, and is not compatible with the URL Fetch service, necessitating the discontinuation of \u003ccode\u003eURLFetchService\u003c/code\u003e if using Serverless VPC Access.\u003c/p\u003e\n"],["\u003cp\u003eFor Shared VPC setups, connectors can be configured in either service projects, offering benefits like isolation, easier chargebacks, enhanced security, and team independence, or in the host project, providing centralized management, IP address space preservation, reduced maintenance, and potential cost savings for idle time.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring connectors in service projects is ideal for services requiring isolation, detailed chargebacks, and granular security, while host project configuration is better suited for centralized management, conserving IP addresses, and reducing maintenance overhead.\u003c/p\u003e\n"],["\u003cp\u003eShared VPC users that do not wish to use serverless VPC should connect to their VPC network, using the process described in "Connect to a VPC network".\u003c/p\u003e\n"]]],[],null,["# Connecting to a Shared VPC network\n\nIf your organization uses [Shared VPC](/vpc/docs/shared-vpc), you can\nconnect App Engine standard environment services directly to your Shared VPC network\nby using [Serverless VPC Access](/vpc/docs/serverless-vpc-access).\nThis allows a standard environment service to access resources in your\nShared VPC network, such as Compute Engine VM instances,\nMemorystore instances, and any other resources with an internal IP\naddress.\n\nServerless VPC Access connectors incur a monthly charge. For more information, see Serverless VPC Access\n[pricing](/vpc/pricing#serverless-vpc-pricing).\n\nIf your organization does not use Shared VPC, see\n[Connect to a VPC network](/appengine/docs/legacy/standard/java/connecting-vpc).\n\n\u003cbr /\u003e\n\n| **Note:** Serverless VPC Access is not compatible with the [URL Fetch service](/appengine/docs/legacy/standard/java/javadoc/com/google/appengine/api/urlfetch/URLFetchService). To use Serverless VPC Access, discontinue any use of [`URLFetchService`](/appengine/docs/legacy/standard/java/javadoc/com/google/appengine/api/urlfetch/URLFetchService).\n\nComparison of configuration methods\n-----------------------------------\n\nFor Shared VPC, Serverless VPC Access connectors can be\nconfigured in two different ways. You can either set up connectors in each\nservice project that has standard environment resources that need access\nto your network, or you can set up shared connectors in the host project. There\nare advantages to each method. \n\n### Service projects\n\nAdvantages of creating connectors in the service projects:\n\n- **Isolation:** Each connector has dedicated bandwidth and is unaffected by bandwidth use of connectors in other service projects. This is good if you have a service that experiences spikes in traffic, or if you need to ensure that each service project is unaffected by connector use of other service projects.\n- **Chargebacks:** Charges incurred by connectors are associated with the service project containing the connector. This enables easier chargebacks.\n- **Security:** Allows you to follow the \"principle of least privilege.\" Connectors must be granted access to the resources in your Shared VPC network that they need to reach. By creating a connector in the service project, you can limit what the services in the project can access by using firewall rules.\n- **Team independence:** Reduces dependency on the host project administrator. Teams can create and manage the connectors associated with their service project. A user with the Compute Engine [Security Admin](/compute/docs/access/iam#compute.securityAdmin) role or a custom [Identity and Access Management (IAM)](/iam) role with the [`compute.firewalls.create`](/compute/docs/reference/rest/v1/firewalls/insert#iam-permissions) permission enabled for the host project must still manage firewall rules for the connector.\n\nTo set up connectors in service projects, see\n[Configure connectors in service projects](/appengine/docs/legacy/standard/java/shared-vpc-service-projects).\n\n### Host project\n\nAdvantages of creating connectors in the host project:\n\n- **Centralized network management:** Aligns with the Shared VPC model of centralizing network configuration resources in the host project.\n- **IP address space:** Preserves more of your IP address space. Connectors require an IP address for each instance, so having fewer connectors (and fewer instances in each connector) uses fewer IP addresses. This is good if you are concerned about running out of IP addresses.\n- **Maintenance:** Reduces maintenance, because each connector you create may be used by multiple service projects. This is good if you are concerned about maintenance overhead.\n- **Cost for idle time:** Can reduce the amount of connector idle time and associated cost. Connectors incur costs even when they are not serving traffic (see [pricing](/vpc/pricing#serverless-vpc-pricing)). Having fewer connectors may reduce the amount of resource you pay for when not serving traffic, depending on your connector type and number of instances. This is often cost effective if your use case involves a large number of services, and the services are used infrequently.\n\nTo set up connectors in the host project, see\n[Configure connectors in the host project](/appengine/docs/legacy/standard/java/shared-vpc-host-project)."]]
