Stay organized with collections
Save and categorize content based on your preferences.
Region ID
The REGION_ID is an abbreviated code that Google assigns
based on the region you select when you create your app. The code does not
correspond to a country or province, even though some region IDs may appear
similar to commonly used country and province codes. For apps created after
February 2020, REGION_ID.r is included in
App Engine URLs. For existing apps created before this date, the
region ID is optional in the URL.
This section describes how to use ingress settings to restrict network access to
your App Engine app. At a network level, by default, any resource on
the internet is able to reach your App Engine app on its
appspot URL
or at a custom domain
set up in App Engine. For example, the appspot.com URL can have the
following format:
SERVICE_ID.PROJECT_ID.REGION_ID.r.appspot.com.
You can change this default setting by specifying a
different setting for ingress. All ingress paths, including the default
appspot.com URL, are subject to your ingress setting. Ingress is set at the
service level.
Available ingress settings
The following settings are available:
Setting
Description
Internal
Most restrictive. Allows requests from resources attached to the
project's VPC networks, such as:
VMs in the same project, including Compute Engine VMs.
Requests from these sources stay within the Google network, even
if they access your service at the appspot.com URL.
Requests from other sources, including the internet, cannot reach your
service at the appspot.com URL or custom domains. There
is no support for multi-tenancy, that is, multiple trust domains
within the same project.
Internal and Cloud Load Balancing
Allows requests from the following resources:
Resources allowed by the more restrictive Internal setting
External Application Load Balancer
Use the Internal and Cloud Load Balancing setting to accept requests
from an external Application Load Balancer but not directly from the internet. Requests to
the appspot.com URL bypass the external Application Load Balancer, so this
setting prevents external requests from reaching the
appspot.com URL.
All
Least restrictive. Allows all requests, including requests directly from
the internet to the appspot.com URL.
Accessing internal services
The following considerations apply:
For requests from a Shared VPC, traffic is only considered internal if the
App Engine app is deployed in the Shared VPC host project. If the
App Engine app is deployed in a Shared VPC service project, only traffic
from networks owned by the app's own project is internal. All other traffic,
including traffic from other Shared VPCs, is external.
When accessing internal services, call them as you would normally do by using
their public URLs, either the default appspot.com URL or a
custom domain set up in App Engine.
For requests from Compute Engine VM instances or other resources running
inside a
VPC network
in the same project, no further setup is required.
Requests from resources within VPC networks in the same project are classified
as internal even if the resource they originate from has a public IP address.
Requests from on-premises resources connected to the VPC network via
Cloud VPN are considered internal.
For requests from other App Engine services or from Cloud Run
or Cloud Run functions in the same project, connect the service or function to a
VPC network and route all egress through the connector, as described in
Connecting to a Shared VPC network.
Locate the Ingress column. For each service, the value in this column
shows the ingress setting as one of All (default),
Internal + Load Balancing, or Internal.
gcloud
To view the ingress setting for a service using the gcloud CLI:
gcloudappservicesdescribeSERVICE
Replace SERVICE with the name of your service.
For example, to view the ingress settings and other information for the
default service run:
If you use Serverless VPC Access,
you can specify the egress setting for your App Engine service.
By default, only requests to internal IP addresses and internal DNS names are
routed through a Serverless VPC Access connector. You can
specify the egress setting for your service in your app.yaml file.
Egress settings are not compatible with the URL Fetch service.
Using the urlfetch library ignores egress settings, and requests will not
route through a Serverless VPC Access connector.
To configure the egress behavior of your App Engine service:
Add the egress_setting attribute to the vpc_access_connector field of your
service's app.yaml file:
private-ranges-only Default. Only requests to
RFC 1918 and
RFC 6598 IP address
ranges or internal DNS names are routed to your VPC
network. All other requests are routed directly to the internet.
all-traffic All outbound requests from your service are
routed to your VPC network. Requests are then subject to
the firewall, DNS, and routing rules of your VPC network.
Note that routing all outbound requests to your VPC network
increases the amount of egress handled by the
Serverless VPC Access connector and can
incur charges.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eRegion ID is a code assigned by Google based on the selected region during app creation, and it's included in App Engine URLs for apps created after February 2020.\u003c/p\u003e\n"],["\u003cp\u003eIngress settings determine network access to your App Engine app, with options including "Internal," "Internal and Cloud Load Balancing," and "All" to control traffic sources.\u003c/p\u003e\n"],["\u003cp\u003eThe "Internal" ingress setting is the most restrictive, allowing only requests from resources within the project's VPC networks, while "All" is the least restrictive, permitting all internet traffic.\u003c/p\u003e\n"],["\u003cp\u003eEgress settings, available for most runtimes except PHP, define how outbound requests from your App Engine service are routed, with options to direct traffic to your VPC network or directly to the internet.\u003c/p\u003e\n"],["\u003cp\u003eYou can view and edit ingress settings via the Google Cloud Console or the gcloud command-line interface, and you can update the egress setting in the app.yaml file.\u003c/p\u003e\n"]]],[],null,["# Ingress settings\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\n### Region ID\n\nThe \u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e is an abbreviated code that Google assigns\nbased on the region you select when you create your app. The code does not\ncorrespond to a country or province, even though some region IDs may appear\nsimilar to commonly used country and province codes. For apps created after\nFebruary 2020, \u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e`.r` is included in\nApp Engine URLs. For existing apps created before this date, the\nregion ID is optional in the URL.\n\nLearn more\n[about region IDs](/appengine/docs/standard/python/how-requests-are-routed#region-id). \nOK\n\nThis section describes how to use ingress settings to restrict network access to\nyour App Engine app. At a network level, by default, any resource on\nthe internet is able to reach your App Engine app on its\n[appspot URL](/appengine/docs/standard/how-requests-are-routed)\nor at a [custom domain](/appengine/docs/standard/mapping-custom-domains)\nset up in App Engine. For example, the `appspot.com` URL can have the\nfollowing format:\n\u003cvar translate=\"no\"\u003eSERVICE_ID\u003c/var\u003e`.`\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e`.`\u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e`.r.appspot.com`.\n\nYou can change this default setting by specifying a\ndifferent setting for ingress. All ingress paths, including the default\n`appspot.com` URL, are subject to your ingress setting. Ingress is set at the\nservice level.\n\nAvailable ingress settings\n--------------------------\n\nThe following settings are available:\n\n### Accessing internal services\n\nThe following considerations apply:\n\n- For requests from a Shared VPC, traffic is only considered internal if the\n App Engine app is deployed in the Shared VPC host project. If the\n App Engine app is deployed in a Shared VPC service project, only traffic\n from networks owned by the app's own project is internal. All other traffic,\n including traffic from other Shared VPCs, is external.\n\n- When accessing internal services, call them as you would normally do by using\n their public URLs, either the default `appspot.com` URL or a\n [custom domain](/run/docs/mapping-custom-domains) set up in App Engine.\n\n- For requests from Compute Engine VM instances or other resources running\n inside a\n\n [VPC network](/appengine/docs/standard/connecting-vpc)\n in the same project, no further setup is required.\n\n- Requests from resources within VPC networks in the same project are classified\n as internal even if the resource they originate from has a public IP address.\n\n- Requests from on-premises resources connected to the VPC network via\n Cloud VPN are considered `internal`.\n\n\u003c!-- --\u003e\n\n- For requests from other App Engine services or from Cloud Run or Cloud Run functions in the same project, connect the service or function to a VPC network and route all egress through the connector, as described in [Connecting to a Shared VPC network](/appengine/docs/standard/connecting-shared-vpc).\n\n### View ingress settings\n\n### Console\n\n1. Go to the App Engine Services page.\n\n [Go to the Services page](https://console.cloud.google.com/appengine/services)\n2. Locate the **Ingress** column. For each service, the value in this column\n shows the ingress setting as one of **All** (default),\n **Internal + Load Balancing** , or **Internal**.\n\n### gcloud\n\nTo view the ingress setting for a service using the gcloud CLI: \n\n```bash\ngcloud app services describe SERVICE\n```\n\nReplace \u003cvar translate=\"no\"\u003eSERVICE\u003c/var\u003e with the name of your service.\n\nFor example, to view the ingress settings and other information for the\ndefault service run: \n\n```bash\ngcloud app services describe default\n```\n\n\u003cbr /\u003e\n\n### Edit ingress settings\n\n### Console\n\n1. Go to the App Engine Services page.\n\n [Go to the Services page](https://console.cloud.google.com/appengine/services)\n2. Select the service you wish to edit.\n\n3. Click **Edit ingress setting**.\n\n4. Select the ingress setting that you want from the menu and click\n **Save**.\n\n### gcloud\n\nTo update the ingress setting for a service using the gcloud CLI: \n\n```bash\ngcloud app services update SERVICE --ingress=INGRESS\n```\n\nReplace:\n\n- \u003cvar translate=\"no\"\u003eSERVICE\u003c/var\u003e: The name of your service.\n- \u003cvar translate=\"no\"\u003eINGRESS\u003c/var\u003e: The ingress control you want to apply. One of `all`, `internal-only`, or `internal-and-cloud-load-balancing`.\n\nFor example:\n\n- To update the default service of an App Engine app to accept traffic\n only from Cloud Load Balancing and VPC networks that are in the same\n project:\n\n ```bash\n gcloud app services update default --ingress=internal-and-cloud-load-balancing\n ```\n- To update a service named \"internal-requests\" to accept traffic only from VPC\n networks that are in the same project:\n\n ```bash\n gcloud app services update internal-requests --ingress=internal-only\n ```\n\n\u003cbr /\u003e\n\nEgress settings\n---------------\n\n| **Note:** Egress settings are not available for the PHP runtimes.\n\nIf you use [Serverless VPC Access](/vpc/docs/serverless-vpc-access),\nyou can specify the egress setting for your App Engine service.\n\n\nBy default, only requests to internal IP addresses and internal DNS names are\nrouted through a Serverless VPC Access connector. You can\nspecify the egress setting for your service in your `app.yaml` file.\n\nEgress settings are not compatible with the URL Fetch service.\nUsing the `urlfetch` library ignores egress settings, and requests will not\nroute through a Serverless VPC Access connector.\n\nTo configure the egress behavior of your App Engine service:\n\n1. Add the `egress_setting` attribute to the `vpc_access_connector` field of your\n service's `app.yaml` file:\n\n ```yaml\n vpc_access_connector:\n name: projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e/connectors/\u003cvar translate=\"no\"\u003eCONNECTOR_NAME\u003c/var\u003e\n egress_setting: EGRESS_SETTING\n ```\n\n Replace:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud project ID\n - \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e with the region your connector is in\n - \u003cvar translate=\"no\"\u003eCONNECTOR_NAME\u003c/var\u003e with the name of your connector\n - \u003cvar translate=\"no\"\u003eEGRESS_SETTING\u003c/var\u003e with one of the following:\n - `private-ranges-only` Default. Only requests to [RFC 1918](https://tools.ietf.org/html/rfc1918#section-3) and [RFC 6598](https://tools.ietf.org/html/rfc6598#section-7) IP address ranges or internal DNS names are routed to your VPC network. All other requests are routed directly to the internet.\n - `all-traffic` All outbound requests from your service are routed to your VPC network. Requests are then subject to the firewall, DNS, and routing rules of your VPC network. Note that routing all outbound requests to your VPC network increases the amount of egress handled by the Serverless VPC Access connector and can [incur charges](/vpc/pricing#serverless-vpc-pricing).\n2. Deploy the service:\n\n gcloud app deploy\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e"]]
