1

Can an App Engine Flexible app use a Cloud VPN connection set up in another project and, if so, is that implemented with a shared VPC or peered VPCs?

App Engine Flex app in Project 1
    |
    \- [MAGIC]
        |
        \- VPN set up in Project 2
            |
            \- Corp. Network
drumboots
  • 111
  • 5

2 Answers

0

Turns out this is not possible at this time. You cannot use VPC peering because you cannot route to a VPN in one VPC from a peered VPC, and App Engine Flex environments cannot use Shared VPCs.

Apparently we will be able to use Shared VPCs with App Engine Flex in the future, which would likely solve this problem. In the meantime, you need to run a VPN to every / any project that needs VPN services.

Possibly you could run a VPN between projects, and route to the VPN back to your corporate network that way. Haven't tried that or investigated it.

drumboots
  • 111
  • 5
0

App Engine flexible resources cannot participate in Shared VPC, as mentioned in the GCP public documentation here. It is not possible to reach a peered VPC network from a VPN tunnel, as routes are not transitive in GCP. From the on-premises network you can reach the VPC that is behind the tunnel, but no further hop.

What you could do is put a kind of proxy (a NAT instance or some IP masquerading process) in the project 2 VPC network, so that it would be reachable from the on-premises network via the VPN tunnel, and from that proxy you would be able to reach the VPC of project 1 through the VPC peering.

The simplest solution is to create a VPN network between the on-premises network and the projects' VPC network where the App Engine Flex app is located.

Django
  • 422
  • 2
  • 5
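The routing argument made in the answers above, as an added Python model that is not part of the original posts. It assumes routes behave as the answers describe (each network knows only its direct neighbours' subnets); the address ranges, host IPs and function names are constructed for illustration.

```python
import ipaddress

# Constructed address plan (assumption, not from the page).
SUBNETS = {
    "project1-vpc": ipaddress.ip_network("10.1.0.0/16"),  # App Engine Flex
    "project2-vpc": ipaddress.ip_network("10.2.0.0/16"),  # terminates the VPN
    "corp": ipaddress.ip_network("192.168.0.0/16"),
}
# Direct links only: the VPC peering and the Cloud VPN tunnel.
LINKS = [("project1-vpc", "project2-vpc"), ("project2-vpc", "corp")]


def route_tables(subnets, links):
    """Each network learns only its direct neighbours' own subnets.
    Learned routes are never re-advertised (non-transitive)."""
    tables = {name: {name: net} for name, net in subnets.items()}
    for a, b in links:
        tables[a][b] = subnets[b]
        tables[b][a] = subnets[a]
    return tables


def has_route(tables, network, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in tables[network].values())


def owner(subnets, ip):
    addr = ipaddress.ip_address(ip)
    return next(name for name, net in subnets.items() if addr in net)


def can_talk(tables, subnets, src_ip, dst_ip):
    """A flow works only if the source's network has a route to the
    destination and the destination's network has a route back."""
    src_net, dst_net = owner(subnets, src_ip), owner(subnets, dst_ip)
    return has_route(tables, src_net, dst_ip) and has_route(tables, dst_net, src_ip)


def via_proxy(tables, subnets, src_ip, proxy_ip, dst_ip):
    """Two separate flows: client to proxy, then the proxy (masquerading
    with its own project 2 address) to the final destination."""
    return (can_talk(tables, subnets, src_ip, proxy_ip)
            and can_talk(tables, subnets, proxy_ip, dst_ip))


if __name__ == "__main__":
    t = route_tables(SUBNETS, LINKS)
    print("app -> corp direct:", can_talk(t, SUBNETS, "10.1.0.5", "192.168.10.20"))
    print("app -> corp via proxy:", via_proxy(t, SUBNETS, "10.1.0.5", "10.2.0.10", "192.168.10.20"))
```

Adding a `("project1-vpc", "corp")` link to `LINKS` models the second answer's simplest solution, a VPN straight into the project that hosts the app, and makes the direct flow succeed.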