
We have set up a VPC Serverless access connector, and configured app engine to use this in app.yaml. We have egress_setting: all-traffic set, as we want to access a 3rd party API from a specific IP address. We used the documentation from https://cloud.google.com/appengine/docs/standard/python3/outbound-ip-addresses#static-ip.

Part of our testing is hitting a large set of URLs on App Engine and checking the HTTP status. In this testing we noticed a dramatic reduction in the rate of serving requests when using the connector. Since all egress traffic is routed via the connector, my first inclination is to think our application's usage of Google APIs (Datastore, Cloud Storage, Cloud SQL) is being impacted.

The connector still has the minimum number of instances as active instances, indicating we have not reached the limit of its performance, and that this is not the bottleneck. However, retesting with the vpc_access_connector removed from app.yaml returns performance to what we previously had.

I've tried enabling Private Google Access on the subnet the connector is linked to, but this has not improved the situation.

I think we may need to add some routing rules that allow us to send the traffic for Google APIs directly to Google's services, and not through the cloud NAT, but I'm unsure as to what rules would be applicable. I see no reason why this is not possible, but I haven't found the right documentation to guide me here.

Is this possible? Is this documented somewhere?

Mark
  • From reading https://cloud.google.com/nat/docs/overview#interaction-routes it looks like the cloud NAT gateway will handle any packets destined for the default internet gateway. I think this implies if we set up a second gateway, and route Google API traffic to that it will bypass the Cloud NAT. – Mark May 30 '22 at 00:48
  • Based on the documentation on creating routes (https://cloud.google.com/sdk/gcloud/reference/compute/routes/create) the only option for a static route using a gateway as next hop is currently "default-internet-gateway", which uses the cloud NAT gateway. So perhaps in future there will be another gateway option? – Mark May 30 '22 at 01:09
  • Can you help me understand the solution? We have tried using a Serverless VPC Access Connector for our project but we are unable to send any requests. I reviewed the config for the app.yaml and the VPC access connector and everything looked okay. Our goal was to call some APIs and connect to Redis. However, without the VPC access connector, we are able to call the APIs. But with the VPC access connector, we are only able to save data in Redis but are unable to call the APIs. – Anshuman Kumar Mar 17 '23 at 06:59
  • I think it might be best to open a new question with more details about your use case. We were certainly able to make requests from our app engine project and access Google APIs, but we did find some performance constraints by routing through the gateway. – Mark Mar 20 '23 at 02:30
  • Hey Mark, thanks for your response. We were able to resolve our issue with Cloud NAT. The APIs we were using are not a part of any VPN. Previously, all the requests to those APIs were just staying inside of our VPC. That was what my team member, who does the DevOps told me. – Anshuman Kumar Mar 21 '23 at 16:39
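The two documented values of `egress_setting` decide which outbound requests take the connector path at all, which is the trade-off behind the slowdown described in the question. The app.yaml below is an added example written for this page, not the questioner's file or Google's sample; `PROJECT_ID`, `REGION` and `CONNECTOR_NAME` are placeholders and the runtime line is assumed.

```yaml
# app.yaml for one App Engine standard service (added example; placeholders in caps).
runtime: python39

vpc_access_connector:
  name: projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME

  # all-traffic: every outbound request, the third-party API call and the
  # Google API calls (Datastore, Cloud Storage, Cloud SQL) alike, is sent
  # through the connector, the VPC route table and Cloud NAT. This is the
  # setting the static egress IP recipe requires, so connector throughput
  # now sits in front of every Google API round trip the service makes.
  egress_setting: all-traffic

  # private-ranges-only (the default): only requests to RFC 1918 / RFC 6598
  # destinations use the connector; requests to public endpoints, which
  # includes the Google APIs, leave App Engine directly and are unaffected by
  # the connector. The third-party API would then no longer see the static IP.
  # egress_setting: private-ranges-only
```

Because the setting is per service rather than per destination, one practical way to keep the static IP without routing Google API traffic through the connector is to isolate the code that calls the third-party API in its own App Engine service with `all-traffic`, and leave the services that mostly talk to Datastore, Cloud Storage and Cloud SQL on the default setting; the connector's active-instance count and the Cloud NAT metrics can then be compared between the two.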

0 Answers