I have a Google App Engine app (python 2.7 - it's an old project in the middle of upgrading!) that needs to make queries to an Elasticsearch instance on Google Compute Engine. I'm able to make the requests using the GCE public ip address without an issue, but I'd prefer not to expose the GCE instance to the public internet.
- The app engine app is in region us-central
- The compute engine instance is in region us-central1, zone us-central1-f
- The compute engine instance is in vpc network "default". (not a legacy network)
- I've set up a Serverless VPC connector in us-central1, on default network.
- I've set up the app engine app.yaml to use the connector.
But http requests to the compute engine private IP address (10.128.0.2) get connection failures, and DNS lookups on the internal DNS name for the compute engine fail (edit: DNS lookup does work using socket.gethostbyname).

error: An error occured while connecting to the server: Unable to connect to server at URL: http://10.128.0.2:9200/indexname
The same request succeeds when using the public IP address (when I open the VPC firewall on port 9200).
Snippet from the app engine app config:

runtime: python27
api_version: '1'
env: standard
threadsafe: false
instance_class: F4
network:
  name: default
vpc_access_connector:
  name: >-
    projects/myproject/locations/us-central1/connectors/connector0301
gcloud beta --account="myaccount" --project="myproject" app describe:

authDomain: gmail.com
codeBucket: staging.myproject.appspot.com
databaseType: CLOUD_DATASTORE_COMPATIBILITY
defaultBucket: myproject.appspot.com
defaultHostname: myproject.appspot.com
featureSettings:
  splitHealthChecks: true
  useContainerOptimizedOs: true
gcrDomain: us.gcr.io
id: myproject
locationId: us-central
name: apps/myproject
servingStatus: SERVING
gcloud beta --account="myaccount" --project="myproject" compute instances describe (just the network snippet):

networkInterfaces:
- accessConfigs:
  - kind: compute#accessConfig
    name: External NAT
    natIP: SNIPPED
    networkTier: PREMIUM
    type: ONE_TO_ONE_NAT
  fingerprint: M087cXbOWII=
  kind: compute#networkInterface
  name: nic0
  network: https://www.googleapis.com/compute/beta/projects/myproject/global/networks/default
  networkIP: 10.128.0.2
  subnetwork: https://www.googleapis.com/compute/beta/projects/myproject/regions/us-central1/subnetworks/default
gcloud beta --account="myaccount" --project="myproject" compute networks vpc-access connectors list --region=us-central1

CONNECTOR_ID   REGION       NETWORK  IP_CIDR_RANGE  MIN_THROUGHPUT  MAX_THROUGHPUT  STATE
connector0301  us-central1  default  10.8.0.0/28    200             300             READY
gcloud beta --account="myaccount" --project="myproject" compute networks vpc-access connectors describe connector0301 --region=us-central1

ipCidrRange: 10.8.0.0/28
maxThroughput: 300
minThroughput: 200
name: projects/myproject/locations/us-central1/connectors/connector0301
network: default
state: READY
gcloud --account="myaccount" --project="myproject" compute firewall-rules describe default-allow-internal

allowed:
- IPProtocol: tcp
  ports:
  - 0-65535
- IPProtocol: udp
  ports:
  - 0-65535
- IPProtocol: icmp
creationTimestamp: '2020-02-11T11:18:09.906-08:00'
description: Allow internal traffic on the default network
direction: INGRESS
disabled: false
id: '1434668200291681054'
kind: compute#firewall
logConfig:
  enable: true
name: default-allow-internal
network: https://www.googleapis.com/compute/v1/projects/myproject/global/networks/default
priority: 65534
selfLink: https://www.googleapis.com/compute/v1/projects/myproject/global/firewalls/default-allow-internal
sourceRanges:
- 10.128.0.0/9
- 10.8.0.0/28
Do serverless VPC connectors not work for internal IP http requests?
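One thing worth ruling out before looking further up the stack is whether the VPC firewall rule actually admits the connector's egress range to the Elasticsearch port. The check below is an added example, not code from the question or from Google; it takes the `default-allow-internal` rule and the connector's `ipCidrRange` exactly as shown above (embedded here as constructed sample data, the way `gcloud ... describe` would return them) and decides whether every address in the connector range is allowed to reach tcp/9200. It is written for Python 3 (the `ipaddress` module is not in Python 2.7's standard library) and is generalized to any protocol/port and to partial overlaps, which it reports as failures because some connector addresses would then be dropped.

```python
"""Check whether a GCE VPC firewall rule (as returned by
`gcloud compute firewall-rules describe`) admits traffic from a
Serverless VPC connector's IP range to a given protocol/port.
Added example, not from the original question."""
import ipaddress

# Constructed sample: the default-allow-internal rule from the question,
# reduced to the fields that matter for an ingress decision.
FIREWALL_RULE = {
    "name": "default-allow-internal",
    "direction": "INGRESS",
    "disabled": False,
    "priority": 65534,
    "allowed": [
        {"IPProtocol": "tcp", "ports": ["0-65535"]},
        {"IPProtocol": "udp", "ports": ["0-65535"]},
        {"IPProtocol": "icmp"},          # no "ports" key: all ICMP
    ],
    "sourceRanges": ["10.128.0.0/9", "10.8.0.0/28"],
}

# ipCidrRange of connector0301 as listed in the question.
CONNECTOR_RANGE = "10.8.0.0/28"


def _port_allowed(port_specs, port):
    """True if `port` is inside any entry of an allowed[].ports list.
    Entries are single ports ("9200") or inclusive ranges ("0-65535").
    A missing or empty list means every port for that protocol."""
    if not port_specs:
        return True
    for spec in port_specs:
        if "-" in spec:
            lo, hi = (int(x) for x in spec.split("-", 1))
        else:
            lo = hi = int(spec)
        if lo <= port <= hi:
            return True
    return False


def rule_admits(rule, source_cidr, protocol, port):
    """Return (ok, reason): does this INGRESS rule admit `protocol`/`port`
    from *every* address in `source_cidr`?  The source range must sit
    entirely inside one sourceRanges entry; partial overlap counts as a
    failure because part of the connector range would be blocked."""
    if rule.get("disabled"):
        return False, "rule is disabled"
    if rule.get("direction") != "INGRESS":
        return False, "rule is not an INGRESS rule"
    src = ipaddress.ip_network(source_cidr, strict=False)
    covered = any(
        src.subnet_of(ipaddress.ip_network(r, strict=False))
        for r in rule.get("sourceRanges", [])
    )
    if not covered:
        return False, "%s is not fully inside any sourceRanges entry" % source_cidr
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"].lower() == protocol.lower() and _port_allowed(
            entry.get("ports"), port
        ):
            return True, "allowed by %s" % rule["name"]
    return False, "no allowed entry matches %s/%d" % (protocol, port)


def check_connector_to_elasticsearch(rule=FIREWALL_RULE,
                                     connector_cidr=CONNECTOR_RANGE,
                                     port=9200):
    """The question's case: connector egress range -> Elasticsearch tcp/9200."""
    return rule_admits(rule, connector_cidr, "tcp", port)


if __name__ == "__main__":
    ok, reason = check_connector_to_elasticsearch()
    print("connector %s -> tcp/9200: %s (%s)"
          % (CONNECTOR_RANGE, "ALLOWED" if ok else "BLOCKED", reason))
```

For the rule and connector shown in the question this reports ALLOWED, i.e. the VPC firewall is not what is dropping the connection; the same function can be pointed at any other rule in the project (a higher-priority deny rule, for instance) by feeding it the corresponding `describe` output.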