0
votes

I'm writing a NodeJS app and trying to connect to GCP's Redis MemoryStore, but I'm getting the ETIMEDOUT 10.47.29.131:6379 error message. The 10.47.29.131 corresponds to the REDISHOST. I'm trying to reach the server by its internal private IP.

While the app works locally with a local Redis installed, it does not when deployed to the GCP AppEngine.

My GCP-Setup

  • Redis instance running at location europe-west3-a
  • Created a connector under "Serverless VPC access" which is in europe-west3
  • Redis and the VPC-connector are on the same network "default".
  • App Engine running in europe-west

The app.yml

runtime: nodejs
env: flex

automatic_scaling:

# or this but without env: flex (standard)
vpc_access_connector:
  name: "projects/project-ID/locations/europe-west/connectors/connector-name"

beta_settings:
    cloud_sql_instances: project-ID:europe-west3:name

env_variables:
  REDISHOST: '10.47.29.131'
  REDISPORT: '6379'

# removed this when trying without env: flex (standard)
network:
  name: default
  session_affinity: true

I followed these instructions to set everything up: https://cloud.google.com/memorystore/docs/redis/connect-redis-instance-standard

Digging deeper, I found: https://cloud.google.com/vpc/docs/configure-serverless-vpc-access where they mention something about permissions and serverless-vpc-access-images, and while trying to follow the instructions: https://cloud.google.com/compute/docs/images/restricting-image-access#trusted_images I couldn't find "Define trusted image projects." anywhere.

What am I missing here?

1
Had the same issue, be sure to add permission for "Compute Engine VM" to the service account you're using for deployment of the app. - yedpodtrzitko

The account I'm deploying with has the Owner permission on the whole project. Shouldn't that be sufficient? - ad_on_is

This is an IP addressing issue and not an IAM issue - Owner does not help with IP addressing problems. More details on what the address is (private, public, same VPC, etc). - John Hanley

@ad_on_is afaik that's not enough. The account I'm using is also owner, and yet I had to add the Compute Engine privileges there... - yedpodtrzitko

@yedpodtrzitko I added "Compute Admin" to both the owner service-account and the appengine-service-account, which had no effect. - ad_on_is

1 Answer

1
votes

Well, turns out, the problem was the region I've selected for the Redis instance.

From Documentation:

Important: In order to connect to a Memorystore for Redis instance, the connecting client must be located within the same region as the instance.

A region is a specific geographical location where you can run your resources. Each region is subdivided into several zones.

For example, the us-central1 region in the central United States has zones us-central1-a, us-central1-b, us-central1-c, and us-central1-f.

Although the documentation clearly says that AppEngine and Memorystore have to be in the same region, my assumption about what regions actually are was false.

When I created the AppEngine, I created it in europe-west, which is the same as europe-west1. On the other hand, when I created the redis instance, I used europe-west3, with the assumption that west3 is the same region as west, which it is not.

Since the AppEngine's region cannot be changed, I created another redis-instance in europe-west1 and now everything works.

So, the redis region must be exactly the same as the AppEngine region. region1 is the same as region, but region2 or region3 are not the same as region.
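
The region rule from this answer as a preflight check, written as an added example (it is not code from the original post or from Google). The function names are hypothetical, the alias table covers only the two App Engine locations that are reported without a trailing digit (europe-west and us-central), and the connector comparison assumes the Serverless VPC Access requirement that the connector sits in the same region as the app.

```javascript
// Added example: check that App Engine, the Memorystore instance and the
// Serverless VPC Access connector all resolve to the same region.

// App Engine reports these two locations without the trailing digit;
// everywhere else they are called europe-west1 and us-central1.
const APP_ENGINE_ALIASES = { 'europe-west': 'europe-west1', 'us-central': 'us-central1' };

function appEngineRegion(locationId) {
  return APP_ENGINE_ALIASES[locationId] || locationId;
}

// A zone is "<region>-<letter>", e.g. europe-west3-a -> europe-west3.
// A value that is already a region is returned unchanged.
function regionOfZone(zoneOrRegion) {
  return zoneOrRegion.replace(/-[a-z]$/, '');
}

// Connector names look like projects/P/locations/REGION/connectors/NAME.
function regionOfConnector(resourceName) {
  const m = /^projects\/[^/]+\/locations\/([^/]+)\/connectors\/[^/]+$/.exec(resourceName);
  if (!m) throw new Error(`not a connector resource name: ${resourceName}`);
  return m[1];
}

// Returns a list of mismatch descriptions; an empty list means all regions agree.
function checkRegions({ appEngineLocation, redisLocation, connectorName }) {
  const expected = appEngineRegion(appEngineLocation);
  const findings = [];
  const redis = regionOfZone(redisLocation);
  if (redis !== expected) findings.push(`Redis is in ${redis}, App Engine is in ${expected}`);
  const connector = regionOfConnector(connectorName);
  if (connector !== expected) findings.push(`connector name says ${connector}, App Engine is in ${expected}`);
  return findings;
}

// Values from the question (connector name as written in its app.yml).
const asPosted = checkRegions({
  appEngineLocation: 'europe-west',
  redisLocation: 'europe-west3-a',
  connectorName: 'projects/project-ID/locations/europe-west/connectors/connector-name',
});
// Constructed "after" values: Redis and connector recreated in europe-west1.
const afterFix = checkRegions({
  appEngineLocation: 'europe-west',
  redisLocation: 'europe-west1-b',
  connectorName: 'projects/project-ID/locations/europe-west1/connectors/connector-name',
});
console.log(asPosted, afterFix);
```

The App Engine location can be read with `gcloud app describe`; the other two values come from the Memorystore instance details and the connector's resource name.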