0
votes

I'd like to know in detail how to connect a Google Compute Engine virtual machine instance and App Engine.

I've set up a virtual machine instance on Google compute engine, and my Postgres server is running there, following this tutorial: https://cloud.google.com/community/tutorials/setting-up-postgres

I've deployed my Flask app under the same project on Google Cloud Platform, creating an App Engine instance.

I searched on how to connect Compute Engine and App Engine together, and it seems it should be possible through a VPC connector: connect Google App Engine and Google Compute Engine

This is what my VPC connector looks like:

Serverless VPC access

Name            Network Region          IP address range Min. throughput Max. throughput
connector-name  default europe-west2    10.8.0.0/28      200             300    

On Compute Engine, I have my VM instance like so:

Name        Zone            Internal IP         External IP 
some-name   europe-west2-c  10.154.0.2 (nic0)   34.89.113.193       

On my Flask app, I'm trying to connect to my remote DB like so:

    from playhouse.postgres_ext import PostgresqlExtDatabase

    db = PostgresqlExtDatabase(
        "some-name",  # database name
        user="postgres",
        password="some-password",
        host="10.154.0.2",  # remote host internal IP
        port=5432,
    )
    db.connect()

This is my app.yaml for the VPC access part. I've followed this reference: https://cloud.google.com/appengine/docs/standard/python/connecting-vpc#configuring

    vpc_access_connector:
      name: projects/some-name/locations/europe-west2/connectors/connector-name

If I understood correctly, if the VPC connector is present, I should just be able to connect using the internal IP address of my VM instance (in this case, 10.154.0.2)?

The problem is, when the app is deployed for production, it is still complaining that it cannot connect:

    2020-09-26 12:54:51 default[20200926t134815]    Is the server running on host "10.154.0.2" and accepting
    2020-09-26 12:54:51 default[20200926t134815]    TCP/IP connections on port 5432?

If it's connected internally I assume I don't have to add that internal IP to firewall rules, although I did try that as well. As for firewall rules, I have allowed my local machine's IP address so I can connect to the remote Postgres server via PgAdmin.

I've actually tried the external IP (34.89.113.193) as well, although that doesn't make sense to me.

I'm a bit of a noob on networks and backend stuff in general, any help would be much appreciated.

UPDATED 1: These are my firewall rules:

Direction
Ingress, Egress

Action on match
Allow

Source filters
IP ranges
92.40.176.9/32
78.146.103.141/32
10.154.0.2

Protocols and ports
tcp:5432

Image for reference: Screenshot for the list of firewall rules

2
Do you use the same VPC (name: default)? If so, can you share your firewall rules? - guillaume blaquiere

I think so, under the 'VPC network' menu, on the 'VPC networks' tab I have a 'default' with lots of regions, and then under the 'Serverless VPC access' tab I have the connector that is using the same default network - I've updated the firewall rules. Thanks! - broccolicheese

When connecting to the remote DB in this manner, I'm supposed to use the VM's internal IP address (10.154.0.2), not the connector's IP address (10.8.0.0), right? - broccolicheese

Yes, you use the correct internal IP. You shared your firewall rule to access the database from outside (can you share the target? Is it a tag? All VMs?). In addition, can you share the other firewall rules? - guillaume blaquiere

2 Answers

1
votes

It turns out the firewall / Postgres configurations were all OK, but because this VPC connector method was in beta, I needed to run:

    gcloud beta app deploy

instead of the usual

    gcloud app deploy

This command then updated gcloud Beta Commands and prompted me to enable the API:

    API [appengine.googleapis.com] not enabled on project [742932836941]. Would you like to enable and retry (this will take a few minutes)? (y/N)?

After enabling this everything worked fine.

0
votes

Per the information provided, it seems like both the VPC firewall rules and the connector are well configured.

However, based on the messages

    2020-09-26 12:54:51 default[20200926t134815] Is the server running on host "10.154.0.2" and accepting
    2020-09-26 12:54:51 default[20200926t134815] TCP/IP connections on port 5432?

It seems like the VM or server using 10.154.0.2 is not accepting requests on port 5432, or the port has not been opened. You can use this site to do a port scan.

Based on the guide you followed to create PostgreSQL, you are using Ubuntu as the OS, therefore I suggest you open the port in Ubuntu and see if the issue persists.
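
An added example, not code from the question or from either answer: a small Python probe for triaging the "Is the server running on host ... and accepting TCP/IP connections" error from inside the VPC, for instance from a temporary route in the deployed app, since an internal address such as 10.154.0.2 is only reachable from within the network. The function names and the hint texts are assumptions of this example; it separates a refused connection (nothing listening on that interface) from a timeout (packets dropped before reaching the VM).

```python
import errno
import socket

# Each TCP outcome points at a different layer to check next (added guidance).
HINTS = {
    "open": "TCP handshake completed; check pg_hba.conf and credentials next",
    "refused": "host reachable but nothing listens on that address/port; "
               "check listen_addresses in postgresql.conf",
    "timeout": "packets silently dropped; check VPC firewall ingress rules and "
               "that the deployed version really uses the connector",
    "unreachable": "no route from this environment to the address",
}


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the result as a short label."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        return "error: " + (exc.strerror or repr(exc))


def diagnose(host, port, timeout=3.0):
    """Return (label, hint) for one host:port pair."""
    label = probe_tcp(host, port, timeout)
    return label, HINTS.get(label, "unexpected socket error; inspect the message")


if __name__ == "__main__":
    # Values from the question: the VM's internal IP and the Postgres port.
    print(diagnose("10.154.0.2", 5432))
```

Run from a laptop outside the VPC, the same call against the internal IP will normally time out, which says nothing about the connector; the result is only meaningful from a workload that sits behind it.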