0
votes

I have an App Engine standard (2nd gen) service in europe-west1. I also have a GKE service behind a load balancer in us-central1. To hit the load balancer I set up a VPC connector in europe-west1 and updated the App Engine service's app.yaml with the necessary VPC connector config; however, the service cannot hit the load balancer. Requests fail with a timeout error.

Is there a zone/region limitation with serverless VPC connectors? I am able to successfully hit the load balancer from a serverless function in the same region with another VPC connector in that same region.

1
A connector must be located in the same project and region as the serverless service that connects to it, unless you use Shared VPC. - John Hanley
Thanks. In the documentation it says that only applies to some resources such as CloudSQL & Memorystore. Is that wrong and does it rather apply to all? - john-ra
If you create a Cloud Function in the same region as your App Engine, you can use the same VPC connector (no need to create a new one). In this case, test whether with your function you are able to reach your load balancer (same IP and port that you use in the App Engine code). The problem can come from a different VPC or firewall rules. - guillaume blaquiere
Yes, the function and connector are in the same region so it works as expected, and that is the case when the App Engine service is also in the same region. I was unsure whether creating a connector automatically set inter-regional egress rules. I'm looking into updating the connector egress rules to hit the LB in us-central1 and, if necessary, ingress rules for the LB to accept requests from the europe-west1 connector. - john-ra

1 Answers

0
votes

The question has more to do with outbound traffic from the VPC connector and not inbound traffic to the connector from the serverless service. The answer incorporates comments in the question.

The VPC connector firewall doesn't appear to restrict outbound traffic to the region the connector is in, so the issue may be with the load balancer's firewall restricting inbound traffic to the region it's in.

What was confusing is that even though the VPC connector and App Engine service are in the same region, the request to the connector fails with a timeout, indicating that the connector couldn't be hit. That interpretation is likely wrong; rather, the connector was hit but timed out forwarding the request to the load balancer because of the load balancer's firewall restriction.
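One way to check the firewall hypothesis in the answer above, as an added example that is not part of the original thread: evaluate exported ingress rules against the connector's IP range using VPC firewall precedence (lowest priority number wins, deny beats allow on a tie, implied deny otherwise). The rule set and connector range are constructed sample data shaped like `gcloud compute firewall-rules list --format=json` output, and every rule is assumed to apply to the load balancer's backends (target tags and service accounts are not modelled).

```python
import ipaddress

# Constructed sample rules; field names follow the firewall-rules JSON export.
RULES = [
    {"name": "allow-internal-us", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.128.0.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "deny-all-else", "direction": "INGRESS", "priority": 2000,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
]
CONNECTOR_RANGE = "10.8.0.0/28"  # constructed connector range, not from the thread


def _port_match(ports, port):
    """A rule entry without ports covers every port; ranges look like '8000-9000'."""
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _entry_match(entries, proto, port):
    return any(e["IPProtocol"] in ("all", proto) and _port_match(e.get("ports"), port)
               for e in entries)


def ingress_verdict(rules, source_cidr, proto, port):
    """Return (action, rule_name) for traffic from source_cidr to proto/port."""
    src = ipaddress.ip_network(source_cidr)
    matches = []
    for r in rules:
        if r.get("direction", "INGRESS") != "INGRESS" or r.get("disabled"):
            continue
        nets = [ipaddress.ip_network(s) for s in r.get("sourceRanges", [])]
        if not any(n.version == src.version and src.subnet_of(n) for n in nets):
            continue
        # Tuple order makes min() prefer lower priority number, then deny over allow.
        if _entry_match(r.get("denied", []), proto, port):
            matches.append((r["priority"], 0, "deny", r["name"]))
        elif _entry_match(r.get("allowed", []), proto, port):
            matches.append((r["priority"], 1, "allow", r["name"]))
    if not matches:
        return ("deny", "implied-deny-ingress")
    _, _, action, name = min(matches)
    return (action, name)


if __name__ == "__main__":
    print(ingress_verdict(RULES, CONNECTOR_RANGE, "tcp", 443))
```

A `deny` verdict for the connector range alongside an `allow` for an in-region source range reproduces the symptom described: the same-region function succeeds while cross-region requests time out.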