Internal Traffic Routing to AppEngine from 2nd Project's VPC

I have an AppEngine standard environment in project A; its VPC is peered with the VPC in Project B. I’d like to know if it’s possible to call the appspot.com domain of Project A’s AppEngine from a compute node in Project B’s VPC without incurring network egress charges? It’s the same region.

Hi @edwardr ,

Welcome to Google Cloud Community!

Since you have the VPC peering established for both projects A and B, below are the next steps for your case:

On Project A, configure App Engine Ingress: Set the ingress setting to internal-and-cloud-load-balancing. This restricts access to only the VPC network.

Create internal HTTP(S) load balancer:

  • Create a Serverless NEG pointing to your App Engine app.
  • Create a backend service for the load balancer using the Serverless NEG.
  • Configure appropriate health checks.
  • Create an internal HTTP(S) load balancer that uses the backend service you created. Note the internal IP address assigned to the load balancer.

For Project B: Configure DNS: In Project B’s Cloud DNS, create an A record mapping your App Engine app’s domain to the internal IP address of the Cloud Load Balancer in Project A.

From the Compute Engine instance in Project B, send a request to your App Engine app’s domain. The traffic should be routed through the internal load balancer, keeping it within Google’s network.

For more detailed insights you may reach out to Google Cloud Support for assistance.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

Hi, thanks for your reply. I have already tried that route, but it looks like Serverless NEG can only point to Cloud Run, not AppEngine.

Alternatives to Avoid Egress Charges

To minimize or eliminate egress costs, consider the following:

1. Use App Engine Internal Routing (Private IP)

App Engine Standard does not support VPC-native private IPs, but App Engine Flexible does.
If you migrate to App Engine Flexible, you can configure it with a VPC connector and use internal DNS resolution.

2. Use a Private Google Access (PGA) Endpoint

If you want to keep App Engine Standard, you can set up Private Google Access on Project B’s VPC.
Then, deploy a Cloud Load Balancer in Project A (with an internal backend).
This allows traffic to flow within Google’s network, reducing egress charges.
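A check for the DNS step in the first answer and the Private Google Access option in the second, added here as an example and not part of any post in the thread: run from the compute node in Project B, it resolves the app's hostname and reports whether every answer is an RFC 1918 address (an internal load balancer), a Private Google Access VIP, or a public front end. The function names and the `example-app.appspot.com` hostname are placeholders; the two VIP ranges are the ones Google documents for `private.googleapis.com` and `restricted.googleapis.com`. It inspects DNS answers only and says nothing about billing.

```python
import ipaddress
import socket
import sys

# Documented IPv4 ranges of the Private Google Access VIPs.
PGA_RANGES = {
    "private.googleapis.com": ipaddress.ip_network("199.36.153.8/30"),
    "restricted.googleapis.com": ipaddress.ip_network("199.36.153.4/30"),
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Label one resolved address by the network path it implies."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "internal"
    for name, net in PGA_RANGES.items():
        if ip in net:
            return "pga:" + name
    return "public"

def resolve(hostname):
    """Return the IPv4 addresses the local resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_host(hostname, resolver=resolve):
    """Resolve hostname and summarise whether all answers avoid public front ends."""
    addrs = resolver(hostname)
    labels = {a: classify(a) for a in addrs}
    kinds = set(labels.values())
    if not addrs:
        verdict = "no-answer"
    elif kinds == {"public"}:
        verdict = "public"        # the private zone or record is not being used
    elif "public" in kinds:
        verdict = "mixed"         # some records still bypass the override
    else:
        verdict = "private-path"
    return verdict, labels

if __name__ == "__main__":
    # Placeholder hostname; pass the real appspot.com name as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "example-app.appspot.com"
    print(check_host(host))
```

A `mixed` or `public` verdict on the VM means the Cloud DNS record is not attached to, or not visible from, the VPC network the instance uses.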