You can send egress (outbound) traffic from an App Engine service to a VPC network using either Direct VPC egress or Serverless VPC Access connectors.
This document helps networking specialists compare these methods to determine which solution best meets their requirements for performance, cost, and management.
Both Direct VPC egress and Serverless VPC Access connectors allow access to resources with an internal IP address, such as Compute Engine VM instances and Memorystore instances.
We recommend using Direct VPC egress since it brings enhanced infrastructure and simpler VPC egress configuration to App Engine. For key benefits, see Direct VPC egress.
Serverless VPC Access connectors also let you send requests to your VPC network and receive the corresponding responses without using the public internet. Compared to Direct VPC egress, the setup requires additional maintenance and cost with lower throughput, but connectors are still a suitable option if your application requires lower cold start latency when scaling from zero or has limited IP address availability.
Inbound and outbound requests
When using Direct VPC egress or Serverless VPC Access connectors, outbound connections initiated by App Engine services route directly to and from their destination.
Inbound requests sent from your VPC network to App Engine route through a custom load balancer, not through Direct VPC egress or Serverless VPC Access connectors.
Key differences
The following table compares the key capabilities, performance characteristics, and costs for Direct VPC egress and Serverless VPC Access connectors.
| Feature | Direct VPC egress | Serverless VPC Access connector |
|---|---|---|
| Latency | Lower | Higher |
| Throughput | Higher | Lower |
| IP allocation | Uses more IP addresses in most cases | Uses fewer IP addresses |
| Cost | No additional VM charges | Incurs additional VM charges |
| Scaling speed | Instance autoscaling is slower, including starting from zero (cold start latency), while creating new VPC network interfaces. | Network latency occurs during VPC network traffic surges while more connector instances are created. |
| Network tags | Finer granularity. Each service can have its own unique sets of tags; firewall rules applied separately. | Less granularity. Shared across App Engine services that use the same connectors; firewall rules applied at the connector level. |
| Firewall Rules Logging | Firewall Rules Logging for App Engine egress traffic doesn't include the resource name. | Firewall Rules Logging for App Engine egress traffic includes the connector instance name, not the name of the App Engine service. |
| Google Cloud console | Not supported | Supported |
| Google Cloud CLI | Supported | Supported |
| Launch stage | Preview | GA |
Pricing
For pricing information, see App Engine pricing.
With Serverless VPC Access connectors, you pay for two types of charges: Compute (billed as Compute Engine VMs) and network egress (billed as traffic from VMs). With Direct VPC egress, you pay only for network egress (at the same rate as connectors). You don't pay any compute charges.
If you use Serverless VPC Access connectors, you can view your associated costs as follows:
- Go to the Cloud Billing Reports page in the Google Cloud console.
- If prompted, select the billing account associated with your Google Cloud project.
- In the Filters panel, under Labels, add a label filter with the key serverless-vpc-access.
- In the Value field, select the names of the connectors that you want to filter for.
What's next
- Configure Direct VPC egress
- Configure Serverless VPC Access connectors
- Compare Direct VPC egress between App Engine and Cloud Run
- Connect to a Shared VPC network