Migrate standard VPC connector to Direct VPC egress

Direct VPC egress delivers lower latency and higher throughput than Serverless VPC Access connectors because it uses a new, direct network path instead of connector instances.

Before you migrate, we recommend that you familiarize yourself with the following:

Migrate services to Direct VPC egress

Connectors continue to incur charges even if they have no traffic and are disconnected. For details, see pricing. If you no longer need your connector, be sure to delete it.

Migrate services to Direct VPC egress gradually

When you migrate App Engine services from Serverless VPC Access connectors to Direct VPC egress, we recommend that you transition gradually.

To transition gradually:

  1. Follow the instructions in this section to update your service to use Direct VPC egress.
  2. Split a small percentage of traffic to determine if the traffic routes correctly.
  3. Update the traffic split to send all traffic to the new version using Direct VPC egress.

To migrate traffic with Direct VPC egress for a service, use the Google Cloud CLI:

  1. Open your service's app.yaml file and remove any existing vpc_access_connector configurations. For example:

    vpc_access_connector:
      name: projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME
    
  2. Add the following vpc_access configuration section in your app.yaml file:

    vpc_access:
      network_interface:
        network: NETWORK
        subnet: SUBNET
        tags:
            - NETWORK_TAGS
      vpc_egress: EGRESS_SETTING

    Replace the following:

    • NETWORK: the name of the existing network your application instances connect to, for example, default.

    • SUBNET: the name of the existing subnetwork your application instances connect to, for example, default.

    • Optional: NETWORK_TAGS: a list of network tags to associate with your App Engine service's instances for use in firewall rules and routing policies.

    • Optional: EGRESS_SETTING: controls how outbound traffic is routed. This field supports the following configuration settings:

      • all-traffic: All outbound requests are routed through the VPC network.
      • private-ranges-only (default): Only traffic to internal IP addresses is routed through the VPC network. Internet traffic uses the default App Engine path.

  3. Re-deploy your service to App Engine by running the following command. The deployed version won't handle any live traffic initially:

    gcloud beta app deploy --no-promote

  4. To determine if traffic routes correctly, split a small percentage of traffic to the new version that uses Direct VPC egress.

  5. After verifying that traffic is routed correctly, migrate all traffic to the new version.

  6. If you no longer need your Serverless VPC Access connector, delete it to stop incurring costs.
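
A pre-deploy check for steps 1 and 2, added here as an example and not part of the original documentation: it confirms that the connector setting is gone, that network and subnet are set, and reports which egress setting will be in effect. The helper names yaml_value and check_app_yaml are hypothetical, and the line-based parsing assumes unquoted scalar values as in the snippets above.

```shell
# Added example (not from the original page): pre-deploy check of app.yaml.
# yaml_value and check_app_yaml are hypothetical helper names; the parser is
# line-based and assumes unquoted scalar values.

# Print the value of KEY inside the top-level vpc_access section of FILE.
yaml_value() {
  awk -v k="$1" '
    { sub(/[ \t]*#.*$/, "") }              # drop trailing comments
    /^vpc_access:/ { inblk = 1; next }     # entering the section
    /^[^ \t]/      { inblk = 0 }           # any other top-level key ends it
    inblk && $1 == (k ":") { print $2; exit }
  ' "$2"
}

# Return 0 if FILE is ready for Direct VPC egress, 1 otherwise.
# The body runs in a subshell so its variables do not leak to the caller.
check_app_yaml() (
  f="$1"; rc=0
  if grep -Eq '^[[:space:]]*vpc_access_connector:' "$f"; then
    echo "FAIL: vpc_access_connector is still configured (step 1)"; rc=1
  fi
  if ! grep -Eq '^vpc_access:' "$f"; then
    echo "FAIL: no vpc_access section (step 2)"; exit 1
  fi
  net=$(yaml_value network "$f")
  subnet=$(yaml_value subnet "$f")
  egress=$(yaml_value vpc_egress "$f")
  case "$net" in ''|NETWORK) echo "FAIL: network is not set"; rc=1 ;; esac
  case "$subnet" in ''|SUBNET) echo "FAIL: subnet is not set"; rc=1 ;; esac
  case "${egress:-private-ranges-only}" in   # unset means the default
    all-traffic)
      echo "egress=all-traffic: all outbound requests use the VPC network" ;;
    private-ranges-only)
      echo "egress=private-ranges-only: internet traffic uses the default App Engine path" ;;
    *) echo "FAIL: unsupported vpc_egress value: $egress"; rc=1 ;;
  esac
  exit "$rc"
)

# Constructed sample: a migrated app.yaml that relies on the default egress.
sample=$(mktemp)
printf '%s\n' 'runtime: python312' 'vpc_access:' '  network_interface:' \
  '    network: default' '    subnet: default' > "$sample"
check_app_yaml "$sample"
rm -f "$sample"
```

Run the check before `gcloud beta app deploy --no-promote`; a `private-ranges-only` result means internet-bound requests from the new version do not pass through the VPC network.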
