This page is for networking specialists who want to migrate Shared VPC network traffic from using Serverless VPC Access connectors to using Direct VPC egress when sending traffic to a Shared VPC network.
Direct VPC egress is faster and can handle more traffic than connectors, delivering lower latency and higher throughput because it uses a new, direct network path instead of connector instances.
Before migration, we recommend that you familiarize yourself with Direct VPC egress prerequisites, limitations, IP address allocation, and IAM permissions.
Connectors continue to incur charges even if they have no traffic and are disconnected. For details, see pricing. If you no longer need your connector, be sure to delete it.
Migrate services to Direct VPC egress gradually
When you migrate App Engine services from Serverless VPC Access connectors to Direct VPC egress, we recommend that you do so in a gradual transition.
To transition gradually:
- Follow the instructions in this section to update your service to use Direct VPC egress.
- Split a small percentage of traffic to determine if the traffic routes correctly.
- Update the traffic split to send all traffic to the new version using Direct VPC egress.
To migrate traffic with Direct VPC egress for a service, use the Google Cloud CLI:
Open your service's app.yaml file and remove any existing vpc_access_connector configurations. For example:

    vpc_access_connector:
      name: projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME

Add the following vpc_access configuration section in your app.yaml file, specifying the fully qualified resource names for the Shared VPC network and subnet in the host project:

    vpc_access:
      network_interface:
        network: projects/HOST_PROJECT_ID/global/networks/VPC_NETWORK
        subnet: projects/HOST_PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
        tags:
        - NETWORK_TAGS
      vpc_egress: EGRESS_SETTING
Replace the following:
HOST_PROJECT_ID: the ID of your Shared VPC host project.
VPC_NETWORK: the name of your Shared VPC network.
REGION: the region for your App Engine service, which must match the region of your subnet.
SUBNET_NAME: the name of your subnet.
Optional: NETWORK_TAGS: a list of network tags to associate with your App Engine service's instances for use in firewall rules and routing policies.
Optional: EGRESS_SETTING: controls how outbound traffic is routed. This field supports the following configuration settings:
- all-traffic: All outbound requests are routed through the VPC network.
- private-ranges-only (default): Only traffic to internal IP addresses is routed through the VPC network. Internet traffic uses the default App Engine path.
Re-deploy your service to App Engine by running the following command:
gcloud beta app deploy
After verifying that your service connects to the VPC network correctly, delete the old Serverless VPC Access connector to stop incurring costs.
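A pre-deployment check for the app.yaml changes described above, as an added example that is not part of the original page or of Google's tooling: it scans the file text line by line (it is not a full YAML parser) for a leftover vpc_access_connector, malformed or mismatched network and subnet names, a subnet region that differs from the service region, and an invalid vpc_egress value. The function names, finding messages, and the sample project, network, and subnet names are constructed for illustration.

```python
import re

NETWORK_RE = re.compile(r"^projects/([^/]+)/global/networks/([^/]+)$")
SUBNET_RE = re.compile(r"^projects/([^/]+)/regions/([^/]+)/subnetworks/([^/]+)$")
EGRESS_VALUES = {"all-traffic", "private-ranges-only"}
# Constructed sample: connector left in place, subnet in a different region.
SAMPLE = """\
vpc_access_connector:
  name: projects/svc-proj/locations/us-central1/connectors/old-conn
vpc_access:
  network_interface:
    network: projects/host-proj/global/networks/shared-net
    subnet: projects/host-proj/regions/us-east1/subnetworks/app-subnet
  vpc_egress: all-traffic
"""

def _value(text, key):
    """Return the scalar after `key:` on its own line, or None (line-based lookup)."""
    m = re.search(rf"^[ \t]*{re.escape(key)}:[ \t]*(\S+)[ \t]*$", text, re.MULTILINE)
    return m.group(1) if m else None

def check_app_yaml(text, service_region):
    """Return a list of findings for the Direct VPC egress settings in app.yaml text."""
    text = "\n".join(l.split("#", 1)[0].rstrip() for l in text.splitlines())  # drop comments
    findings = []
    if re.search(r"^vpc_access_connector:", text, re.MULTILINE):
        findings.append("vpc_access_connector is still present; remove it")
    if not re.search(r"^vpc_access:", text, re.MULTILINE):
        return findings + ["no vpc_access section found"]
    net = NETWORK_RE.match(_value(text, "network") or "")
    sub = SUBNET_RE.match(_value(text, "subnet") or "")
    if not net:
        findings.append("network is not a fully qualified host-project network name")
    if not sub:
        findings.append("subnet is not a fully qualified host-project subnet name")
    if net and sub and net.group(1) != sub.group(1):
        findings.append("network and subnet name different host projects")
    if sub and sub.group(2) != service_region:
        findings.append(f"subnet region {sub.group(2)} does not match service region {service_region}")
    egress = _value(text, "vpc_egress") or "private-ranges-only"  # default when omitted
    if egress not in EGRESS_VALUES:
        findings.append(f"vpc_egress {egress!r} is not all-traffic or private-ranges-only")
    elif egress == "private-ranges-only":
        findings.append("note: private-ranges-only leaves internet traffic on the default App Engine path")
    return findings

if __name__ == "__main__":
    print("\n".join(check_app_yaml(SAMPLE, "us-central1")))
```

An empty result means the checked fields are consistent; the private-ranges-only note is informational and matters when outbound internet traffic is expected to pass through VPC firewall rules and routing policies.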
What's next
- Learn more about the Best practices for IP management.
- Learn how to secure your App Engine app.