Connecting to a Shared VPC network

If your organization usesShared VPC, you canconnect App Engine standard environment services directly to your Shared VPC networkby usingServerless VPC Access.This allows a standard environment service to access resources in yourShared VPC network, such as Compute Engine VM instances,Memorystore instances, and any other resources with an internal IPaddress.

Serverless VPC Access connectors incur a monthly charge. For more information, see Serverless VPC Accesspricing.

If your organization does not use Shared VPC, seeConnect to a VPC network.

Comparison of configuration methods

For Shared VPC, Serverless VPC Access connectors can beconfigured in two different ways. You can either set up connectors in eachservice project that has standard environment resources that need accessto your network, or you can set up shared connectors in the host project. Thereare advantages to each method.

Service projects

Advantages of creating connectors in the service projects:

  • Isolation: Each connector has dedicated bandwidth and is unaffected bybandwidth use of connectors in other service projects. This is good if youhave a service that experiences spikes in traffic, or if you need to ensurethat each service project is unaffected by connector use of other serviceprojects.
  • Chargebacks: Charges incurred by connectors are associated with theservice project containing the connector. This enables easier chargebacks.
  • Security: Allows you to follow the "principle of least privilege."Connectors must be granted access to the resources in your Shared VPCnetwork that they need to reach. By creating a connector in the serviceproject, you can limit what the services in the project can access by usingfirewall rules.
  • Team independence: Reduces dependency on the host project administrator.Teams can create and manage the connectors associated with their serviceproject. A user with the Compute EngineSecurity Admin role or acustomIdentity and Access Management (IAM) role with thecompute.firewalls.createpermission enabled for the host project must still manage firewall rules forthe connector.

To set up connectors in service projects, seeConfigure connectors in service projects.

Host project

Advantages of creating connectors in the host project:

  • Centralized network management: Aligns with the Shared VPC modelof centralizing network configuration resources in the host project.
  • IP address space: Preserves more of your IP address space. Connectorsrequire an IP address foreach instance, so having fewer connectors (and fewer instances in eachconnector) uses fewer IP addresses. This is good if you are concerned aboutrunning out of IP addresses.
  • Maintenance: Reduces maintenance, because each connector you create maybe used by multiple service projects. This is good if you are concernedabout maintenance overhead.
  • Cost for idle time: Can reduce the amount of connector idle time andassociated cost. Connectors incur costs even when they are not servingtraffic (seepricing). Having fewerconnectors may reduce the amount of resource you pay for when not servingtraffic, depending on your connector type and number of instances. This isoften cost effective if your use case involves a large number of services, andthe services are used infrequently.

To set up connectors in the host project, seeConfigure connectors in the host project.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.