
How to route internal IP to external IP traffic in a Google Virtual Machine?


As you may know, Google App Engine Standard has no option for a static IP address, but you can get one by sending its outbound traffic through a proxy or VPN. The easiest and most realistic way is to create a separate Google Cloud Virtual Machine and make it work as a proxy server. The VM instance needs two IP addresses: the internal IP address (with its subnetwork) and a static external address.


Inside the VM instance, you need to install, configure and run the Squid proxy daemon. Don’t forget to set the VM firewall rules that allow external connections to your proxy.

In my case, the VM instance is a proxy server that is also connected to a third-party VPN service. The goal is that every request I send through my proxy server reaches its endpoint with the IP address of the VPN service.

Problem

When the VPN connection is turned on at the VM instance, the proxy connection stops working. Since the purpose of this proxy and VM instance is to support my main App Engine application, I can send requests from it directly, so a request from GAE goes via the local proxy at the address 10.8.0.2. If I want to send it from elsewhere, for example from my local machine while developing the app, I need to be able to send the request via the proxy’s external IP, in my case 35.*.*.164. In both cases the traffic is lost and you will not be able to get the request’s response until you set up the right routing inside the VM instance. Google Cloud does not do this automatically for us, so we need to get our hands dirty.

Solution

Let’s start with the local routing, which means sending the request through the local proxy, 10.8.0.2, and getting a response with the VPN’s external IP address. To make it work, we need to add a local route to the local subnet:

sudo route add -net 10.8.0.0/24 gw 10.8.0.1 ens4

Next, we must do the routing for external access:

sudo route add 46.*.*.122 gw 10.8.0.1 netmask 0.0.0.0 metric 10 dev ens4

Pay attention to the metric, which is the priority of the route. The address 46.*.*.122 is the IP address of my local machine. You may ask why I don’t route a whole range or subnetwork of addresses instead of a single one: because it would not work. The routing works for external IPs only if you add them one by one.
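The two routes above, as an added shell example that is not part of the original post: it adds the VPN subnet route and one /32 host route per allowed external client using the modern `ip route` syntax instead of the legacy `route` command, validates the address, skips routes that already exist, and with DRY_RUN=1 prints the commands instead of executing them. The interface ens4, the gateway 10.8.0.1 and the subnet 10.8.0.0/24 are taken from the post; the client address you pass in is your own.

```shell
#!/bin/sh
# Added example (not from the original post). Values below are assumptions
# copied from the post; adjust them to your VM.
IFACE="ens4"            # GCE network interface named in the post
VPN_GW="10.8.0.1"       # next hop used by both routes in the post
VPN_NET="10.8.0.0/24"   # local subnet the first route covers

# Run a command, or only print it when DRY_RUN is set (for review/testing).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address (wildcards like 46.*.*.122 are rejected).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# True when the kernel already has a route for this prefix (never true in dry run).
route_exists() {
    [ -z "$DRY_RUN" ] && [ -n "$(ip route show "$1" 2>/dev/null)" ]
}

# Local routing: reach the VPN subnet via the gateway on the GCE interface.
add_vpn_subnet_route() {
    route_exists "$VPN_NET" && return 0
    run ip route add "$VPN_NET" via "$VPN_GW" dev "$IFACE"
}

# External routing: one host route per client, since the post found that
# routing a whole range does not work here. Metric 10 as in the post.
add_client_route() {
    client="$1"
    valid_ipv4 "$client" || { echo "bad address: $client" >&2; return 1; }
    route_exists "$client/32" && return 0
    run ip route add "$client/32" via "$VPN_GW" dev "$IFACE" metric 10
}
```

Routes added this way are not persistent across a reboot, so put the script in your boot sequence or your network configuration. Keep the VM firewall rule for the proxy port limited to the same client addresses; the host routes only fix the return path, they do not restrict who can connect.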

Figure: internal routing for a Google Cloud virtual machine proxy and VPN

Conclusion

Google Cloud has the worst documentation and guides ever: there is no explanation of how to do external/internal subnetwork routing inside the VM instance. Google Cloud has a lot of networking settings, such as NAT, firewall, routes, traffic distribution and so on, but they are not helpful here and are easy to misunderstand. I lost a week making this work; I tried different approaches and found no clear answer to my questions anywhere on the internet, not on StackOverflow, Super User, Ubuntu Help or Reddit.
If you need additional info about the firewall or the Ubuntu setup and configuration inside the VM instance, please let me know in the comments, because this article is only about those two additional routes and says nothing about the additional Google Cloud setup that makes these routes work.

