App Engine services get dynamic GCP egress by default, and the native fix needs a Serverless VPC Access connector, Cloud Router, and Cloud NAT. Route outbound calls through two fixed EU IPs with one env var, no GCP networking to configure.
# app.yaml env_vars
env_variables:
HTTPS_PROXY: "https://user:pass@eu-01.outboundgateway.com:8443"
# main.py
import requests
r = requests.get(
"https://api.partner.eu/data")
Google's managed serverless platform is great for scaling, but getting a fixed outbound IP means building out a stack of GCP networking components.
App Engine Standard and Flex services route outbound traffic through Google Cloud IP pools that rotate. A partner API or firewall that only allows known IPs blocks your service's requests.
The standard fix is a Serverless VPC Access connector plus a Cloud Router, Cloud NAT, and a reserved external IP. That's four GCP components to create, configure, and maintain just to pin an address.
Even with VPC Access and Cloud NAT configured, your App Engine service's outbound traffic still leaves from Google Cloud (US-owned infrastructure). For GDPR-minded teams, the native path doesn't solve the data-residency side.
Routing all outbound traffic through a Serverless VPC Access connector increases egress through the connector, which incurs additional charges and adds latency. That's a real cost for something that should be a simple config change.
"Your App Engine app called us from a Google IP we've never seen. It's blocked."
You need a fixed address your partners can trust, not a rotating GCP pool they have to chase.
App Engine service
HTTPS Proxy
(Static EU IP)
Whitelisted API
Every outbound HTTPS call from your App Engine service leaves from the same pair of EU addresses. Two IPs with automatic failover, no Serverless VPC Access or Cloud NAT to configure.
app.yaml. If your code uses requests or fetch, setting HTTPS_PROXY is all it takes.
env_variables entry in app.yaml.
Running services on App Engine Standard or Flex that call partner APIs behind IP allowlists and need a fixed outbound address.
Using App Engine for EU-regulated workloads who need service outbound calls to leave from European infrastructure, not US cloud.
Who need a fixed IP but don't want to build and maintain Serverless VPC Access connectors, Cloud Routers, and Cloud NAT instances.
Accountable for where their App Engine services send data, who want a documented EU egress rather than rotating Google Cloud IPs.
Set HTTPS_PROXY in your app.yaml. Outbound HTTPS calls then leave through your fixed EU IP.
Add HTTPS_PROXY to env_variables in app.yaml. The requests library reads it automatically.
# app.yaml
runtime: python311
env_variables:
HTTPS_PROXY: "https://user:pass@eu-01.outboundgateway.com:8443"
PARTNER_API_TOKEN: "your_token"
# main.py
import os
import requests
# requests honours HTTPS_PROXY from the environment
r = requests.get(
"https://api.partner.eu/data",
headers={"Authorization": f"Bearer {os.environ['PARTNER_API_TOKEN']}"},
)
print(r.status_code) # 200, from your fixed EU IP
Same pattern in Node. Pass the proxy explicitly with https-proxy-agent.
// app.yaml env_variables set the same way
// server.js
const { HttpsProxyAgent } = require('https-proxy-agent');
const agent = new HttpsProxyAgent(process.env.HTTPS_PROXY);
// Every request leaves through your fixed EU IP
const res = await fetch('https://api.partner.eu/data', {
headers: { 'Authorization': `Bearer ${process.env.PARTNER_API_TOKEN}` },
agent,
});
Two IPs, no GCP networking to maintain
Your account comes with two static IP addresses (for example 51.xx.xx.10 and 51.xx.xx.11). Whitelist both on your partner API. If one proxy node is briefly unavailable, traffic shifts to the other. No VPC connector, no Cloud NAT to babysit.
📖 Want the longer version? Worked examples, error handling, and other languages are in the Python SSL Proxy Guide, Node.js Guide, and the rest of the docs.
App Engine runs on Google Cloud (US). For GDPR-minded teams, a fixed EU egress gives your services a sovereign outbound path.
The proxy runs in EU data centres, so your App Engine service's outbound traffic leaves from European infrastructure instead of a US Google Cloud region.
Because TLS passes straight through, the proxy never decodes your API tokens or request payloads. It forwards encrypted bytes; it doesn't read them.
App Engine traffic doesn't bounce through US infrastructure on its way to a partner API, keeping the data path inside the EU.
When a reviewer asks where your App Engine service calls from, the answer is two fixed EU addresses, not a list of rotating Google Cloud IPs.
Two addresses to register, with automatic failover. No rotating Google Cloud pool to chase.
Skip Serverless VPC Access, Cloud Router, and Cloud NAT. One env_variables entry and it works.
European data centres and a GDPR-conscious setup, giving your App Engine services a predictable EU address.
Works on both App Engine Standard and Flex, because the proxy is just an environment variable your code reads.
TLS passthrough means the proxy can't read your traffic. Tokens and request data stay private.
Starting from €29/month. Flexible plans for every scale. Cancel anytime.
Stop letting dynamic GCP egress block your services' calls, and skip the VPC networking stack. Put your App Engine outbound traffic behind one stable, GDPR-conscious EU address.
€29/month starter plan • 7-day refund policy • Direct founder support
Yes, but it's a multi-piece GCP networking project. You need a Serverless VPC Access connector, a Cloud Router, a Cloud NAT instance, and a reserved external IP, all configured together. It also incurs extra egress charges and adds latency. OutboundGateway skips all that: one HTTPS_PROXY env var in your app.yaml gives you a fixed pair of EU IPs.
Yes. Add HTTPS_PROXY to env_variables in your app.yaml, and standard HTTP clients like requests (Python) or https-proxy-agent (Node.js) pick it up. The App Engine runtime exposes environment variables to your code, so no networking-layer configuration is needed.
Cloud NAT still routes through Google Cloud (US-owned infrastructure). Even if your VPC is in an EU region, the underlying cloud is US-owned. OutboundGateway routes through European data centres owned by an EU company, so your App Engine service's outbound traffic stays within EU jurisdiction without any VPC connector or Cloud NAT setup.
Happy to talk through how a two-IP EU egress fits your App Engine setup, whether it's Standard, Flex, or a mix.
Contact Our Founders →