🇪🇺 EU egress for App Engine, no VPC setup

🇪🇺 Static IP for Google App Engine

App Engine services get dynamic GCP egress by default, and the native fix needs a Serverless VPC Access connector, Cloud Router, and Cloud NAT. Route outbound calls through two fixed EU IPs with one env var, no GCP networking to configure.

app.yaml

# app.yaml env_vars

env_variables:

  HTTPS_PROXY: "https://user:pass@eu-01.outboundgateway.com:8443"

# main.py

import requests

r = requests.get(

  "https://api.partner.eu/data")

Why App Engine services need a predictable egress

Google's managed serverless platform is great for scaling, but getting a fixed outbound IP means building out a stack of GCP networking components.

Dynamic GCP egress by default

App Engine Standard and Flex services route outbound traffic through Google Cloud IP pools that rotate. A partner API or firewall that only allows known IPs blocks your service's requests.

Native static IP is a multi-piece project

The standard fix is a Serverless VPC Access connector plus a Cloud Router, Cloud NAT, and a reserved external IP. That's four GCP components to create, configure, and maintain just to pin an address.

US cloud, not EU

Even with VPC Access and Cloud NAT configured, your App Engine service's outbound traffic still leaves from Google Cloud (US-owned infrastructure). For GDPR-minded teams, the native path doesn't solve the data-residency side.

Extra cost and latency

Routing all outbound traffic through a Serverless VPC Access connector increases egress through the connector, which incurs additional charges and adds latency. That's a real cost for something that should be a simple config change.

When a partner API rejects your service's call

"Your App Engine app called us from a Google IP we've never seen. It's blocked."

You need a fixed address your partners can trust, not a rotating GCP pool they have to chase.

The Solution

Route App Engine outbound calls through a fixed EU IP pair

App Engine service

HTTPS Proxy

(Static EU IP)

Whitelisted API

Every outbound HTTPS call from your App Engine service leaves from the same pair of EU addresses. Two IPs with automatic failover, no Serverless VPC Access or Cloud NAT to configure.

One env var in app.yaml. If your code uses requests or fetch, setting HTTPS_PROXY is all it takes.
No Serverless VPC Access connector, no Cloud Router, no Cloud NAT. The proxy is application-level, so it works in Standard and Flex.
EU egress where Google offers none natively. Your service's outbound traffic leaves from European infrastructure, not US cloud.

What this gives an App Engine deployment

Two fixed EU addresses to whitelist, with automatic failover. Your partners see one stable identity, not a rotating set of Google Cloud IPs.
Skips the GCP networking stack. No Serverless VPC Access connector, no Cloud Router, no Cloud NAT, no reserved external IP. One env_variables entry in app.yaml.
No extra egress charges or latency from the VPC connector. The proxy routes at the application level, not through a VPC hop.
EU egress where Google has none. The App Engine runtime egresses from Google Cloud (US); OutboundGateway routes the same traffic through European infrastructure.
TLS passthrough. Your API tokens and request payloads stay unreadable at the proxy.

Who it's built for

App Engine developers

Running services on App Engine Standard or Flex that call partner APIs behind IP allowlists and need a fixed outbound address.

EU teams on GCP

Using App Engine for EU-regulated workloads who need service outbound calls to leave from European infrastructure, not US cloud.

Teams without GCP networking bandwidth

Who need a fixed IP but don't want to build and maintain Serverless VPC Access connectors, Cloud Routers, and Cloud NAT instances.

Compliance-minded teams

Accountable for where their App Engine services send data, who want a documented EU egress rather than rotating Google Cloud IPs.

Implementation

Set HTTPS_PROXY in your app.yaml. Outbound HTTPS calls then leave through your fixed EU IP.

Python (App Engine Standard)

Add HTTPS_PROXY to env_variables in app.yaml. The requests library reads it automatically.

# app.yaml
runtime: python311
env_variables:
  HTTPS_PROXY: "https://user:pass@eu-01.outboundgateway.com:8443"
  PARTNER_API_TOKEN: "your_token"

# main.py
import os
import requests

# requests honours HTTPS_PROXY from the environment
r = requests.get(
    "https://api.partner.eu/data",
    headers={"Authorization": f"Bearer {os.environ['PARTNER_API_TOKEN']}"},
)

print(r.status_code)  # 200, from your fixed EU IP

Node.js (App Engine Flex)

Same pattern in Node. Pass the proxy explicitly with https-proxy-agent.

// app.yaml env_variables set the same way

// server.js
const { HttpsProxyAgent } = require('https-proxy-agent');

const agent = new HttpsProxyAgent(process.env.HTTPS_PROXY);

// Every request leaves through your fixed EU IP
const res = await fetch('https://api.partner.eu/data', {
  headers: { 'Authorization': `Bearer ${process.env.PARTNER_API_TOKEN}` },
  agent,
});

Two IPs, no GCP networking to maintain

Your account comes with two static IP addresses (for example 51.xx.xx.10 and 51.xx.xx.11). Whitelist both on your partner API. If one proxy node is briefly unavailable, traffic shifts to the other. No VPC connector, no Cloud NAT to babysit.

📖 Want the longer version? Worked examples, error handling, and other languages are in the Python SSL Proxy Guide, Node.js Guide, and the rest of the docs.

EU egress for App Engine services

App Engine runs on Google Cloud (US). For GDPR-minded teams, a fixed EU egress gives your services a sovereign outbound path.

European infrastructure

The proxy runs in EU data centres, so your App Engine service's outbound traffic leaves from European infrastructure instead of a US Google Cloud region.

GDPR-conscious by design

Because TLS passes straight through, the proxy never decodes your API tokens or request payloads. It forwards encrypted bytes; it doesn't read them.

No transatlantic detours

App Engine traffic doesn't bounce through US infrastructure on its way to a partner API, keeping the data path inside the EU.

An egress you can name

When a reviewer asks where your App Engine service calls from, the answer is two fixed EU addresses, not a list of rotating Google Cloud IPs.

Why teams route App Engine through OutboundGateway

A pair of fixed IPs

Two addresses to register, with automatic failover. No rotating Google Cloud pool to chase.

No GCP networking

Skip Serverless VPC Access, Cloud Router, and Cloud NAT. One env_variables entry and it works.

EU-hosted

European data centres and a GDPR-conscious setup, giving your App Engine services a predictable EU address.

Standard and Flex

Works on both App Engine Standard and Flex, because the proxy is just an environment variable your code reads.

Encrypted end to end

TLS passthrough means the proxy can't read your traffic. Tokens and request data stay private.

Flexible plans

Starting from €29/month. Flexible plans for every scale. Cancel anytime.

Give your App Engine services a fixed EU egress

Stop letting dynamic GCP egress block your services' calls, and skip the VPC networking stack. Put your App Engine outbound traffic behind one stable, GDPR-conscious EU address.

€29/month starter plan • 7-day refund policy • Direct founder support

Frequently asked questions

Doesn't App Engine support static IPs via Serverless VPC Access?

Yes, but it's a multi-piece GCP networking project. You need a Serverless VPC Access connector, a Cloud Router, a Cloud NAT instance, and a reserved external IP, all configured together. It also incurs extra egress charges and adds latency. OutboundGateway skips all that: one HTTPS_PROXY env var in your app.yaml gives you a fixed pair of EU IPs.

Does HTTPS_PROXY work in App Engine Standard?

Yes. Add HTTPS_PROXY to env_variables in your app.yaml, and standard HTTP clients like requests (Python) or https-proxy-agent (Node.js) pick it up. The App Engine runtime exposes environment variables to your code, so no networking-layer configuration is needed.

Why would I use this instead of Cloud NAT for EU data residency?

Cloud NAT still routes through Google Cloud (US-owned infrastructure). Even if your VPC is in an EU region, the underlying cloud is US-owned. OutboundGateway routes through European data centres owned by an EU company, so your App Engine service's outbound traffic stays within EU jurisdiction without any VPC connector or Cloud NAT setup.

Still weighing it up?

Happy to talk through how a two-IP EU egress fits your App Engine setup, whether it's Standard, Flex, or a mix.

Contact Our Founders →