Re: [google-appengine] Re: need to connect App Engine Std to GCE via internal IP address

2017-04-24 Thread 'Lorne Kligerman' via Google App Engine 
Understood, thanks for the write up!



On Mon, Apr 24, 2017 at 4:45 PM, Robert Dyas 
wrote:

> Yes, but in addition to that consider it a feature request that the
> incoming IP address from GAE std to GCE will be easily identifiable (or a
> range). The reason for this is we have some servers that will still be
> accepting requests over their external IP that will be required to be
> encrypted, while the internal ones from GAE can come in unencrypted . To do
> this with MariaDB we need to see the incoming IP address ... so if its
> something like if its in 10.xxx.xxx.xxx we know its internal, and if not
> then its external and requires encryption.
>
>
> On Monday, April 24, 2017 at 7:30:26 PM UTC-4, Lorne Kligerman wrote:
>>
>> More details to come, however we will provide a mechanism to be sure that
>> only your App Engine app can connect to your own GCE VMs.
>>
>> On Mon, Apr 24, 2017 at 1:41 PM, Robert Dyas 
>> wrote:
>>
>>> Question: will the IP address from App Engine Std appear as though its
>>> on the internal GCE network? Hopefully yes so that its easy to filter
>>> incoming requests as coming from a trusted source or not.
>>>
>>> On Sunday, April 23, 2017 at 5:27:25 PM UTC-4, Lorne Kligerman wrote:
>>>
 Hey folks,

 I'm glad to report that this is something that we're actively working
 on!
 Nothing to report at the moment on timing but when ready for some
 testing I'll be sure to send a note here.  Stay tuned!

 Cheers,
 Lorne.
 Product Manager - App Engine

 On Saturday, April 22, 2017 at 7:15:31 AM UTC-7, Robert Dyas wrote:
>
> Yep, that helps. Thank you. I also bet that if you ran a test
> connecting over a 7 day period you would see lots of times where that
> ~200-400ms becomes ~1,000 to ~2,000+ms. When I run this same test
> machine-2-machine using the internal IP addresses on GCE, the time is 
> close
> enough to zero that I don't care. The net difference in our app is a 
> single
> request (a client can make up to 3 for a complex ERP screen) takes
> ~400-900ms (open tls connection, all the back and forth) whereas the same
> thing tested GCE to GCE via intenal ip takes 10ms (with high 
> consistency.).
> Multiply those numbers by 3x for our biggest customers (most complex apps)
> and you are looking at ~30ms vs ~2,000mm wait per click (which gets old.)
> They do tolerate this because they are coming from really nasty systems,
> but we want to provide the best possible cloud experience.
>
> I really hope someone at Google is monitoring this thread. If we could
> allocate our GAE std setup to the default GCE network for our project and
> avoid all this socket overhead it would be a very, very, very good thing.
>
>
>
> On Saturday, April 22, 2017 at 9:05:28 AM UTC-4, Evan Jones wrote:
>>
>> I just took a quick look at the trace viewer for ~5 requests. It
>> looks like sending/receiving data on an existing connection takes around
>> 1-5 ms for the Send and Receive calls.
>>
>> For creating a new connection: I see times like:
>>
>> CreateSocket: 3-5 ms
>> Resolve: 1 ms
>> Connect: 2-12 ms
>>
>> ... a whole bunch of additional Send/Receives that I assume are due
>> to the fact we use TLS connections, so there is a handshake that is
>> required.
>>
>> This whole process can take ~200-400 ms; some of which is "our fault"
>> because our server takes some time to execute the TLS handshake (I'm
>> guessing this adds ~50 ms, looking at the traces).
>>
>> Hope that helps!
>>
>>
>>
>> On Friday, April 21, 2017 at 5:56:55 PM UTC-4, Robert Dyas wrote:
>>>
>>> Do you have any idea how much slower creating a new connection is?
>>> This is probably our issue.
>>>
>>> We don't use connection pooling currently as each user is logged in
>>> to the db with their own credentials (ERP type app), but it might be 
>>> worth
>>> exploring if the pooling and driver can handle that. It would be great 
>>> to
>>> know how much slower you found creating the connection is vs write to 
>>> open
>>> connection...
>>>
>>>
>>>
>>> On Wednesday, April 19, 2017 at 8:24:59 PM UTC-4, Evan Jones wrote:

 My understanding is that App Engine Standard can only talk to
 things that are accessible via a "public" Internet IP address, so I'm 
 not
 sure I'm going to be able to provide any magic suggestions. However, I 
 will
 mention that in our experience we can get "reasonable" latency. In
 particular, we collect application-specific metrics by sending them 
 from
 our Python App Engine Standard code to compute engine, over an SSL
 encrypted socket (this is using the socket API directly). The App

Re: [google-appengine] Re: need to connect App Engine Std to GCE via internal IP address

2017-04-24 Thread Robert Dyas 
Yes, but in addition to that consider it a feature request that the 
incoming IP address from GAE std to GCE will be easily identifiable (or a 
range). The reason for this is we have some servers that will still be 
accepting requests over their external IP that will be required to be 
encrypted, while the internal ones from GAE can come in unencrypted . To do 
this with MariaDB we need to see the incoming IP address ... so if its 
something like if its in 10.xxx.xxx.xxx we know its internal, and if not 
then its external and requires encryption.


On Monday, April 24, 2017 at 7:30:26 PM UTC-4, Lorne Kligerman wrote:
>
> More details to come, however we will provide a mechanism to be sure that 
> only your App Engine app can connect to your own GCE VMs.
>
> On Mon, Apr 24, 2017 at 1:41 PM, Robert Dyas  > wrote:
>
>> Question: will the IP address from App Engine Std appear as though its on 
>> the internal GCE network? Hopefully yes so that its easy to filter incoming 
>> requests as coming from a trusted source or not.
>>
>> On Sunday, April 23, 2017 at 5:27:25 PM UTC-4, Lorne Kligerman wrote:
>>
>>> Hey folks,
>>>
>>> I'm glad to report that this is something that we're actively working on!
>>> Nothing to report at the moment on timing but when ready for some 
>>> testing I'll be sure to send a note here.  Stay tuned!
>>>
>>> Cheers,
>>> Lorne.
>>> Product Manager - App Engine
>>>
>>> On Saturday, April 22, 2017 at 7:15:31 AM UTC-7, Robert Dyas wrote:

 Yep, that helps. Thank you. I also bet that if you ran a test 
 connecting over a 7 day period you would see lots of times where that 
 ~200-400ms becomes ~1,000 to ~2,000+ms. When I run this same test 
 machine-2-machine using the internal IP addresses on GCE, the time is 
 close 
 enough to zero that I don't care. The net difference in our app is a 
 single 
 request (a client can make up to 3 for a complex ERP screen) takes 
 ~400-900ms (open tls connection, all the back and forth) whereas the same 
 thing tested GCE to GCE via intenal ip takes 10ms (with high 
 consistency.). 
 Multiply those numbers by 3x for our biggest customers (most complex apps) 
 and you are looking at ~30ms vs ~2,000mm wait per click (which gets old.) 
 They do tolerate this because they are coming from really nasty systems, 
 but we want to provide the best possible cloud experience.

 I really hope someone at Google is monitoring this thread. If we could 
 allocate our GAE std setup to the default GCE network for our project and 
 avoid all this socket overhead it would be a very, very, very good thing.



 On Saturday, April 22, 2017 at 9:05:28 AM UTC-4, Evan Jones wrote:
>
> I just took a quick look at the trace viewer for ~5 requests. It looks 
> like sending/receiving data on an existing connection takes around 1-5 ms 
> for the Send and Receive calls.
>
> For creating a new connection: I see times like:
>
> CreateSocket: 3-5 ms
> Resolve: 1 ms
> Connect: 2-12 ms
>
> ... a whole bunch of additional Send/Receives that I assume are due to 
> the fact we use TLS connections, so there is a handshake that is required.
>
> This whole process can take ~200-400 ms; some of which is "our fault" 
> because our server takes some time to execute the TLS handshake (I'm 
> guessing this adds ~50 ms, looking at the traces).
>
> Hope that helps!
>
>
>
> On Friday, April 21, 2017 at 5:56:55 PM UTC-4, Robert Dyas wrote:
>>
>> Do you have any idea how much slower creating a new connection is? 
>> This is probably our issue.
>>
>> We don't use connection pooling currently as each user is logged in 
>> to the db with their own credentials (ERP type app), but it might be 
>> worth 
>> exploring if the pooling and driver can handle that. It would be great 
>> to 
>> know how much slower you found creating the connection is vs write to 
>> open 
>> connection...
>>
>>
>>
>> On Wednesday, April 19, 2017 at 8:24:59 PM UTC-4, Evan Jones wrote:
>>>
>>> My understanding is that App Engine Standard can only talk to things 
>>> that are accessible via a "public" Internet IP address, so I'm not sure 
>>> I'm 
>>> going to be able to provide any magic suggestions. However, I will 
>>> mention 
>>> that in our experience we can get "reasonable" latency. In particular, 
>>> we 
>>> collect application-specific metrics by sending them from our Python 
>>> App 
>>> Engine Standard code to compute engine, over an SSL encrypted socket 
>>> (this 
>>> is using the socket API directly). The App Engine standard traces show 
>>> these packet writes taking about ~1-2 ms, but we certainly see that 
>>> creating a *new* connection is much, much slower. With a connection 
>>> pool,

Re: [google-appengine] Re: need to connect App Engine Std to GCE via internal IP address

2017-04-24 Thread 'Lorne Kligerman' via Google App Engine 
More details to come, however we will provide a mechanism to be sure that
only your App Engine app can connect to your own GCE VMs.

On Mon, Apr 24, 2017 at 1:41 PM, Robert Dyas 
wrote:

> Question: will the IP address from App Engine Std appear as though its on
> the internal GCE network? Hopefully yes so that its easy to filter incoming
> requests as coming from a trusted source or not.
>
> On Sunday, April 23, 2017 at 5:27:25 PM UTC-4, Lorne Kligerman wrote:
>
>> Hey folks,
>>
>> I'm glad to report that this is something that we're actively working on!
>> Nothing to report at the moment on timing but when ready for some testing
>> I'll be sure to send a note here.  Stay tuned!
>>
>> Cheers,
>> Lorne.
>> Product Manager - App Engine
>>
>> On Saturday, April 22, 2017 at 7:15:31 AM UTC-7, Robert Dyas wrote:
>>>
>>> Yep, that helps. Thank you. I also bet that if you ran a test connecting
>>> over a 7 day period you would see lots of times where that ~200-400ms
>>> becomes ~1,000 to ~2,000+ms. When I run this same test machine-2-machine
>>> using the internal IP addresses on GCE, the time is close enough to zero
>>> that I don't care. The net difference in our app is a single request (a
>>> client can make up to 3 for a complex ERP screen) takes ~400-900ms (open
>>> tls connection, all the back and forth) whereas the same thing tested GCE
>>> to GCE via intenal ip takes 10ms (with high consistency.). Multiply those
>>> numbers by 3x for our biggest customers (most complex apps) and you are
>>> looking at ~30ms vs ~2,000mm wait per click (which gets old.) They do
>>> tolerate this because they are coming from really nasty systems, but we
>>> want to provide the best possible cloud experience.
>>>
>>> I really hope someone at Google is monitoring this thread. If we could
>>> allocate our GAE std setup to the default GCE network for our project and
>>> avoid all this socket overhead it would be a very, very, very good thing.
>>>
>>>
>>>
>>> On Saturday, April 22, 2017 at 9:05:28 AM UTC-4, Evan Jones wrote:

 I just took a quick look at the trace viewer for ~5 requests. It looks
 like sending/receiving data on an existing connection takes around 1-5 ms
 for the Send and Receive calls.

 For creating a new connection: I see times like:

 CreateSocket: 3-5 ms
 Resolve: 1 ms
 Connect: 2-12 ms

 ... a whole bunch of additional Send/Receives that I assume are due to
 the fact we use TLS connections, so there is a handshake that is required.

 This whole process can take ~200-400 ms; some of which is "our fault"
 because our server takes some time to execute the TLS handshake (I'm
 guessing this adds ~50 ms, looking at the traces).

 Hope that helps!



 On Friday, April 21, 2017 at 5:56:55 PM UTC-4, Robert Dyas wrote:
>
> Do you have any idea how much slower creating a new connection is?
> This is probably our issue.
>
> We don't use connection pooling currently as each user is logged in to
> the db with their own credentials (ERP type app), but it might be worth
> exploring if the pooling and driver can handle that. It would be great to
> know how much slower you found creating the connection is vs write to open
> connection...
>
>
>
> On Wednesday, April 19, 2017 at 8:24:59 PM UTC-4, Evan Jones wrote:
>>
>> My understanding is that App Engine Standard can only talk to things
>> that are accessible via a "public" Internet IP address, so I'm not sure 
>> I'm
>> going to be able to provide any magic suggestions. However, I will 
>> mention
>> that in our experience we can get "reasonable" latency. In particular, we
>> collect application-specific metrics by sending them from our Python App
>> Engine Standard code to compute engine, over an SSL encrypted socket 
>> (this
>> is using the socket API directly). The App Engine standard traces show
>> these packet writes taking about ~1-2 ms, but we certainly see that
>> creating a *new* connection is much, much slower. With a connection pool,
>> our application sees reasonable latency.
>>
>> We also have some things making HTTP requests via the urlfetch API,
>> and again we see "reasonable" latency (although I should check what it
>> actually is, I haven't looked recently).
>>
>> I have no experience with JDBC on App Engine standard, so I can't
>> really help there.
>>
>> Good luck,
>>
>> Evan
>>
>>
>> On Wednesday, April 19, 2017 at 2:50:28 PM UTC-4, Robert Dyas wrote:
>>>
>>> I need to connect App Engine Std (AES) to GCE via an internal IP
>>> address.
>>>
>>>- Would GAE being issuing request and GCE, responses?  The other
>>>way around?  Both?
>>>- AES would issue the requests only
>>>- Are requests and responses tightly coupled like HTTP
>>>