Tags: google-app-engine, google-cloud-platform, vpc

How to communicate from one Standard App Engine service to another Standard App Engine service within a shared VPC?


I have a standard App Engine service which makes an API call to another App Engine service within the same shared VPC and project, but the response is a 403 Forbidden error. The standard App Engine service to which I am making the API call is configured with gcloud app services update service-name --ingress=internal-only, but as soon as I update the configuration of that App Engine service with gcloud app services update service-name --ingress=all, all the API calls are successful.

Note: as required by GCP, a serverless connector has been created and it is being used.

Questions

1. How to communicate from one Standard App Engine service to another Standard App Engine service within a shared VPC?

2. How can I communicate between App Engine services with the gcloud app services update service-name --ingress=internal-only configuration?


Solution

  • When you set the ingress to internal, you tell App Engine: accept only traffic coming from the VPCs of this project.

    Thus, you need to tell your other App Engine services: reach this (App Engine) service only through the VPC, or else you will be forbidden.

    Firstly, when you deploy on a serverless environment (App Engine, Cloud Run or Cloud Functions), you are on the Google Cloud VPC, not on your project VPC.

    Therefore, you have to set the egress of your App Engine service to use the VPC. You need to plug in a VPC connector to make this bridge between the Google serverless VPC world and your VPC.

    However, it won't work. Indeed, when you set that on App Engine, only the traffic to private IPs uses the serverless VPC connector, not the traffic to public IPs. You don't have the ability to set the VPC egress to all in order to route all the traffic through the VPC, public and private (as you can do with Cloud Functions and Cloud Run).

    Thus, the App Engine service, with a serverless VPC connector or not, will contact the internal App Engine service through the internet and not through the VPC, and you will get a 403 every time.

    In conclusion, you can't do that with App Engine; have a look at Cloud Run or Cloud Functions for this type of setup. You can also review your security design and not rely on the origin of the traffic (from the VPC) but on the authentication of the traffic (use an identity token and IAM to ensure the communication security).
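The answer's closing recommendation, authenticating the call instead of trusting its network origin, as an added example that is not from the question or the answer: the calling App Engine service fetches a Google-signed identity token from the metadata server for the callee's URL, and the callee verifies the token and allow-lists the caller's service account. The audience URL and the allowed service-account email are assumptions; the metadata-server endpoint and the google-auth calls are real.

```python
import time
import urllib.parse
import urllib.request

# Real metadata-server endpoint available to App Engine standard instances.
METADATA_IDENTITY_URL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity"


def fetch_identity_token(audience):
    """Caller side: ask the metadata server for an ID token whose audience is the callee's URL."""
    url = METADATA_IDENTITY_URL + "?" + urllib.parse.urlencode({"audience": audience})
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def call_internal_service(audience, path="/"):
    """Caller side: send the ID token as a bearer token (only works when running on GCP)."""
    token = fetch_identity_token(audience)
    req = urllib.request.Request(audience + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def authorize_claims(claims, expected_audience, allowed_callers, now=None):
    """Callee-side policy on already signature-verified claims: right audience,
    not expired, verified email, and caller service account on the allow list.
    Returns (ok, reason) so the reason can be logged on rejection."""
    now = time.time() if now is None else now
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if not claims.get("email_verified"):
        return False, "email not verified"
    if claims.get("email") not in allowed_callers:
        return False, "caller not allowed"
    return True, "ok"


def verify_caller(authorization_header, expected_audience, allowed_callers):
    """Callee side: check the Google signature with google-auth (needs network), then apply policy."""
    from google.auth.transport import requests as ga_requests  # lazy: only needed on the callee
    from google.oauth2 import id_token
    if not authorization_header.startswith("Bearer "):
        return False, "missing bearer token"
    token = authorization_header[len("Bearer "):]
    claims = id_token.verify_oauth2_token(token, ga_requests.Request(), expected_audience)
    return authorize_claims(claims, expected_audience, allowed_callers)
```

With this in place the callee can stay reachable from the internet (ingress=all) because an unauthenticated or wrong-audience request is rejected by the token check rather than by the network path.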