app engine unable to redirect traffic via cloud nat static ip address

Question

I am trying to send email using client's on-prem SMTP server using app engine standard. For this we have created Serverless VPC access connector in default network and Cloud NAT with static ip address to send egress traffic. Client has whitelisted static ip address and port. Following is code snippet in app engine

    msg.set_content('This is a HTML email')

    msg.add_alternative(cleared_html_content, subtype='html')
    try:
        context = ssl._create_unverified_context()
        print("starting conectn")
        with smtplib.SMTP('xx.xxxx.edu', 2525) as server:
            server.starttls(context=context)
            server.send_message(msg)
        print("sent almost")
    except Exception as e:
        print('Error: ', e)

Following is app.yaml

runtime: python37
entrypoint: gunicorn -t 120 -b :$PORT main:app
vpc_access_connector:
  name: projects/xxxxxxxxx/locations/us-central1/connectors/yyyyyyyyy

When i run my app using app engine url, I am getting following error in logs viewer

Error: (554, b"xxx.xxxxx.edu
Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."

Also i have created cloud function with same code as in app engine to test and surprisingly email was sent to intended recepient with out any issue. When i checked cloud NAT logs, it has all details when triggered via cloud function (in short it is using static ip address) but there are no logs related to app engine trigger. So i think my app engine traffic is not going via static ip address and not sure how to mention that in app.yaml

There might be code issue in email function as well but since it is working in cloud function, i really doubt about my app.yaml and not email python code. Any help is really appreciated

Answer 1

I understood that your SMTP IP was public. There is a caveat to know with serverless VPC connector.

With Cloud Function, and Cloud Run, you have the capacity to choose if only private IP or Public and Private IP are routed through the serverless VPC Connector

With app engine, I didn't find a clear description of the egress control, but I guess that only private IP (RFC1918) are routed through the VPC, and not the public one. And so, your Cloud Nat isn't used and thus you aren't authorised on the SMTP server of your school.

---

Edit 1:

You have 3 solutions to solve this

• You can create a Cloud Functions (or a Cloud Run service) that your App Engine calls when you need to send an email.
• You can switch from App Engine to Cloud Run (use the new beta command gcloud beta run deploy --source=. --region=<REGION> --platform=managed <Service Name>). Like this, you can deploy as with App Engine. The same Container engine builder as App Engine is used (Buildpack). You have to adapt the content of the app.yaml file (share it if you need help). However, up to now, IAP isn't compliant with Cloud Run. If you want to use it, wait!
• Create a VPN between your VPC and your school network. Like this, you will call your SMTP server with a private IP. On the smtp server, grant only the serverless VPC connector range to access it. And you no longer need a Cloud NAT configuration.