examlab .net The most efficient path to the most valuable certifications.
Support
In this note ≈ 18 min

Cloud Run & App Engine

3,560 words · ≈ 18 min read ·

Explore the serverless world of Google Cloud. Learn the differences between Cloud Run and App Engine, how to deploy applications, manage versions, and optimize for cost and performance.

Do 20 practice questions → Free · No signup · ACE

Introduction to Cloud Run and App Engine

In the modern cloud era, the goal of many developers is to "just write code" and not worry about the underlying servers. This is the promise of Cloud Run and App Engine, Google Cloud's two flagship serverless application hosting platforms. For the Associate Cloud Engineer, understanding when to use each platform and how to manage their lifecycles is a fundamental skill.

Cloud Run and App Engine both offer a "Scale-to-Zero" model, meaning you only pay when your code is actually running. However, they differ significantly in their approach: App Engine is a platform-as-a-service (PaaS) that follows a more traditional web application model, while Cloud Run is a container-as-a-service (CaaS) that brings the power of containers to the serverless world. Mastering these two services allows you to build highly scalable, cost-effective, and low-maintenance applications.

白話文解釋(Plain English Explanation)

To differentiate between the various hosting options in Cloud Run and App Engine, let's look at three analogies.

1. The Pre-built Apartment vs. The Shipping Container Home (The Platforms)

  • App Engine Standard is like a fully furnished, pre-built apartment. The layout is fixed, and the appliances are provided for you. You just move in and start living. It's fast and easy, but you can't tear down the walls.
  • App Engine Flexible is like an apartment where you can choose your own appliances and paint the walls, but it takes a bit longer to set up.
  • Cloud Run is like a high-tech shipping container home. You build the entire home exactly how you want it inside the container, and Google Cloud provides the "land" (infrastructure) to plug it in and run it.

In Cloud Run and App Engine, your choice depends on how much control you need over your "living environment" (the runtime and OS).

2. The Automatic Sprinkler System (Scaling)

Think about watering a garden:

  • Compute Engine is like manually holding a hose. You have to be there to turn it on and off.
  • Cloud Run and App Engine are like an automatic, smart sprinkler system.

When the soil gets dry (traffic increases), the sprinklers turn on automatically. When the soil is wet enough (traffic drops), the sprinklers turn off completely. You don't pay for water you don't use. This "scale-to-zero" capability is the defining feature of Cloud Run and App Engine.

3. The Pizza Delivery Service (Deployment)

Consider how you get a pizza:

  • App Engine is like a specialized pizza delivery app where you just pick the toppings (your code) from a list, and they handle everything else.
  • Cloud Run is like a gourmet meal kit where you prep everything (containerize your app) and they just provide the stove to cook it.

Both get you a meal (a running application), but the "prep work" (packaging) is different. Cloud Run and App Engine cater to different developer workflows.

Google App Engine (GAE): The Original Serverless

App Engine is Google's original serverless offering, predating most other cloud services.

App Engine Standard Environment

The Standard environment uses specific runtimes (e.g., Python 3.10, Node.js 18) provided by Google. It scales extremely fast and is the most cost-effective option for applications that stay within the provided language versions.

App Engine Flexible Environment

The Flexible environment runs your code inside Docker containers on Compute Engine VMs. This allows you to use any language version or library, but it scales slower than Standard and cannot scale to zero instances.

Versions and Services Architecture

An App Engine application is composed of multiple "Services," each having multiple "Versions." This allows you to run different parts of your app (e.g., frontend, backend, worker) independently.

Google Cloud Run: Modern Serverless with Containers

Cloud Run is built on the Knative open-source standard, offering incredible portability.

Cloud Run Services vs. Cloud Run Jobs

  • Cloud Run Services: Used for web apps and APIs that respond to requests.
  • Cloud Run Jobs: Used for data processing or administrative tasks that run to completion and then stop.

Knative and the Portability of Cloud Run

Because Cloud Run uses standard Docker containers, you can easily move your application from Cloud Run to a GKE cluster or even to another cloud provider without changing your code.

Deploying from Source vs. Deploying from Images

You can deploy to Cloud Run by providing a pre-built container image in Artifact Registry, or you can use "Google Cloud Build" to automatically build and deploy your source code.

Cloud Run is a managed compute platform that enables you to run containers that are invocable via requests or events. Source ↗

Choosing Between App Engine and Cloud Run

As an Associate Cloud Engineer, you must know which tool to pick for the job in the Cloud Run and App Engine category.

When to Use App Engine Standard

  • Your app is written in a supported language (Python, Java, Node.js, Go, PHP, Ruby).
  • You need the fastest possible scaling.
  • Your app has long periods of zero traffic (to save costs).

When to Use App Engine Flexible

  • You need to use a custom runtime or language version not supported by Standard.
  • Your app requires persistent disk access.
  • You need to access resources on your local network via a VPN.

When to Use Cloud Run

  • You already use Docker and containers.
  • You want to use a language or binary not supported by App Engine.
  • You want the best balance of flexibility and "scale-to-zero" cost savings.
  • You want to build an event-driven architecture using Eventarc.

Deploying to App Engine

Deploying to the Cloud Run and App Engine ecosystem is designed to be developer-friendly.

The app.yaml Configuration File

This file defines your App Engine settings, including the runtime, instance class, and environment variables.

runtime: python39
instance_class: F1
env_variables:
  DB_HOST: "my-db-host"

Deploying with gcloud app deploy

This command uploads your code and creates a new version of your service.

Traffic Splitting and Version Management

You can run multiple versions of your app simultaneously and use traffic splitting to perform A/B testing or canary releases.

App Engine applications are 'Regional' resources. Once you choose a region for your App Engine app, you CANNOT change it. This is a common exam point for Cloud Run and App Engine. Source ↗

Deploying to Cloud Run

Key Parameters for gcloud run deploy

When deploying to Cloud Run, you can specify the region, the service account to use, and whether to allow unauthenticated (public) access.

gcloud run deploy my-service \
    --image gcr.io/my-project/my-app \
    --platform managed \
    --region us-central1 \
    --allow-unauthenticated

Managing Revisions and Traffic

Every time you deploy to Cloud Run, a new immutable "Revision" is created. You can split traffic between revisions just like in App Engine.

Configuring Concurrency and Timeout

Unlike App Engine, Cloud Run allows a single instance to handle multiple concurrent requests (up to 1000). This is a major efficiency boost for Cloud Run and App Engine workloads.

The --allow-unauthenticated flag on gcloud run deploy does NOT make your service "less secure by default" — it grants the roles/run.invoker role to allUsers, which is what actually lets the public hit the URL. Removing the flag alone is not enough to lock down an already-public service; you must also revoke the allUsers IAM binding from the Cloud Run invoker role. Similarly, App Engine Flexible cannot scale to zero — it always keeps at least one instance running, so "scale-to-zero" answers must point to Standard or Cloud Run. Source ↗

Scaling Mechanisms in Serverless

Scaling is what makes Cloud Run and App Engine so powerful.

Scaling to Zero: The Cost Advantage

If no one is using your app, you don't pay anything. This is the primary driver for choosing serverless in the Cloud Run and App Engine space.

Cold Starts and How to Mitigate Them

A "Cold Start" happens when your app needs to start from zero instances to handle a request. This can cause a few seconds of latency.

  • Mitigation: Use "Min Instances" to keep a warm instance ready at all times.

Min Instances and Reserved Capacity

While "Min Instances" costs money, it eliminates cold starts and provides a baseline level of performance for your Cloud Run and App Engine apps.

Use 'min-instances' for critical services where latency is more important than the cost of keeping a single instance running. Source ↗

Networking for Serverless

Ingress Settings: Internal vs. All

You can restrict your Cloud Run and App Engine apps so they can only be reached from within your VPC or through a Load Balancer.

Serverless VPC Access Connector

If your serverless app needs to talk to a resource with a private IP (like a Cloud SQL instance or a VM), you MUST use a Serverless VPC Access Connector.

For any ACE scenario where Cloud Run or App Engine needs to reach a private-IP resource (e.g., a Cloud SQL instance without a public IP, or a VM on an internal subnet), the answer is always a Serverless VPC Access Connector — public internet egress will not work, and adding the service account alone does not bridge the network. Pair this with 'Ingress: Internal' to keep the service reachable only from within your VPC or a Load Balancer. Source ↗

Custom Domains and Managed SSL

Both platforms make it easy to map your own domain name (e.g., www.myapp.com) and will automatically provision SSL certificates for you.

Managing Secrets and Environment Variables

Using Secret Manager with Serverless

Never store passwords in your code or app.yaml. Instead, use Secret Manager and mount the secrets as environment variables or files in your Cloud Run and App Engine apps.

Best Practices for Sensitive Data

Rotate your secrets regularly and use IAM roles to ensure that only the service account running your app has permission to read the secret.

Monitoring and Debugging Serverless Apps

Viewing Logs in Cloud Logging

All stdout and stderr logs from your Cloud Run and App Engine apps are automatically collected.

Error Reporting and Cloud Trace

Use Error Reporting to get alerts when your app crashes and Cloud Trace to find latency bottlenecks in your request flow.

Managing Serverless via gcloud CLI

  • gcloud app browse: Opens your running App Engine app in a browser.
  • gcloud run services list: Shows all your running Cloud Run services.
  • gcloud run revisions delete: Cleans up old, unused revisions to keep your Cloud Run and App Engine environment tidy.

To deploy to App Engine, use 'gcloud app deploy'. To deploy a container to Cloud Run, use 'gcloud run deploy'. Source ↗

Security Best Practices for Serverless

  1. Least Privilege: Always assign a dedicated Service Account to your Cloud Run and App Engine apps with only the minimum required permissions.
  2. Restrict Ingress: Use an Cloud HTTP(S) Load Balancer with Cloud Armor to protect your apps from DDoS attacks.
  3. Use IAP: For internal-only App Engine apps, use Identity-Aware Proxy to manage user authentication.

Common Exam Scenarios for ACE

Rolling Back a Failed Deployment

"Your latest deployment to Cloud Run is causing errors. How do you fix it instantly?" (Answer: Use traffic management to route 100% of traffic back to the previous healthy revision).

Connecting a Serverless App to a Cloud SQL DB

"You need your Cloud Run app to talk to a private Cloud SQL instance. What do you need?" (Answer: A Serverless VPC Access Connector).

Performing a Canary Release

"You want to test a new version of your App Engine app on 5% of your users. How do you do it?" (Answer: Use the traffic splitting feature in the Google Cloud Console or via gcloud app services set-traffic).

FAQ

Q1: Can I run multiple apps in one App Engine project? A1: No. A GCP project can only have one App Engine application, but that application can have many "Services."

Q2: Does Cloud Run support WebSockets? A2: Yes, Cloud Run supports WebSockets, which is a big advantage over App Engine Standard in some use cases.

Q3: Is Cloud Run faster than App Engine? A3: For "Cold Starts," App Engine Standard is typically faster. For "Warm" performance, it depends entirely on your code and container configuration.

Q4: Can I use local storage in Cloud Run? A4: You can use an in-memory filesystem (mounted at /tmp), but any data written there is lost when the instance stops. For persistence, use Cloud Storage or Cloud SQL.

Q5: Can I change the CPU and Memory after deploying to Cloud Run? A5: Yes, you can update the configuration, which will create a new Revision with the updated resources.

Summary Checklist for ACE

  • Understand when to use App Engine Standard vs. Flexible.
  • Know the difference between a Cloud Run Service and a Cloud Run Job.
  • Remember that App Engine regions are permanent for a project.
  • Be able to explain the "Scale-to-Zero" model and its cost benefits.
  • Understand how to perform traffic splitting for canary deployments.
  • Know that a VPC Access Connector is required for private network access.

Official sources

More ACE topics