# How to Enable App Platform VPC App Platform is a fully managed Platform-as-a-Service (PaaS) that deploys applications from Git repositories or container images. It automatically builds, deploys, and scales components while handling all underlying infrastructure. App Platform apps in all regions support VPC networks, allowing you to connect apps to other VPC-enabled resources (such as DBaaS, Droplets, and Kubernetes) over a private network. For more details about VPC networks, see the [VPC product page](https://docs.digitalocean.com/products/networking/vpc/index.html.md). The App Platform VPC integration lets you: - Access resources over a secure private network instead of the public internet - Connect to VPC resources in any DigitalOcean datacenter using VPC peering VPC network access cannot be used with dedicated egress IPs, and Function components are not currently supported. Apps can only directly connect to VPCs in one specific datacenter in their region. This limitation exists because App Platform regions abstract away underlying datacenters, but VPC networks are tied to specific datacenter locations. As a result, apps can only connect to VPC networks that are in the same datacenter where the app is deployed. | App Spec Region | App Can Connect To VPCs In | |---|---| | `ams` | `ams3` | | `blr` | `blr1` | | `fra` | `fra1` | | `lon` | `lon1` | | `nyc` | `nyc1` | | `sfo` | `sfo3` | | `sgp` | `sgp1` | | `syd` | `syd1` | | `tor` | `tor1` | You can use [VPC peering](https://docs.digitalocean.com/products/networking/vpc/how-to/create-peering/index.html.md) to work around this limitation. Peering allows resources in different VPC networks, including those in other regions, to communicate over the private network. For example, if an app is deployed in the `nyc` region and connects to a VPC network in `nyc1`, you can peer that `nyc1` VPC network with another in `ams3`. This allows your app to privately access resources located in Amsterdam through the peered connection. ## Set Up VPC Peering 1. Create or use an existing VPC network in the app’s region based on the mapping above. For example, an app deployed in the `nyc` region must connect to a VPC network in `nyc1`. 2. Peer that VPC network with another VPC network in the region where your resources are located. For instance, peering a VPC network in `nyc1` with one in `ams3`. After you peer the VPCs, your app can use its regional VPC network to connect privately to resources in the peered VPC. To connect to a [database with trusted sources enabled](https://docs.digitalocean.com/products/databases/mysql/how-to/secure/index.html.md) through the VPC network, you must first add the app’s VPC egress private IP to the database’s list of trusted sources. ## Enable VPC Network Access VPC network access and dedicated egress IPs cannot be enabled at the same time. If your app is using dedicated egress IPs, you must release them before connecting to a VPC network. You can enable VPC network access for your app in the DigitalOcean Control Panel or using the app spec. ## DigitalOcean Control Panel To enable VPC network access, go to the [Apps page](https://cloud.digitalocean.com/apps), click your app, then click the **Networking** tab. If you are using dedicated egress IPs, click **Release dedicated egress IPs** in the **Public Network** area. In the **Private Network** area, click **Edit network**. ![Networking tab showing the Private Network and Public Network areas](https://docs.digitalocean.com/screenshots/app-platform/edit-private-network.7ff69c2675a7a66e3fb430af19c87907a2915b75534468b8a59f89cb2ed9735f.png) In the **Edit datacenter and VPC network** dialog, select **Connect app to VPC network**, then click **Save network settings**. Your app redeploys automatically. ## App Spec You can enable VPC network access for your app in the **App Settings** page. You can also use `doctl` with the public API. First, find the UUID of the VPC network you want to connect your app to. To list all DigitalOcean VPCs and their UUIDs, run the following [`doctl` command](https://docs.digitalocean.com/reference/doctl/how-to/install/index.html.md): ```bash doctl vpcs list ``` Alternatively, you can go to a specific VPC’s dashboard in the [control panel](https://cloud.digitalocean.com/networking/vpc) and check the URL in your browser. The following example URL displays the VPC network’s UUID as `your-id`: ``` https://cloud.digitalocean.com/networking/vpc/your-id/resources?i=c7a311 ``` After you get the VPC’s ID, update or add the `vpc` field in your [app spec](https://docs.digitalocean.com/products/app-platform/how-to/update-app-spec/index.html.md), replacing `your-id` with the UUID of the VPC you want to connect to: ```yaml vpc: id: your-id ``` Click **Save** and wait for your app to redeploy. Then, confirm you have successfully enabled VPC on your app by running the following command from the app’s terminal in the control panel: ```bash curl : ``` To change which VPC network your app is connected to, update the `id` field in the app spec and then click **Save**. To disconnect your app from the VPC network, remove the entire `vpc` field from the app spec and then click **Save**. After you save, the app will redeploy automatically.