This sample shows how to expose an Apigee instance to the internet using a Google Cloud external HTTP(S) Load Balancer and Private Service Connect.
With Apigee X, customers have full control over whether or not to expose their runtime instances externally. Apigee X instances are not exposed to the internet by default, however customers may choose to serve traffic to external API consumers by placing an external HTTP(S) load balancer in front of Apigee. Customers may then leverage other features of Google Cloud Load Balancing such as Cloud Armor WAF & DDoS protection for additional security in front of their APIs.
When following the Apigee X provisioning wizard, you will be prompted to configure access routing for your newly created instance. If you choose the internal option, the instance is only accessible internally via your GCP VPC network. If you subsequently decide you wish to expose it externally, this sample shows how to add the load balancer. The sample creates a sample environment and environment group, then reserves a static IP address and creates a load balancer with a Google managed TLS certificate and an external hostname using nip.io to resolve to the IP.
This sample makes use of GCP's Private Service Connect (aka PSC) capability to connect an external load balancer to the Apigee X instance. Apigee supports PSC for both northbound (ingress) and southbound (egress) connectivity. This sample only deals with use of PSC for northbound connections from the internet.
Each Apigee X instance contains a PSC Service Attachment. Information about the attachment can be found on the Instances page in the Apigee management UI, or via the organizations.instances.get API method.
Customers can connect an external load balancer to this attachment using a PSC network endpoint group, or PSC NEG for short. PSC provides a fully managed option to establish connectivity, which does not involve the use of network bridge VMs. The high level architecture is depicted in the diagram below:
- An Apigee X instance already provisioned. If not, you may follow the steps here.
- Your account must have permissions to configure access routing and create Apigee environment and environment groups. See the predefined roles listed here.
- Make sure the following tools are available in your terminal's
$PATH(Cloud Shell has these preconfigured)- gcloud SDK
- curl
- jq
- npm
Use the following GCP CloudShell tutorial, and follow the instructions.
- Clone the
apigee-samplesrepo, and switch theexposing-to-internetdirectory
git clone https://github.com/GoogleCloudPlatform/apigee-samples.git
cd exposing-to-internet- Edit
env.shand configure the following variables:
PROJECTthe project where your Apigee organization is locatedNETWORKthe VPC network where the PSC NEG will be deployedSUBNETthe VPC subnet where the PSC NEG will be deployed
Now source the env.sh file
source ./env.sh- Deploy the environment, environment group and load balancing components:
./deploy.shPlease note the script may take some time to complete while certificate provisioning occurs.
To run the tests, first retrieve Node.js dependencies with:
npm installEnsure the following environment variables have been set correctly:
RUNTIME_HOST_ALIAS
and then run the tests:
npm run testTo manually test the instance via the external load balancer URL, wait a minute and then make the following request:
curl https://$RUNTIME_HOST_ALIAS/healthz/ingress -H 'User-Agent: GoogleHC'You should see an HTTP 200 status returned along with the response body "Apigee Ingress is healthy" which indicates the instance is accessible via the external URL. If you see an SSL error, wait a second and try again.
If you want to clean up the artifacts from this example, first source your env.sh script, and then run
./clean-up.sh