- HTTP proxies
- Logic similar to Cloudflare page rules
- All of this bundles into an API product
- API key / mTLS auth
- Terraform seems to support this
- Canary and rate limiting
- Quotas per partner
- Formatting options on the response: XML, JSON, YAML etc.
- Apigee needs a /22 and peers against your VPC
When you create a deployment, a new instance is created on the subnet that you gave it:
$ gcloud compute addresses list --project pse-jeronimo-garcia
NAME                             ADDRESS/RANGE  TYPE      PURPOSE      NETWORK  REGION  SUBNET  STATUS
google-managed-services-default  10.94.48.0/22  INTERNAL  VPC_PEERING  default                  RESERVED
That range is peered against the VPC (warning). Then, to find out the instance IP, you need to go to Apigee -> Admin -> Instances.
So that's the IP; the hostname (for mocking) is in Admin -> Groups.
So now if you curl from inside the VPC (--resolve pins the Apigee hostname to the instance IP so the SNI matches; -k skips certificate verification) you get this:
root@nginx:/# curl --resolve pse-jeronimo-garcia-eval.apigee.net:443:10.94.48.2 https://pse-jeronimo-garcia-eval.apigee.net/mytest -k | more
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4096    0  4096    0     0   8241      0 --:--:-- --:--:-- --:--:--  8224
<!DOCTYPE html>
<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
<META name="y_key" content="22bfb5c7cba5067d" >
<meta name="verify-v1" content="oEmeNkJftgH9TJ7cLQjQriD/mF1zRLpI4ZKYNxzrBqI=" >
<meta http-equiv="Last-Modified" content="0" >
<META NAME="revisit-After" content="7 days" >
<meta name="author" content="WWW.COM.AR - Hosting" >
<META NAME="robots" CONTENT="All" >
Keep in mind that my proxy "mytest" has www.com.ar as its target.
So basically you need:
- L7 HTTPS LB
- backend service -> NEG -> NE (VM)
- VM running something (or a MIG)
That VM needs to be running iptables, HAProxy or something similar, e.g.:
# enable IP forwarding (not persistent across reboots; put it in sysctl.conf for that)
echo "1" > /proc/sys/net/ipv4/ip_forward
# conntrackd as installed in these notes; the NAT itself only needs the kernel conntrack module
apt install -y conntrackd
systemctl start conntrackd.service
# send inbound TCP/443 (arriving from the LB via the NEG) to the Apigee instance
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.94.48.2:443
# also redirect the VM's own locally generated outbound 443 traffic (all of it) to Apigee
iptables -t nat -A OUTPUT -d 0/0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.94.48.2:443
# source-NAT forwarded traffic behind the VM's own address so replies come back through it
iptables -t nat -A POSTROUTING -j MASQUERADE
^^ This works; I think we can get the IP from what Terraform returns.
- 10.154.0.7/32 is the IP address of the VM doing the mangling
- 10.94.48.2 is the IP of the proxy env in Apigee
Basically that's how it would work, pretty lame to be fair.
$ curl --resolve www.com.ar:443:35.214.82.4 https://www.com.ar/mytest -k -I
HTTP/2 200
date: Fri, 22 Apr 2022 13:27:08 GMT
server: Apache/2.4.41 (Ubuntu)
content-type: text/html; charset=UTF-8
x-request-id: 7223c42f-2984-4162-afcb-7a4f45fbac84
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
35.214.82.4 is the L7 LB IP -> 10.154.0.7 (Linux VM running iptables) -> 10.94.48.2 (Apigee, only serving /mytest on the www.com.ar SNI)
Need to investigate MIGs to put under the NEG, with custom startup scripts: the metadata startup script lives in google_compute_instance_template, then call the MIG. There's a chance I can feed the IP address of the Apigee proxy in to make this dynamic.
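As an added example (not part of these notes, and not Apigee's or Google's code), here is a startup-script skeleton for the forwarding VM that covers both the iptables setup above and the "feed the Apigee IP in dynamically" idea: it reads the Apigee instance IP from an instance metadata attribute (the key name `apigee-ip` is an assumption for this example), validates it, and generates the NAT rules from it instead of hard-coding 10.94.48.2. Compared to the rules in the notes it drops the OUTPUT rule and restricts MASQUERADE to traffic bound for the Apigee IP, so the VM's own outbound 443 traffic (apt, etc.) is no longer redirected. The rules are only applied when the script is run with `--apply`; without it the functions can be exercised on any machine.

```shell
#!/bin/sh
# Added example: build the forwarding VM's NAT rules from an Apigee instance IP
# supplied through GCE instance metadata (attribute "apigee-ip" is assumed).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet <= 255, else 1.
valid_ipv4() {
  ip="$1"
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, leading/trailing/empty octet
  esac
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the nat-table rules for one Apigee IP:
#  - DNAT every inbound TCP/443 connection (from the LB via the NEG) to Apigee
#  - MASQUERADE only the forwarded traffic that is heading to Apigee, so replies
#    return through this VM and nothing else on the box is source-NATed
dnat_rules() {
  apigee_ip="$1"
  valid_ipv4 "$apigee_ip" || { echo "invalid Apigee IP: $apigee_ip" >&2; return 1; }
  cat <<EOF
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination ${apigee_ip}:443
iptables -t nat -A POSTROUTING -p tcp -d ${apigee_ip} --dport 443 -j MASQUERADE
EOF
}

# Number of rule lines dnat_rules emits for a given IP (handy for checks).
rule_count() {
  dnat_rules "$1" | wc -l | tr -d ' '
}

# Read the Apigee IP from the metadata server; the attribute name is an assumption
# and would be set on the instance template (e.g. from Terraform) in practice.
apigee_ip_from_metadata() {
  curl -sf -H "Metadata-Flavor: Google" \
    "http://metadata.google.internal/computeMetadata/v1/instance/attributes/apigee-ip"
}

# Only touch the system when explicitly asked (run as root on the forwarding VM).
if [ "${1:-}" = "--apply" ]; then
  ip="$(apigee_ip_from_metadata)" || { echo "no apigee-ip metadata attribute" >&2; exit 1; }
  sysctl -w net.ipv4.ip_forward=1
  dnat_rules "$ip" | sh -e
fi
```

Run it as the instance's metadata startup-script (GCE runs that as root on every boot, so the non-persistent ip_forward and iptables state is re-applied) or by hand as `sh forward.sh --apply`; `sh forward.sh` alone just defines the functions. Changing the Apigee instance then means updating one metadata value on the template rather than editing iptables on the VM.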