@bechampion
Created July 27, 2022 09:14
Apigee

  • Proxies HTTP
  • Logic similar to Cloudflare page rules
  • All of this bundles into an API product
  • API key and mTLS auth
  • Terraform seems to support this
  • Canary and rate limiting
  • Quotas per partner
  • Formatting options on the response: XML, JSON, YAML etc.
  • Apigee needs a /22 range and peers it against your VPC

Apigee instances

When you create a deployment, a new instance is created in the range you handed over to Apigee:

$ gcloud compute addresses list --project pse-jeronimo-garcia
NAME                             ADDRESS/RANGE  TYPE      PURPOSE      NETWORK  REGION  SUBNET  STATUS
google-managed-services-default  10.94.48.0/22  INTERNAL  VPC_PEERING  default                  RESERVED

That range is peered against the VPC (note the VPC_PEERING purpose above), so treat it as part of your address plan. The instance IP itself is not in that output; to find it you need to go to Apigee -> Admin -> Instances

img

Host names

So that's the IP; the hostname (the one you need to spoof with --resolve when testing) is under Admin -> Groups

img

So now if you curl from inside the VPC, resolving the group hostname to the instance IP, you get this (-k disables TLS certificate verification, acceptable for a quick test inside the VPC, never for a real client):

root@nginx:/# curl --resolve pse-jeronimo-garcia-eval.apigee.net:443:10.94.48.2  https://pse-jeronimo-garcia-eval.apigee.net/mytest -k  | more
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4096    0  4096    0     0   8241      0 --:--:-- --:--:-- --:--:--  8224<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
<META name="y_key" content="22bfb5c7cba5067d" >
<meta name="verify-v1" content="oEmeNkJftgH9TJ7cLQjQriD/mF1zRLpI4ZKYNxzrBqI=" >
<meta http-equiv="Last-Modified" content="0" >
<META NAME="revisit-After" content="7 days" >
<meta name="author" content="WWW.COM.AR - Hosting" >
<META NAME="robots" CONTENT="All" >

Proxies

Keep in mind that my proxy "mytest" has www.com.ar as its target, which is why the response above is the www.com.ar page

img

Hooks

Load balancers facing Apigee

So basically you need:

  • L7 HTTPS LB
  • backend service -> NEG -> network endpoint (the VM)
  • a VM running something (or a MIG)

That VM needs to be running iptables, HAProxy or similar, e.g.:

# enable forwarding (this does not survive a reboot; persist it under /etc/sysctl.d on a real VM)
echo "1" > /proc/sys/net/ipv4/ip_forward
# conntrackd only syncs conntrack state between HA nodes; plain NAT works without it
apt install -y conntrackd
systemctl start conntrackd.service
# traffic arriving from the LB on :443 is rewritten to the Apigee instance
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination  10.94.48.2:443
# same for traffic the VM itself originates (lets a local curl hit Apigee, but it also
# hijacks every other outbound HTTPS connection from this VM, apt and gcloud included)
iptables -t nat -A OUTPUT -d 0/0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.94.48.2:443
# source-NAT forwarded packets to the VM's own address so Apigee's replies come back through it
iptables -t nat -A POSTROUTING -j MASQUERADE

^^ This works. I think we can get the IP from the Terraform outputs.

  • 10.154.0.7/32 is the IP address of the VM doing the NAT
  • 10.94.48.2 is the IP of the Apigee instance (the proxy environment)

Basically that's how it would work; pretty lame, to be fair.

$ curl --resolve www.com.ar:443:35.214.82.4 https://www.com.ar/mytest -k -I
HTTP/2 200
date: Fri, 22 Apr 2022 13:27:08 GMT
server: Apache/2.4.41 (Ubuntu)
content-type: text/html; charset=UTF-8
x-request-id: 7223c42f-2984-4162-afcb-7a4f45fbac84
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

35.214.82.4 is the L7 LB IP -> 10.154.0.7 (Linux VM running iptables) -> 10.94.48.2 (Apigee, only serving /mytest on the www.com.ar SNI). In the headers above, via: 1.1 google is the LB hop and server: Apache/2.4.41 is www.com.ar's own reply passed straight through Apigee.

Need to investigate MIGs to put under the NEG, with custom startup scripts: the metadata startup script is set in google_compute_instance_template, then the MIG references that template. There's a chance I can feed the IP address of the Apigee proxy in to make this dynamic.
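A bridge-VM startup script along those lines, as an added example that is neither the gist's code nor Google's published bridge script: it reads the Apigee instance IP from an instance metadata attribute named ENDPOINT (an assumed key name, set on the instance template), validates it before it ever reaches a root iptables command line, and applies the NAT rules idempotently so a MIG can recreate or restart the VM at will. Compared with the iptables snippet above it drops the OUTPUT rule (which hijacks the VM's own outbound HTTPS) and narrows MASQUERADE to traffic bound for the Apigee endpoint. It assumes a Debian/Ubuntu VM and root.

```sh
#!/bin/sh
# Bridge-VM startup script: added example, not the gist's code and not Google's
# published Apigee bridge script. Assumes the Apigee instance IP is supplied as
# the instance metadata attribute ENDPOINT (assumed key name) and that the
# script runs as root on a Debian/Ubuntu VM.

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/attributes/ENDPOINT"

# Accept only a plain dotted-quad IPv4 address. Metadata is writable by anyone
# with compute.instances.setMetadata on the project, so the value is untrusted
# input to a root shell command line and must be validated before use.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ????*) return 1 ;; esac   # 4+ digits can never be <= 255
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the commands that forward TCP/443 to the Apigee endpoint. Each rule is
# checked with -C before -A, so re-running the script (MIG restarts, a
# re-applied startup script) does not stack duplicate rules. No OUTPUT rule:
# only traffic forwarded from the LB is touched, and MASQUERADE is limited to
# packets going to the endpoint instead of everything leaving the VM.
nat_rules() {
  ep="$1"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -C PREROUTING -p tcp --dport 443 -j DNAT --to-destination ${ep}:443 2>/dev/null || iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination ${ep}:443
iptables -t nat -C POSTROUTING -d ${ep} -p tcp --dport 443 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -d ${ep} -p tcp --dport 443 -j MASQUERADE
EOF
}

# Fetch the endpoint from the metadata server, validate it, then apply the rules.
apply_bridge() {
  ep=$(curl -sf -H "Metadata-Flavor: Google" "$METADATA_URL") || {
    echo "ENDPOINT metadata attribute missing" >&2; return 1; }
  is_ipv4 "$ep" || { echo "refusing to NAT to invalid endpoint '$ep'" >&2; return 1; }
  nat_rules "$ep" | sh -e
}

# Only touch the system when explicitly asked ("sh bridge.sh apply"), so the
# functions above can be sourced and tested without root.
if [ "${1:-}" = "apply" ]; then
  apply_bridge
fi
```

Wire it into the template with the real gcloud flags `--metadata-from-file startup-script=bridge.sh --metadata ENDPOINT=10.94.48.2` (the startup-script key runs the file as root on boot, so invoke apply_bridge unconditionally there if you prefer the no-argument form), or in Terraform via metadata_startup_script plus a metadata map on google_compute_instance_template; the assumed wiring is to feed ENDPOINT from the host attribute of google_apigee_instance so nothing is hard-coded. Because the VM only does L3/L4 DNAT, TLS stays end to end between the LB and Apigee and the VM never sees plaintext, but whoever can edit its metadata decides where the traffic goes, and the GCP firewall should allow :443 to the VM only from the LB proxy and health-check ranges 130.211.0.0/22 and 35.191.0.0/16.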
