@thesaravanakumar
Last active November 10, 2022 14:53
short overview of psc, neg and apigee

Private Service Connect (service-centric approach)

Private Service Connect allows private consumption of services across VPC networks that belong to different groups, teams, projects, or organizations. You can publish and consume services using IP addresses that you define and that are internal to your VPC network.

  • Secure: Traffic stays on Google's backbone
  • Simple & performant: Just need an endpoint, and get line-rate performance
  • Agile: Focus on the service; unburden network teams


Private Service Connect lets you send traffic to Google APIs using a Private Service Connect endpoint that is private to your VPC network.

URL maps

Google Cloud HTTP(S) load balancers and Traffic Director use a Google Cloud configuration resource called a URL map to route HTTP(S) requests to backend services or backend buckets.

For example, with an external HTTP(S) load balancer, you can use a single URL map to route requests to different destinations based on the rules configured in the URL map.

How URL maps work

When a request arrives at the load balancer, the load balancer routes the request to a particular backend service or a backend bucket based on the rules defined in the URL map.

URL map components

  • A hostname is the domain name portion of a URL; for example, the hostname portion of the URL http://example.net/video/hd is example.net.
  • A path is the portion of a URL following the hostname and optional port number; for example, the path portion of the URL http://example.net/video/hd is /video/hd.

You can create a Private Service Connect endpoint with consumer HTTP(S) service controls using an internal HTTP(S) load balancer. The internal HTTP(S) load balancer provides the following features:

  • You can choose which services are available using a URL map; filtering by path lets you do more fine-grained checks.
  • You can rename services, for example spanner.example.com, and map them to URLs of your choice.
  • You can configure the load balancer to log all requests to Cloud Logging.
  • You can use customer-managed TLS certificates.
  • You can enable data residency in-transit by connecting to regional endpoints for Google APIs from workloads in that same region.
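The host/path split and the "filter by path, rename services" idea above, as an added example (not from the gist or from Google Cloud's URL map implementation). It is a simplified model of a URL map: host rules pick a path matcher, the longest matching path prefix picks a backend, and anything unmatched falls to a default that rejects the request. Hostnames, backend names and paths are constructed.

```python
from urllib.parse import urlsplit

# Constructed URL map. "deny" stands for a backend that rejects the request,
# so only the explicitly listed host/path combinations reach a PSC NEG.
URL_MAP = {
    "host_rules": {
        "spanner.example.com": "spanner-matcher",   # renamed service
        "storage.example.com": "storage-matcher",
    },
    "path_matchers": {
        "spanner-matcher": {
            "default": "deny",   # any path not listed below is rejected
            "paths": {"/v1/projects/prod-app/": "psc-neg-spanner"},
        },
        "storage-matcher": {
            "default": "psc-neg-storage",
            "paths": {"/admin/": "deny"},   # block one subtree explicitly
        },
    },
    "default_service": "deny",   # unknown hostnames are rejected
}


def split_url(url):
    """Return (hostname, path) the way a URL map sees them.

    The hostname excludes any port; an empty path is normalised to "/".
    """
    parts = urlsplit(url)
    return parts.hostname, parts.path or "/"


def route(url_map, url):
    """Return the backend a request for `url` would be sent to."""
    host, path = split_url(url)
    matcher_name = url_map["host_rules"].get(host)
    if matcher_name is None:
        return url_map["default_service"]
    matcher = url_map["path_matchers"][matcher_name]
    # Longest matching path prefix wins, mirroring most-specific-rule routing.
    best = None
    for prefix in matcher["paths"]:
        if path.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return matcher["paths"][best] if best else matcher["default"]
```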

Private Service Connect lets a service producer offer services to a service consumer. A service producer VPC network can support multiple service consumers.

There are two types of Private Service Connect endpoints that can connect to a published service:

  • Private Service Connect endpoint (based on a forwarding rule)

    A Private Service Connect endpoint based on a forwarding rule lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network.

  • Private Service Connect endpoint with consumer HTTP(S) service controls (based on a global external HTTP(S) load balancer)

    With this endpoint type, consumers connect to an external IP address. Private Service Connect uses a network endpoint group to route the request to the service producer.

    Using a global external HTTP(S) load balancer as a policy enforcement point has the following benefits:

    • You can rename services and map them to URLs of your choice.
    • You can configure the load balancer to log all requests to Cloud Logging.
    • You can use customer-managed or Google-managed TLS certificates.

If the service producer has made a service available in multiple regions, client traffic can be load balanced across those regions: the load balancer can route traffic to a NEG in the closest healthy region.


  • If your service is consumed by Private Service Connect endpoints that are based on a forwarding rule, we recommend that you configure the Private Service Connect subnet with a prefix length of /22 or shorter (for example, /21).

  • If your service is consumed by Private Service Connect endpoints that are based on a global external HTTP(S) load balancer, the subnet is not used. You can configure the Private Service Connect subnet with a prefix length of /29 to create a subnet with the smallest supported size.

Service attachments

Service producers expose their service through a service attachment.

  • To expose a service, a service producer creates a service attachment that refers to the service's load balancer forwarding rule.
  • To access a service, a service consumer creates an endpoint that refers to the service attachment.

The service attachment URI has this format: projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME

Each load balancer can be referenced only by a single service attachment. You cannot configure multiple service attachments that use the same load balancer.
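An added example (not from the gist) that turns the three rules above into a configuration audit: the service attachment URI format, the subnet sizing guidance for the two consumer types, and the one-attachment-per-load-balancer constraint. The inventory, project, region, rule and subnet values are constructed; the inventory layout is an assumption, not a Google Cloud API shape.

```python
import re
from ipaddress import ip_network

# projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME
SA_URI = re.compile(
    r"^projects/(?P<project>[a-z][-a-z0-9]*)"
    r"/regions/(?P<region>[a-z0-9-]+)"
    r"/serviceAttachments/(?P<name>[a-z][-a-z0-9]*)$"
)


def parse_service_attachment(uri):
    """Split a service attachment URI into its project, region and name."""
    m = SA_URI.match(uri)
    if not m:
        raise ValueError(f"malformed service attachment URI: {uri}")
    return m.groupdict()


# Constructed inventory: one entry per service attachment a producer created.
# "consumer" is how the service is consumed: by forwarding-rule endpoints or
# by a global external HTTP(S) load balancer.
ATTACHMENTS = [
    {"uri": "projects/prod-svc/regions/us-central1/serviceAttachments/spanner-proxy",
     "forwarding_rule": "fr-spanner", "nat_subnet": "10.10.0.0/21", "consumer": "forwarding-rule"},
    {"uri": "projects/prod-svc/regions/us-central1/serviceAttachments/spanner-proxy-2",
     "forwarding_rule": "fr-spanner", "nat_subnet": "10.10.8.0/24", "consumer": "forwarding-rule"},
    {"uri": "projects/prod-svc/regions/europe-west1/serviceAttachments/api-gw",
     "forwarding_rule": "fr-api", "nat_subnet": "10.20.0.0/29", "consumer": "global-lb"},
]


def audit(attachments):
    """Return a list of findings; an empty list means the inventory is clean."""
    findings, rule_owner = [], {}
    for a in attachments:
        try:
            name = parse_service_attachment(a["uri"])["name"]
        except ValueError as err:
            findings.append(str(err))
            continue
        rule = a["forwarding_rule"]
        if rule in rule_owner:   # a load balancer may back only one attachment
            findings.append(f"{name}: forwarding rule {rule} already used by {rule_owner[rule]}")
        rule_owner.setdefault(rule, name)
        plen = ip_network(a["nat_subnet"]).prefixlen
        if a["consumer"] == "forwarding-rule" and plen > 22:
            findings.append(f"{name}: /{plen} PSC subnet is smaller than the recommended /22")
        elif a["consumer"] == "global-lb" and plen > 29:
            findings.append(f"{name}: /{plen} is smaller than the smallest supported PSC subnet (/29)")
    return findings
</test>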

VPC Service Controls (vpc-sc)

VPC Service Controls improves your ability to mitigate the risk of data exfiltration from Google Cloud services such as Cloud Storage and BigQuery. You can use VPC Service Controls to create perimeters that protect the resources and data of services that you explicitly specify.

Using Private Service Connect with Apigee

This architectural pattern eliminates the need to create managed instance groups to forward requests from the global load balancer to Apigee. With the PSC routing method, API proxy requests pass through a global external HTTP(S) load balancer that you install in a VPC to a single point of attachment in the Apigee VPC, called a Service Attachment.

Note the following restrictions for PSC configuration:
  • You can only use PSC steps for fresh Apigee X installations. You cannot use these steps with an existing Apigee instance.
  • PSC provisioning is available for CLI installs only; support for PSC in the provisioning wizard is not currently available.
  • You cannot use VPC Service Controls if you provision Apigee X using this method.
  • Only one PSC network endpoint group (NEG) can be attached to the external global load balancer.
  • Global external HTTP(S) load balancer (classic) is not supported for this configuration.
  • When configuring external routing using PSC, note that the number of PSC NEGs you can create in the same project to connect to an Apigee service attachment in a region is limited to 10. See External routing (PSC).

You can create a Private Service Connect endpoint with consumer HTTP(S) service controls using an internal HTTP(S) load balancer, which lets you maintain consistent policies across multiple service producers.

Network Endpoint Groups

An abstraction layer that enables container-native load balancing.

  • Load balancers cannot identify pods in a node (VM); they only identify instance groups or nodes. This is where NEGs come in. NEGs are integrated with the Kubernetes ingress controller running on GCP.
  • A network endpoint group (NEG) is a configuration object that specifies a group of backend endpoints or services. A common use case for this configuration is deploying services in containers. You can also distribute traffic in a granular fashion to applications running on your backend instances.

Types of NEGs

  • Zonal NEG - One or more internal IP address endpoints that resolve to either VM or Pods.
  • Internet NEG - A single internet-routable endpoint that is hosted outside of Google Cloud.
  • Serverless NEG - A single endpoint within Google's network that resolves to an App Engine, Cloud Functions, API Gateway, or Cloud Run service.
  • Hybrid connectivity NEG - One or more endpoints that resolve to on-premises services or server applications in another cloud.
  • Private Service Connect NEG - A single endpoint that resolves to one of the following:
    • A Google-managed regional API endpoint
    • A managed service published using Private Service Connect

Apigee

  • Apigee is a platform for developing and managing APIs. By fronting services with a proxy layer, Apigee provides an abstraction or facade for your backend service APIs and provides security, rate limiting, quotas, analytics, and more.
  • It's part of Google Cloud.
  • The Apigee Cross-Cloud API Platform allows your business to secure, manage, scale, analyze, and connect all your APIs. It gives you control over and visibility into the APIs that connect applications and data across the enterprise and across clouds.

Apigee services: The APIs that you use to create, manage, and deploy your API proxies.

Apigee runtime: A set of containerized runtime services in a Kubernetes cluster that Google maintains. All API traffic passes through and is processed by these services.

API - It defines the interaction between multiple software applications.

API gateway - An API gateway acts as a reverse proxy to accept all application programming interface (API) calls, aggregate the various services required to fulfill them, and return the appropriate result.
