Apigee X southbound connectivity - handling custom routing rules

We had the below scenario for Apigee X southbound/backend connectivity.

The customer had custom routes in the VPC, one of which sends all traffic originating within the VPC via a designated firewall for all outbound connections. The VPC had multiple subnets, one of which was used for Apigee X peering.

We did an eval setup as described below:

Apigee X peered with the customer VPC using subnet #1 in the customer VPC.

Subnet #2 of the customer VPC has Linux VMs running httpd for testing.

Testing results were as below:

Apigee X was able to hit the Apache running on the Linux VMs in subnet #2.

However, Apigee X was not seen sending outbound traffic towards the designated firewall. Instead, Apigee X could hit Internet backends without traversing the firewall.

Following this we enabled VPC Service Controls and also exported custom routes in the customer VPC as mentioned in https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/Network-and-Routing-Configuration-to-...

However, what we then found is that after the above changes Internet backends were not connecting at all; we had expected the internal backend calls to be routed via the firewall.

If anyone has experience with a similar issue, can you please tell us how to meet the objective, i.e. have all outbound connections from Apigee (including Internet) go via the specific firewall as mentioned in the custom routing rule of the customer VPC.



Hi Sunil, you're on the right track.

As you said: once you enable VPC Service Controls, you have to set the routes explicitly.

In my setup I have:
* a route 0.0.0.0/0 that points to my firewall (this will be used by Apigee)
* another route for 0.0.0.0/0 that points to the default internet egress gateway and is tagged for my firewall
* VPC firewall rules that allow ingress traffic to the firewall appliance

I am planning on doing a little terraform example for this: https://github.com/apigee/terraform-modules/issues/30.


Thanks for your reply @strebel.

Regarding the point "a route 0.0.0.0/0 that points to my firewall (this will be used by Apigee)":

We do have the route for 0.0.0.0/0 that points to our firewall. However, we don't have the egress route that you mentioned. We will try this and revert back.

One point is that this firewall is in a different VPC, which in turn is peered with the shared VPC. Apigee is peered with this same shared VPC. Will this be an issue? Does the firewall have to be in the shared VPC itself?

Yeah, that's indeed an issue: https://cloud.google.com/vpc/docs/vpc-peering#considerations mentions the challenge of route propagation in a transitive peering scenario.
You'd either have to move the firewall to the central peering VPC or (I'd stay away from this option if possible) implement another IP forwarding appliance between the Apigee-peered VPC and the one that hosts the firewall.

When we peered Apigee with the VPC having the firewall, the default route rule (0.0.0.0/0 to firewall) started working. Thanks for your inputs @strebel.
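The route pair and firewall rule described by @strebel, plus the custom-route export and the "appliance must be in the Apigee-peered VPC" constraint from the accepted answer, written out as a Terraform sketch. This is an added example, not the thread's or the apigee/terraform-modules project's code; the VPC name, appliance VM name and zone, network tag and Apigee peering range are assumed values.

```hcl
# Assumed names (not from the thread): VPC "customer-vpc", appliance VM "egress-fw"
# in zone us-central1-a tagged "egress-fw", Apigee peering range 10.111.0.0/22.
locals {
  network     = "customer-vpc"
  fw_tag      = "egress-fw"
  apigee_cidr = "10.111.0.0/22"
}

# Route 1: untagged traffic (everything from the Apigee peering) goes to the
# appliance; priority 500 beats the implicit default route (1000). The appliance
# must be in this VPC, since routes do not propagate across a second peering.
resource "google_compute_route" "egress_via_fw" {
  name                   = "egress-via-fw"
  network                = local.network
  dest_range             = "0.0.0.0/0"
  priority               = 500
  next_hop_instance      = "egress-fw"
  next_hop_instance_zone = "us-central1-a"
}

# Route 2: only the tagged appliance uses this higher-precedence (100) path to
# the internet gateway; without it, its own egress would loop back via route 1.
resource "google_compute_route" "fw_to_internet" {
  name             = "fw-to-internet"
  network          = local.network
  dest_range       = "0.0.0.0/0"
  priority         = 100
  next_hop_gateway = "default-internet-gateway"
  tags             = [local.fw_tag]
}

# Allow ingress from the Apigee range to the appliance (the VM also needs
# can_ip_forward = true).
resource "google_compute_firewall" "allow_apigee_to_fw" {
  name          = "allow-apigee-to-egress-fw"
  network       = local.network
  direction     = "INGRESS"
  source_ranges = [local.apigee_cidr]
  target_tags   = [local.fw_tag]
  allow {
    protocol = "tcp"
  }
}
# Export custom routes over the Service Networking peering so Apigee learns route 1.
resource "google_compute_network_peering_routes_config" "apigee_peering" {
  peering              = "servicenetworking-googleapis-com"
  network              = local.network
  export_custom_routes = true
  import_custom_routes = false
}
```

Route selection is by longest prefix first and then by lowest priority value, which is why the tagged route (100) must beat the appliance route (500) for the appliance itself while the appliance route still beats the implicit default (1000) for Apigee.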