Peering and hybrid confusion

Hi,

I'm looking into a solution where we want to expose our previously on-premise APIs to be public with Apigee. The APIs have to stay on premise but will be publicly available. Peering over VPN or VLAN seems to be the way it's done, as described in the article below (note "hybrid" in the link): https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid

So we'll have Public facing APIs with Apigee which in turn will call the on premise APIs/back end.

What's confusing is that I find another "hybrid" (https://cloud.google.com/apigee/docs/hybrid/v1.3/what-is-hybrid) which, in my understanding, has not much to do with the solution I'm after, as I don't think we need the runtime plane to be deployed outside of GCP.

Please clarify whether this is just multiple meanings of the word "hybrid" in similar contexts, or am I missing something here?

Many thanks.

1 ACCEPTED SOLUTION

The crux of my question boils down to: How do we connect the VPC for this tenant into our own on-premise datacenter? Can you post any links to documentation on how to do it?

Got it.

Yes, this approach is pretty standard. There's nothing "Apigee specific" about the network connectivity options from your VPC. You will just use general networking for Google Cloud. That means you can use VPN, or Direct Interconnect, or Partner Interconnect. This landing page (https://cloud.google.com/hybrid-connectivity) describes the options. (And yes, it has the word "hybrid" in the URL, but it does not refer to Apigee hybrid.) And I suppose that page will lead you to the specific instructions for those options.

Stepping back, as part of the process of provisioning an Apigee X organization, also described as "enabling a GCP project for Apigee X", you will specify a GCP VPC. This is a VPC that you operate, that belongs to your GCP organization. You have full control over it. Today, it is required that this VPC be peered with a Google-managed VPC that hosts the Apigee X runtime, and you do that as part of the Apigee X provisioning process*. You can then connect the VPC that you "own and operate" to datacenters via any of the GCP networking options.

The diagram looks like this.

[Diagram: screenshot-20220307-091855.png]

* In the relatively near future, I expect that this VPC peering will not be required. The Google-managed VPC that runs Apigee will connect into your own VPC via Private Service Connect. But that is not yet available. So for now, peering is the way you must connect these VPCs.
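The VPC-side steps the accepted answer describes, written out as gcloud commands. This is an added example, not code from the thread or from Google's documentation; the project, network, region, tunnel name and on-prem CIDR are placeholders, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread or Google's docs): the VPC-side steps the
# accepted answer describes, as gcloud commands. All names below are
# placeholders you must set. DRY_RUN=1 (the default) prints each command
# instead of running it, so the sequence can be reviewed before anything is
# created.
PROJECT_ID="${PROJECT_ID:-my-apigee-project}"
NETWORK_NAME="${NETWORK_NAME:-apigee-vpc}"
REGION="${REGION:-us-central1}"
VPN_TUNNEL="${VPN_TUNNEL:-onprem-tunnel}"        # created per the Cloud VPN docs
ONPREM_CIDR="${ONPREM_CIDR:-10.200.0.0/16}"       # constructed on-prem range
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Reserve the range the Google-managed runtime VPC will occupy and peer your
#    VPC with Service Networking: this is the peering the answer refers to.
#    On-prem firewalls must allow traffic from this range, because the Apigee
#    gateways reach your backends from addresses in it.
peer_apigee_runtime() {
  run gcloud compute addresses create "google-managed-services-$NETWORK_NAME" \
    --global --purpose=VPC_PEERING --prefix-length=22 \
    --network="$NETWORK_NAME" --project="$PROJECT_ID"
  run gcloud services vpc-peerings connect \
    --service=servicenetworking.googleapis.com --network="$NETWORK_NAME" \
    --ranges="google-managed-services-$NETWORK_NAME" --project="$PROJECT_ID"
}

# 2. Plain Google Cloud networking to on-prem: a static route through the VPN
#    tunnel (Classic VPN static routing; HA VPN would advertise it over BGP).
route_onprem_via_vpn() {
  run gcloud compute routes create onprem-via-vpn --network="$NETWORK_NAME" \
    --destination-range="$ONPREM_CIDR" --next-hop-vpn-tunnel="$VPN_TUNNEL" \
    --next-hop-vpn-tunnel-region="$REGION" --project="$PROJECT_ID"
}

# 3. The step that is easy to miss: export your VPC's custom routes into the
#    peering. Without it the runtime VPC has no route to ONPREM_CIDR and the
#    gateways cannot reach the on-prem targets at all.
export_routes_to_runtime() {
  run gcloud compute networks peerings update servicenetworking-googleapis-com \
    --network="$NETWORK_NAME" --export-custom-routes --project="$PROJECT_ID"
}

peer_apigee_runtime
route_onprem_via_vpn
export_routes_to_runtime
```

Firewall rules in your VPC still have to permit the traffic in both directions; the script covers only reachability (peering and routes).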


Yes, I think there is some confusion.

The first page of documentation you linked, entitled "Configuring Private Google Access for on-premises hosts", states:

Private Google Access for on-premises hosts provides a way for on-premises systems to connect to Google APIs and services by routing traffic through a Cloud VPN tunnel or a Cloud Interconnect attachment (VLAN). Private Google Access for on-premises hosts is an alternative to connecting to Google APIs and services over the internet.

That is not the scenario you described. Also, it has nothing to do with Apigee. I concede that there is the word "hybrid" in the URL, but the page does not refer to Apigee hybrid. So I advise you to disregard that page, for the purposes of this discussion.


If you would like to expose the APIs for services that are currently running in an on-premises (private) datacenter, you can manage the exposure of those APIs through Apigee. There are a couple of options:

  • Apigee hybrid - in which you run the Apigee gateways in your on-prem datacenter. You are responsible for keeping the gateways up, running, healthy, and up-to-date.
  • Apigee X - in which Google runs the Apigee gateways for you in a dedicated "tenant". You can connect the VPC for this tenant into your own datacenter to allow the Apigee gateways to reach your on-prem services.

I think you want the latter: Apigee X. You don't want to manage your own gateways (aka "runtime plane"). It sounds like you want Google to do that for you. That's Apigee X.

Thanks for your response.

I can see how I went off track there.

Yes, Apigee X is what should be sufficient for our case. The crux of my question boils down to: How do we connect the VPC for this tenant into our own on-premise datacenter? Can you post any links to documentation on how to do it?

My understanding is that we can do it with VPN or VLAN (https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview), but I still feel that connecting Apigee to a legacy on-premise backend should be a pretty standard use case, which I can't see on https://cloud.google.com/apigee/docs/api-platform/get-started/configure-service-networking

I'm fishing for some reassurance on how it's done in detail; links to instructions would be much appreciated.

Many thanks


That's perfect, thanks. This (https://cloud.google.com/hybrid-connectivity) is exactly what I was after. Thanks.

I have a similar architecture with two projects in the cloud: one connected to on-prem with VPN and the other to Apigee X by peering. I need to connect to Apigee X from on-prem without making a new VPN tunnel, due to cost concerns.