Apigee Hybrid Runtime/ Message processor IP for restricting

We are setting up Apigee Hybrid for a bank on GCP. They want to restrict the IP address of Apigee from which the requests are made to the backend targets. They don't want to allow the IPs of the runtime cluster, but want a smaller range (message processor IP or set up something that routes traffic).

Could you please direct us to the righ


It sounds to me like you want a GCP Cloud NAT Gateway. Think of Cloud NAT as a part of GCP that will be adjacent to your use of Apigee. It's independent of Apigee, and it can provide that Apigee runtime with a common, smaller set of source IP addresses, to allow the remote firewalls to restrict inbound calls by source address.

As the documentation for that capability states:

If you use manual NAT IP address assignment to configure a Cloud NAT gateway, you can confidently share a set of common external source IP addresses with a destination party. For example, a destination service might only allow connections from known external IP addresses.

NAT is the approach most customers use in order to address the challenge you described. 

Because you're installing Apigee hybrid into GCP, I am assuming you will use GKE.  Here's an example of configuring Cloud NAT for GKE
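
The manual NAT IP assignment described in the reply above, sketched with gcloud as an added example that is not part of the original reply or of Google's documentation. The project, region, network, router, NAT and address names are placeholders, and it assumes the GKE nodes have no external IP addresses, since Cloud NAT only translates traffic from VMs without one.

```shell
#!/usr/bin/env bash
# Added example: pin Apigee hybrid egress to a fixed set of source IPs.
# Every name below is a placeholder (assumption), not a value from the thread.
PROJECT="${PROJECT:-example-project}"
REGION="${REGION:-europe-west1}"
NETWORK="${NETWORK:-apigee-hybrid-vpc}"
ROUTER="${ROUTER:-apigee-egress-router}"
NAT="${NAT:-apigee-egress-nat}"
ADDRS="${ADDRS:-apigee-egress-ip-1 apigee-egress-ip-2}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = execute them

# Print the command in dry-run mode, otherwise run it.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Comma-separated list of reserved address names for the NAT pool flag.
nat_ip_pool() {
  echo "$ADDRS" | tr -s ' ' ','
}

configure_nat() {
  # 1. Reserve the static external addresses the backend will allow-list.
  for a in $ADDRS; do
    run gcloud compute addresses create "$a" \
      --project="$PROJECT" --region="$REGION"
  done
  # 2. Cloud NAT hangs off a Cloud Router in the cluster's VPC and region.
  run gcloud compute routers create "$ROUTER" \
    --project="$PROJECT" --network="$NETWORK" --region="$REGION"
  # 3. Manual assignment: only the reserved addresses become source IPs.
  #    (No --auto-allocate-nat-external-ips, which would let them change.)
  run gcloud compute routers nats create "$NAT" \
    --project="$PROJECT" --router="$ROUTER" --region="$REGION" \
    --nat-external-ip-pool="$(nat_ip_pool)" \
    --nat-all-subnet-ip-ranges --enable-logging
}

# The literal IPs to hand to the backend firewall owners (use DRY_RUN=0).
list_egress_ips() {
  for a in $ADDRS; do
    run gcloud compute addresses describe "$a" --project="$PROJECT" \
      --region="$REGION" --format='value(address)'
  done
}

configure_nat
```

With the default `DRY_RUN=1` the script only prints the commands for review; the output of `list_egress_ips` (run with `DRY_RUN=0` after the addresses exist) is the allow-list to give the backend owners.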