Apigee Proxy -> GKE backend firewall setup

I've been trying to set up a connection from my Apigee proxy to my backend services hosted on GKE in the same project and region as my Apigee instance. However, it doesn't seem to make a connection, timing out when testing in the debug section of Apigee with a 503.

I can confirm that I can hit the backend, which has an internal load balancer configured in GKE, configured with a static internal IP, when I use a Compute VM in the same region. This leads me to believe there is some firewall issue here that prevents the Apigee proxies from making the same connection, but I'm not sure what it could be.

Thanks!

1 ACCEPTED SOLUTION

Hi @jacob - Have you checked the firewall rules for your project? You may need to create a firewall rule to allow communication from your Apigee instance(s) to targets in your network like your service running on GKE.

The pre-populated rules in the default network will allow your Compute VMs to connect to services deployed on GKE in the default network, but not necessarily allow Apigee instances to connect to those services.

Within the Apigee UI, under Admin > Instances > Edit Instance, you can locate your instance IP ranges. You can then create a new, or update an existing, firewall rule to allow communication from these IP ranges into the network your GKE services are running on.

You can also obtain your Apigee Instance(s) information via the API here.


3 REPLIES


Thanks,

Using the organizations.instances.list API method you linked, I was able to find that my IP range was

      "ipRange": "10.109.128.0/22,10.60.137.16/28"

 so I created a firewall rule that looked like the following:

(screenshot of the firewall rule, not preserved)

My GKE clusters are on the default network as well, so I'm not sure if I'm missing something else here.

After examining my proxy more closely, it turned out I was pointing to the wrong target endpoint, which was still causing me issues after I added this rule. After I fixed the misconfigured proxy, everything worked correctly!
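As an added example (not code from this thread or from Google), the procedure in the accepted answer combined with the ipRange value quoted above: read the organizations.instances.list response, validate every CIDR in each instance's ipRange, and emit a gcloud firewall rule that admits only those ranges, only on the load balancer port, and only to nodes carrying a network tag. The sample response, port 443, the tag name gke-backend and the rule name are assumptions; the real tag for GKE nodes must be taken from the cluster.

```python
"""Derive a least-privilege VPC firewall rule for Apigee -> GKE internal LB traffic."""
import ipaddress
import json
from typing import List

# Constructed sample of an organizations.instances.list response. Only the
# fields used here are included; the ipRange is the one quoted in the thread.
SAMPLE_INSTANCES_RESPONSE = json.dumps({
    "instances": [
        {"name": "us-east1-instance", "location": "us-east1",
         "ipRange": "10.109.128.0/22,10.60.137.16/28"}
    ]
})


def apigee_source_ranges(instances_json: str) -> List[str]:
    """Return every CIDR listed in ipRange across all instances, validated."""
    ranges: List[str] = []
    for inst in json.loads(instances_json).get("instances", []):
        for cidr in inst.get("ipRange", "").split(","):
            cidr = cidr.strip()
            if not cidr:
                continue
            # strict=True rejects host bits set; a malformed entry raises
            # rather than silently producing an over-broad rule.
            net = ipaddress.ip_network(cidr, strict=True)
            if net.prefixlen == 0:
                raise ValueError(f"refusing catch-all range {cidr}")
            ranges.append(str(net))
    if not ranges:
        raise ValueError("no ipRange found; is the instance provisioned yet?")
    return ranges


def firewall_rule_command(ranges: List[str], network: str = "default",
                          port: int = 443, target_tag: str = "gke-backend",
                          rule_name: str = "allow-apigee-to-gke") -> List[str]:
    """gcloud argv scoped to the Apigee ranges, one TCP port and a node tag
    (tag name is a hypothetical placeholder)."""
    return ["gcloud", "compute", "firewall-rules", "create", rule_name,
            "--network", network, "--direction", "INGRESS", "--action", "ALLOW",
            "--rules", f"tcp:{port}", "--source-ranges", ",".join(ranges),
            "--target-tags", target_tag]


if __name__ == "__main__":
    print(" ".join(firewall_rule_command(apigee_source_ranges(SAMPLE_INSTANCES_RESPONSE))))
```

Replace the sample with the live API response and the tag with your cluster's node tag; the command is printed, not executed, so it can be reviewed first.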