Apigee X Using On Prem DNS Servers

Similar case to: https://www.googlecloudcommunity.com/gc/Apigee/Apigee-X-runtime-DNS/td-p/161752
Running on Apigee X.
Have a private on prem service that I'm trying to hit from Apigee. Let's say it's https://user-api.example.com/api/v1. Proxy is configured to send a request to that URL.

Currently I have:

  • Apigee X installed and working. I'm able to hit public endpoints.
  • Single client VPC with single subnet (no other services in other GCP projects that I need to connect to).
  • Partner interconnect set up to connect to private on-prem network.
  • DNS private forwarding zone created pointing to on prem DNS resolution server IPs. (I verified I can send a dig request from a vm in client VPC to host resolved through on prem DNS servers).
  • Proxy in Apigee pointing to url that needs to be resolved through on prem DNS servers.

Ran the peering command in the above linked community post at the top of this page (omitting service so it uses the default servicenetworking.googleapis.com in the command)

gcloud services peered-dns-domains create example-com --network=my-network --dns-suffix=example.com.

Getting 503s in Apigee trying to hit the on-prem service using the url to that service that needs to be resolved by on prem DNS servers. Note that I can send a curl request from a vm in my vpc to the on prem url and get a 400 (as expected). Wondering if there is some config that I'm missing for the request to work from Apigee given that it's working if I curl from a vm inside client VPC.

1 ACCEPTED SOLUTION

Use the GCP console to navigate to your VPC network details (the one that is already peered with Apigee), then switch to the 'Private Service Connection' tab and take a look at the 'Allocated IP Ranges for Services'. You should be able to see at least one range allocated to 'servicenetworking-googleapis-com'. Update your router advertised routes using this range.

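The accepted solution as a scripted check, added here and not part of the thread: it reads the VPC-peering ranges allocated for private service access in the client VPC (the ones Apigee's instance and its on-prem-bound traffic are sourced from) and re-advertises them from the Cloud Router together with the subnets and the Cloud DNS forwarding source range. PROJECT, NETWORK, ROUTER and REGION are placeholder names, and the gcloud flags used are the standard ones for `compute addresses list` and `compute routers update`.

```shell
#!/bin/sh
# Added example (not from the thread). Finds the ranges reserved for
# servicenetworking.googleapis.com in the client VPC and advertises them
# from the Cloud Router so on-prem has a return route for Apigee traffic.
# PROJECT/NETWORK/ROUTER/REGION are assumed placeholder names.
set -eu

PROJECT="${PROJECT:-my-project}"
NETWORK="${NETWORK:-my-network}"
ROUTER="${ROUTER:-my-router}"
REGION="${REGION:-us-central1}"
DNS_SRC="35.199.192.0/19"   # Cloud DNS forwarding source range (from the thread)

# Turn "ADDRESS<TAB>PREFIXLEN" lines (gcloud value() output) into a
# comma-separated CIDR list; lines without a numeric prefix are skipped.
to_cidr_list() {
  awk -F'\t' 'NF >= 2 && $2 ~ /^[0-9]+$/ { c = c (c ? "," : "") $1 "/" $2 }
              END { print c }'
}

# Ranges allocated for private service access (purpose=VPC_PEERING) in NETWORK.
# These are the 'Allocated IP Ranges for Services' shown in the console.
peering_ranges() {
  gcloud compute addresses list --global --project="$PROJECT" \
    --filter="purpose=VPC_PEERING AND network:$NETWORK" \
    --format="value(address,prefixLength)" | to_cidr_list
}

# Advertise all subnets plus the peering ranges plus the DNS source range.
advertise() {
  ranges="$(peering_ranges)"
  if [ -z "$ranges" ]; then
    echo "no VPC_PEERING ranges allocated in $NETWORK; is it peered with Apigee?" >&2
    return 1
  fi
  gcloud compute routers update "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --advertisement-mode=CUSTOM \
    --set-advertisement-groups=ALL_SUBNETS \
    --set-advertisement-ranges="$ranges,$DNS_SRC"
}

# Only touch the router when explicitly asked, so the file can be sourced safely.
if [ "${RUN_ADVERTISE:-0}" = "1" ]; then
  advertise
fi
```

Run with `RUN_ADVERTISE=1` after verifying the listed ranges match what the console shows under 'Private Service Connection'.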
8 REPLIES

Are you advertising the Apigee instance IP range in the cloud router?

Right now I'm advertising the single subnet IP range that is in my VPC peered with Apigee and 35.199.192.0/19 (Google source for DNS requests) in the cloud router. What steps are needed to get the Apigee instance IP range?

The Apigee instance IP range I just looked up would then be the source of requests coming to the on prem routers correct? Had the source of requests as coming from my VPC subnet range. Might need to do some reconfiguration on my end.

Correct. Just add the new route. Christian's recommendation below is also a valid one. Make sure you have e2e connectivity before trying out DNS resolution.

Hey @gonzalezruben wanted to thank you for your responses so far. Just wanted to confirm a couple more details. If I add the instance IP range to advertisements do I still need to advertise the client VPC? Or am I safe to remove that from the cloud router advertisements?

Also, when sending a request to a proxy over the internet hitting https://httpbin.org/ip I do see the Apigee instance IP and then one IP address after:
<My IP> <LB IP> <Apigee Instance IP> <Additional IP>
I assume that Additional IP is the result of Cloud NAT allowing the resource to create an outbound connection to the internet. Since I'll be connecting to on-prem through interconnect am I correct in assuming that on prem would receive the Apigee Instance IP as the source without that additional IP?
Thanks again for your other responses, trying to get a better understanding of everything before I make any big updates.
The traffic from the instance to on-prem will come from IPs that belong to the peering connection range. The NAT IP (default or self-provisioned) is available for egress traffic (Internet).

If you configure Apigee to hit the target via IP address does it work? That should confirm that the network side of it is working and it really is a DNS issue.

I'd also suggest grabbing a trace to confirm that the target DNS name your proxy is trying to hit is the one you're expecting (eg, no typos).