Disabling Apigee X Internet Egress With VPC Service Controls

Hello,

I have a client requirement that all Apigee southbound traffic must go through a network appliance deployed in GCP. We have northbound traffic making it to Apigee through the network appliance. We have an API proxy using https://mocktarget.apigee.net as the target endpoint. We are trying to use the approach documented here for disabling Apigee's default internet egress route so that it will follow the routes we've exported in the Apigee peering connection.

We ran the command for the NETWORK that is peered with Apigee. The gcloud CLI reported that the operation was successful.

gcloud services vpc-peerings enable-vpc-service-controls \
  --network=$NETWORK --project $PROJECT_ID \
  --service servicenetworking.googleapis.com

We ran a test to verify that the traffic is no longer reaching the internet from Apigee, but the calls are still succeeding. We had a network security engineer running a sniffer to verify that the Apigee southbound traffic is not reaching the network appliance.

Are there any additional steps that we can try to troubleshoot this?

We have also tried using the new forward proxy functionality. It seems we can get that to work for internet bound traffic. However, we are having trouble getting it to work for internal traffic. We're not sure what to change on the firewall settings to get it working at this point. So, we're trying to get our original plan working by deleting Apigee's default route using the command above.

Thanks in advance for any help or guidance.

1 ACCEPTED SOLUTION

We got this working by removing our default route (0.0.0.0/0) and adding two new routes: 0.0.0.0/1 & 128.0.0.0/1

If I'm being honest, I'm not entirely sure why the default route 0.0.0.0/0 wasn't doing the trick, but changing the routes exported in the VPC peering connection seems to have resolved our issue.
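As an added illustration, not taken from this thread, of why two /1 exports behave differently from a single 0.0.0.0/0 export: a small longest-prefix-match model of the route table on the Apigee side of the peering. It assumes (the thread does not state this) that the Apigee tenant network keeps its own 0.0.0.0/0 internet route and that, on an equal prefix length, that local route beats a peering-imported one; the next-hop names and the target address are constructed.

```python
import ipaddress

# Constructed model of the Apigee tenant VPC's own default route (assumption).
TENANT_DEFAULT = {"dest": "0.0.0.0/0", "next_hop": "default-internet-gateway", "origin": "local"}


def select_route(routes, dst_ip):
    """Longest-prefix match. On a tie in prefix length the local route is
    assumed to beat a peering-imported one (assumption, see lead-in)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r["dest"])
        if dst not in net:
            continue
        key = (net.prefixlen, 1 if r["origin"] == "local" else 0)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None


def tenant_routes(exported_prefixes, appliance_hop="nva-next-hop"):
    """Tenant-side table: its own default route plus the customer VPC's exported
    custom routes, which arrive as peering routes pointing at the appliance."""
    routes = [dict(TENANT_DEFAULT)]
    for p in exported_prefixes:
        routes.append({"dest": p, "next_hop": appliance_hop, "origin": "peering"})
    return routes


def next_hop_for(exported_prefixes, dst_ip):
    """Next hop the tenant network would pick for dst_ip given these exports."""
    return select_route(tenant_routes(exported_prefixes), dst_ip)["next_hop"]


def covers_all_ipv4(prefixes):
    """True if the exported prefixes together still cover the whole IPv4 space,
    i.e. no destination falls back to the tenant's internet route."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    target = "203.0.113.10"  # constructed stand-in for a target endpoint address
    print(next_hop_for(["0.0.0.0/0"], target))                 # default-internet-gateway
    print(next_hop_for(["0.0.0.0/1", "128.0.0.0/1"], target))  # nva-next-hop
    print(covers_all_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))       # True
```

Because the longer prefix always wins, the coverage check guards against exporting a set of routes that leaves a gap which silently falls back to the internet route.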


2 REPLIES

Hi,

At a high level, running the command you mentioned `gcloud services vpc-peerings enable-vpc-service-controls ...` should block the egress traffic to the internet, as the command removes the default route.

Unfortunately, I won't be able to help much without looking into the org & proxy configurations. Please provide more details on the org & proxy if possible, or feel free to create a support ticket with that information. We can take a look at it.

Thanks,
Baskar.
