Network bridge VM's health check is failing while provisioning Apigee using Terraform modules.

One of my customers is using the Terraform modules [1] to provision their organization but the network bridge VM's health check is failing. 

[1] https://github.com/apigee/terraform-modules

@carlosrsantos 

1 ACCEPTED SOLUTION

If the health check is timing out trying to reach the network bridge VM, here are a few things to review:

  • Does the VPC's firewall allow access on TCP port 443 from the load balancer CIDR ranges?
  • Does the network bridge VM (name typically prefixed with "apigee-network-bridge") have the startup-script-url metadata property set?
  • Can the network bridge VM download the startup script from Google Cloud Storage (at the time of this writing, the URL is gs://apigee-5g-saas/apigee-envoy-proxy-release/latest/conf/startup-script.sh)? Validate that the subnet the VM is in either has network connectivity or has private access to Google services.
  • Did the startup script execute successfully? Check the VM's serial port output.

If the network should not allow outbound internet connectivity, check out the Private access options for services page for options, including enabling Private Google Access at the subnet, or using Private Service Connect.

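As an added example that is not part of the original thread or of the apigee/terraform-modules repository, the Terraform fragment below shows how the checklist items in the accepted answer map onto resources: Private Google Access on the subnet, an ingress rule for TCP 443 from the load balancer ranges, and the startup-script-url metadata on the instance template. Resource names, the CIDR, the region and the network tag are placeholders; the two source ranges are the Google-documented health-check and proxy ranges for external HTTP(S) load balancers at the time of writing and should be checked against current documentation.

```hcl
# Subnet hosting the network bridge VM. Private Google Access lets a VM
# with no external IP fetch the startup script from Cloud Storage.
resource "google_compute_subnetwork" "bridge" {
  name                     = "apigee-bridge-subnet"   # placeholder
  region                   = "us-central1"            # placeholder
  network                  = "example-vpc"            # placeholder
  ip_cidr_range            = "10.10.0.0/24"           # placeholder
  private_ip_google_access = true                      # fixes "cannot download startup script"
}

# Ingress rule for the load balancer / health-check ranges on TCP 443.
# A low priority number (high precedence) matters when an org or folder
# policy installs a deny-all rule, as described later in the thread.
resource "google_compute_firewall" "bridge_lb_443" {
  name      = "allow-lb-to-bridge-443"                # placeholder
  network   = "example-vpc"                            # placeholder
  direction = "INGRESS"
  priority  = 100

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }

  # Google health-check and proxy ranges (verify against current docs).
  source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
  target_tags   = ["apigee-network-bridge"]           # placeholder tag
}

# Instance template for the bridge VMs. The startup-script-url metadata
# key must point at the envoy proxy startup script named in the thread.
resource "google_compute_instance_template" "bridge" {
  name_prefix  = "apigee-network-bridge-"             # placeholder
  machine_type = "e2-small"                            # placeholder
  tags         = ["apigee-network-bridge"]            # must match target_tags above

  disk {
    source_image = "debian-cloud/debian-11"            # placeholder
    boot         = true
  }

  network_interface {
    subnetwork = google_compute_subnetwork.bridge.id
    # no access_config block: no external IP, so Private Google Access is required
  }

  metadata = {
    startup-script-url = "gs://apigee-5g-saas/apigee-envoy-proxy-release/latest/conf/startup-script.sh"
  }
}
```

After applying, the fourth checklist item can be confirmed from the VM's serial port output, where a failed download from the gs:// URL or a firewall rejection shows up before the health check ever passes.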

4 REPLIES


I observed this problem, or a very similar problem, with a different customer, when the project/folder settings required a DENYALL firewall setting for ingress and egress.  Basically the VMs were completely isolated by default.  When we adjusted the firewall settings on those VMs, they began responding healthy.

Something to check.

Thanks @dchiesa1 @carlosrsantos. Customer just replied that after enabling Private Google Access on their subnet, they were able to provision it. 

OUTSTANDING.  Thanks for the followup.