BigQuery service cannot be added to the VPC-SC perimeter in Apigee X GCP projects

Problem

If VPC-SC is enabled in an Apigee X GCP project and the BigQuery service is included in the VPC-SC perimeter, the Analytics queries executed by the Apigee Management Plane fail with the following errors:

In the UI you may see HTTP 500 Internal Server Errors when the API Proxies page is populated. The failure can be verified by executing the following Apigee Management API request (the -i flag makes curl print the response status line and headers shown below):

curl -i -H "Authorization: Bearer ---masked---" \
  "https://apigee.googleapis.com/v1/organizations/{masked}/environments/{masked}/stats/apiproxy?limit=14400&select=sum(message_count)&sort=DESC&sortby=sum(message_count)&timeRange=05%2F2%2F2022+01:00:00~05%2F3%2F2022+01:00:00&timeUnit=hour&tsAscending=true"

HTTP/2 500
date: Tue, 03 May 2022 01:20:40 GMT
...

{
  "error": {
    "code": 500,
    "message": "unexpected server error",
    "status": "INTERNAL",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.RequestInfo",
        "requestId": "{masked}"
      }
    ]
  }
}

Internally, the failure above is caused by a VPC Service Controls denial on the BigQuery query, as recorded in the Apigee Management Plane logs:

E 2022-04-29 03:31:48.242863-0700 795428 dao.go:971] 
Returning BigQuery error, message: "error while executing interactive query, 
reqID: \"{masked}\"", 
errCode: "PERMISSION_DENIED", 
err: generic::permission_denied: 
VPC Service Controls: Request is prohibited by organization's policy. 
vpcServiceControlsUniqueIdentifier: {masked}.

Solution

The BigQuery service must be removed from the VPC-SC perimeter to resolve this problem. The reason is visible in the following message flow:

Apigee Management Plane (hosted in Google internal infrastructure) -> Apigee X Tenant Project -> BigQuery Service

As shown in the message flow above, the Apigee Management Plane talks to the BigQuery Service in the Apigee X Tenant project. The problem is that the Apigee Management Plane is not part of the VPC-SC perimeter. If VPC-SC is enabled in the consumer GCP project and the BigQuery service is added to the VPC-SC perimeter, the BigQuery queries executed by the Apigee Management Plane are rejected with the permission error shown above.

Currently the solution to this issue is to remove the BigQuery service from the VPC-SC perimeter. Documentation reference: https://cloud.google.com/apigee/docs/api-platform/security/vpc-sc
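The following script is an added example, not part of the original article or of any Google tooling. It shows how an operator can confirm whether a perimeter still lists bigquery.googleapis.com under its restricted services and print the gcloud command that removes it. The perimeter name, access-policy number and project number are placeholders, and the JSON sample is a constructed imitation of the pretty-printed output of gcloud access-context-manager perimeters describe --format=json.

```shell
#!/bin/sh
# Added example (not from the original article): detect bigquery.googleapis.com
# in a VPC-SC perimeter's restricted services and build the remediation command.
# Perimeter name, policy number and project number below are placeholders.

# Constructed sample of the pretty-printed JSON that
#   gcloud access-context-manager perimeters describe PERIMETER --policy=POLICY --format=json
# returns for a perimeter that (wrongly, for Apigee X) restricts BigQuery.
SAMPLE_PERIMETER_JSON='{
  "name": "accessPolicies/123456789012/servicePerimeters/apigee_perimeter",
  "status": {
    "resources": [
      "projects/111111111111"
    ],
    "restrictedServices": [
      "apigee.googleapis.com",
      "bigquery.googleapis.com",
      "storage.googleapis.com"
    ]
  }
}'

# restricted_services JSON
#   Prints one service per line from status.restrictedServices.
#   Assumes the pretty-printed layout gcloud emits (one array element per line).
restricted_services() {
  printf '%s\n' "$1" \
    | sed -n '/"restrictedServices"/,/\]/p' \
    | grep -o '"[a-z0-9.-]*\.googleapis\.com"' \
    | tr -d '"'
}

# bigquery_restricted JSON
#   Exit status 0 if bigquery.googleapis.com is restricted by the perimeter, 1 otherwise.
bigquery_restricted() {
  restricted_services "$1" | grep -qx 'bigquery.googleapis.com'
}

# remediation_cmd PERIMETER POLICY
#   Prints the gcloud command that drops BigQuery from the perimeter's restricted services.
remediation_cmd() {
  printf 'gcloud access-context-manager perimeters update %s --policy=%s --remove-restricted-services=bigquery.googleapis.com\n' "$1" "$2"
}

# Live check against a real perimeter (requires gcloud and permissions):
#   sh check_perimeter.sh --live PERIMETER POLICY
if [ "${1:-}" = "--live" ]; then
  perimeter_json=$(gcloud access-context-manager perimeters describe "$2" --policy="$3" --format=json)
  if bigquery_restricted "$perimeter_json"; then
    echo "bigquery.googleapis.com is restricted by this perimeter; remove it with:"
    remediation_cmd "$2" "$3"
  else
    echo "bigquery.googleapis.com is not restricted by this perimeter"
  fi
fi
```

Run without arguments the script only defines the functions and the sample; with --live it queries the named perimeter and, when BigQuery is restricted, prints the update command rather than executing it, so the change can be reviewed before it is applied. After the update, re-run the stats request from the Problem section and confirm it returns HTTP 200 instead of 500.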

Last update: 09-29-2022 09:57 PM