How to configure multiple ingress gateways in Apigee Hybrid

The purpose of this article is to provide step-by-step instructions on how to create multiple ingress gateways in Apigee Hybrid.

UPDATE: This tutorial only applies to Apigee Hybrid 1.7 or older versions. For Apigee Hybrid 1.8, follow the official documentation.

 

Why multiple gateways?

Now, before you go and create multiple ingress gateways (and multiple load balancers with your cloud provider), make sure you need them. Load balancers cost money, and each one is yet another thing you need to manage. A single load balancer works well in many scenarios; however, there are cases where you might have one private or internal load balancer and a second public one. Or, as in the case of one of my customers, one of the requirements was that they needed to have different networks for each partner.

The scenario with a single load balancer would look like the figure below:

 

[Figure: single load balancer scenario]

 

 

We have a single ingress gateway: a Kubernetes service of type LoadBalancer and a Pod running Envoy. Because the service is of type LoadBalancer, an actual load balancer instance is created, which gives us an external IP address.

With the Istio Gateway resource, and the virtual host configuration, we can expose multiple different services from the cluster on different domain names or sub-domains.

Now consider a different scenario where you want two separate load balancer instances running - shown in the figure below:

 

[Figure: two load balancer scenario]

 

In this scenario, we have two different external IPs that point to two different ingress gateways that run inside the same Kubernetes cluster. Let’s look at how to achieve this.

 

To make these changes, you need to modify your IstioOperator.yaml configuration file. This file should be under your hybrid-files directory if you followed the instructions in our official documentation.

Make the following changes to your configuration file:

 

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
 components:
   ingressGateways:
   - name: istio-ingressgateway1
     enabled: true
     k8s:
       service:
         type: LoadBalancer
         loadBalancerIP: $STATIC_IP1
         ports:
         - name: status-port
           port: 15021 # for ASM 1.7.x and above, else 15020
           targetPort: 15021 # for ASM 1.7.x and above, else 15020
         - name: http2
           port: 80
           targetPort: 8080
         - name: https
           port: 443
           targetPort: 8443
 
   - name: istio-ingressgateway2
     enabled: true
     k8s:
       service:
         type: LoadBalancer
         loadBalancerIP: $STATIC_IP2
         ports:
         - name: status-port
           port: 15021 # for ASM 1.7.x and above, else 15020
           targetPort: 15021 # for ASM 1.7.x and above, else 15020
         - name: http2
           port: 80
           targetPort: 8080
         - name: https
           port: 443
           targetPort: 8443

 

You will need different certificates for each LB, and you have two options: you can store the certificates locally or create Kubernetes secrets.

Add the following sections to your overrides.yaml configuration file:

virtualhosts:
 - name: test-env-group
   sslCertPath: ./certs/keystore-test.pem
   sslKeyPath: ./certs/keystore-test.key
 - name: prod-env-group
   sslCertPath: ./certs/keystore-prod.pem
   sslKeyPath: ./certs/keystore-prod.key

# Or, if you prefer to use k8s secrets instead:

virtualhosts:
 - name: test-env-group
   minTLSProtocolVersion: "1.3"
   maxTLSProtocolVersion: "1.3"
   sslSecret: ssl-secret-test
 - name: prod-env-group
   minTLSProtocolVersion: "1.3"
   maxTLSProtocolVersion: "1.3"
   sslSecret: ssl-secret-prod
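
An added example, not part of the original article or of Apigee's tooling: a small Python check that reads the virtualhosts section of overrides.yaml and flags environment groups that share certificate material or mix the two options above. The sample input is constructed, and the parser is a minimal stand-in that assumes the flat layout shown in this article.

```python
# Constructed sample: prod-env-group reuses the test secret and also sets file paths.
SAMPLE_OVERRIDES = """\
virtualhosts:
  - name: test-env-group
    minTLSProtocolVersion: "1.3"
    maxTLSProtocolVersion: "1.3"
    sslSecret: ssl-secret-test
  - name: prod-env-group
    sslSecret: ssl-secret-test
    sslCertPath: ./certs/keystore-prod.pem
    sslKeyPath: ./certs/keystore-prod.key
"""

def parse_virtualhosts(text):
    """Minimal parser for the flat list under `virtualhosts:` (not a full YAML parser)."""
    hosts, in_section = [], False
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()              # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace() and not line.startswith("-"):
            in_section = line.strip() == "virtualhosts:"  # a top-level key
        elif in_section:
            item = line.strip()
            if item.startswith("- "):                   # start of a new entry
                hosts.append({})
                item = item[2:]
            key, _, value = item.partition(":")
            if hosts:
                hosts[-1][key.strip()] = value.strip().strip('"')
    return hosts

def lint_virtualhosts(hosts):
    """Return findings; an empty list means every env group has its own certificate."""
    findings, seen = [], {}
    for h in hosts:
        name = h.get("name", "<unnamed>")
        files = [k for k in ("sslCertPath", "sslKeyPath") if k in h]
        if files and "sslSecret" in h:
            findings.append(f"{name}: sets both file paths and sslSecret")
        elif len(files) == 1:
            findings.append(f"{name}: {files[0]} set without its counterpart")
        elif not files and "sslSecret" not in h:
            findings.append(f"{name}: no certificate configured")
        for key in ("sslSecret", "sslCertPath", "sslKeyPath"):
            if key in h:
                owner = seen.setdefault((key, h[key]), name)
                if owner != name:
                    findings.append(f"{name}: {key} {h[key]} is shared with {owner}")
    return findings
```

Calling `lint_virtualhosts(parse_virtualhosts(open("overrides.yaml").read()))` before applying the configuration returns one line per problem, or an empty list when each environment group has its own certificate.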
Last update: 12-22-2022 10:35 AM