Networking patterns for OPDK on GCP

In this article I will go through the process of exposing Apigee Edge Private Cloud, also known as OPDK, to external clients on GCP.

I recently went through this exercise with one of my customers. There are additional deployment options, such as multi-region, that I won't cover here, but this should give you an idea of the choices available. Throughout, I assume that OPDK is deployed on a Compute Engine VM inside the customer's GCP environment.

Apigee OPDK with HTTPS Load Balancer (L7 XLB) / Cloud Armor (northbound)

This pattern has a clear advantage: always-on DDoS protection from Cloud Armor, enabled with a single click.

Client (TLS) -> L7 XLB (TLS) -> Apigee OPDK


Key points

  • Connection from external client to Apigee OPDK via Google Cloud External HTTP LB (L7 XLB) and Cloud Armor
  • The GCP L7 XLB forwards the X-Forwarded-For header, and Apigee automatically sets the proxy.client.ip variable from it
  • For multi-region deployments, Network Bridge MIGs and Apigee OPDK Instances can be created in multiple regions. L7 XLB is global and a single XLB can target these multi-regional resources. 
  • Cloud Armor can be used for DDoS volumetric protection and WAF. It can also be used for IP allow-listing for specific source (client) IPs


Apigee OPDK with L4 XLB / Cloud Armor (northbound)

Client (mTLS) -> L4 XLB -> Apigee OPDK (TLS)


* If the Router requires the true client IP, enable proxy_protocol on the external L4 load balancer so that it passes the original client IP at the start of the TCP connection. On the Router, you must also set listenOptions on the virtual host to proxy_protocol. For more detail, check out the docs page.

Key points

  • Connection from external client to Apigee OPDK via Google Cloud External TCP LB and Cloud Armor. L4 XLB talks to Apigee OPDK Instance
  • For global deployments, Apigee OPDK Instances can be deployed in multiple regions. L4 XLB (with premium tier) is global and a single LB with a global IP can target these multi-regional resources
  • L4 XLB will proxy packets to Apigee OPDK where mTLS can be terminated
  • Apigee OPDK supports proxy_protocol, so it can correctly set the proxy.client.ip variable
  • Cloud Armor can be used for DDoS volumetric protection and WAF. It can also be used for IP allow-listing for specific source (client) IPs.
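How the two front doors above convey the true client IP to the Router, as an added Python illustration that is not code from the article or from Apigee. It assumes the X-Forwarded-For format documented for Google's external HTTP(S) LB (client-supplied values, then the client IP, then the LB IP) and the PROXY protocol v1 line sent by the TCP proxy LB; the addresses and the allow-list are constructed samples.

```python
import ipaddress
from typing import Iterable, Optional

# Google's external HTTP(S) LB appends to X-Forwarded-For:
#   <whatever the client supplied>, <client IP as seen by the LB>, <LB IP>
# so the trustworthy client address is the entry just before the LB's own entry.
def client_ip_from_xff(xff: str, trusted_hops: int = 1) -> Optional[str]:
    """Client IP behind `trusted_hops` proxies that each append themselves (1 = the XLB)."""
    hops = [h.strip() for h in xff.split(",")]
    if len(hops) < trusted_hops + 1:
        return None                  # fewer entries than trusted proxies: did not come via the LB
    candidate = hops[-(trusted_hops + 1)]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None                  # client-controlled junk in the trusted slot: reject, don't guess

# With the TCP proxy LB and proxy header PROXY_V1, the Router first receives one text line:
#   PROXY TCP4 <client IP> <LB IP> <client port> <LB port>\r\n   (or "PROXY UNKNOWN\r\n")
def client_ip_from_proxy_v1(header: bytes) -> Optional[str]:
    """Parse a PROXY protocol v1 line; None if absent, malformed or UNKNOWN."""
    line, sep, _ = header.partition(b"\r\n")
    if not sep or not line.startswith(b"PROXY ") or len(line) > 105:
        return None                  # v1 lines are at most 107 bytes including CRLF
    try:
        parts = line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        return None
    if parts[1] == "UNKNOWN":
        return None                  # sender could not determine the original address
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        return None
    try:
        src = ipaddress.ip_address(parts[2])
        ports_ok = all(0 <= int(p) <= 65535 for p in parts[4:6])
    except ValueError:
        return None
    if not ports_ok or src.version != (4 if parts[1] == "TCP4" else 6):
        return None                  # family/port mismatch: treat as malformed
    return str(src)

def is_allowed(client_ip: str, allowlist: Iterable[str]) -> bool:
    """Source-IP allow-listing against CIDR ranges, the check Cloud Armor performs at the edge."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)
```

The point of the rightmost-but-one rule is that the leading X-Forwarded-For entries are whatever the client sent, so an allow-list keyed on the first entry is trivially bypassed.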


Apigee OPDK with Third Party WAF (northbound)

Client (mTLS) -> Third Party WAF (mTLS) -> Apigee OPDK (TLS)



Key points

  • Connection from external client to Apigee OPDK via third-party WAF (e.g. Akamai) + Google Cloud External TCP LB (L4 XLB) + OPDK (VM)
  • WAF can provide DDoS protection and can handle HA load-balancing before forwarding to GCP components, which are replicated in multiple regions (L4 XLBs, Apigee OPDK instances).


Here are the setup steps:

  1. Create an unmanaged/managed instance group for OPDK VMs



  2. Create a health check on port 8080 (management server)


  3. Create a load balancer and a backend service (this example uses the TCP load balancer, but it could also be the HTTPS load balancer)


  4. Create an L7 XLB and a backend service


The following step is required only if you are using the TCP load balancer, because it relies on the proxy protocol.


Modify the virtual host configuration for the TCP load balancer to support the proxy protocol

As described in the docs, your virtual host configuration should look like this. Pay special attention to the listenOptions section:


curl -i -u yourusername@company.com http://{yourOpdkManagementServerIP}:8080/v1/organizations/myorg/environments/prod/virtualhosts/default
Enter host password for user 'yourusername@company.com':
HTTP/1.1 200 OK
Content-Type: application/json
X-Apigee.user: yourusername@company.com
X-Apigee.organization: myorg
X-Apigee.environment: prod
X-Apigee.backends: management-server
Date: Mon, 12 Sep 2022 16:47:55 GMT
Vary: Accept-Encoding, User-Agent
Content-Length: 222

{
  "hostAliases" : [ "opdk-prod.company.com" ],
  "interfaces" : [ ],
  "listenOptions" : [ "proxy_protocol" ],
  "name" : "default",
  "port" : "9001",
  "retryOptions" : [ ],
  "useBuiltInFreeTrialCert" : false
}
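One way to turn the setting on through the management API, as an added Python example that is not from the article or from Apigee: it GETs the virtual host, adds proxy_protocol to listenOptions if it is missing, and PUTs the definition back through the same management-server endpoint and basic auth as the curl call above. The OPDK_* environment variables are hypothetical names chosen for this example.

```python
import base64
import json
import os
import urllib.request
from typing import Any, Dict, Optional

def with_proxy_protocol(vhost: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the virtual host JSON with proxy_protocol in listenOptions (idempotent)."""
    updated = dict(vhost)
    options = list(vhost.get("listenOptions", []))
    if "proxy_protocol" not in options:
        options.append("proxy_protocol")
    updated["listenOptions"] = options
    return updated

def vhost_url(mgmt_host: str, org: str, env: str, vhost: str) -> str:
    """Management-server URL for one virtual host (port 8080, as in the curl calls above)."""
    return (f"http://{mgmt_host}:8080/v1/organizations/{org}"
            f"/environments/{env}/virtualhosts/{vhost}")

def _call(method: str, url: str, user: str, password: str,
          body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Single management API request with basic auth, returning the parsed JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")      # same credentials curl -u sends
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def enable_proxy_protocol(mgmt_host: str, org: str, env: str, vhost: str,
                          user: str, password: str) -> Dict[str, Any]:
    """GET the current definition, add proxy_protocol, PUT it back only if it changed."""
    url = vhost_url(mgmt_host, org, env, vhost)
    current = _call("GET", url, user, password)
    desired = with_proxy_protocol(current)
    if desired["listenOptions"] == current.get("listenOptions", []):
        return current                                      # already enabled: no write needed
    return _call("PUT", url, user, password, desired)

if __name__ == "__main__":
    # Hypothetical variable names; none of these values come from the article.
    result = enable_proxy_protocol(
        os.environ["OPDK_MGMT_HOST"], os.environ.get("OPDK_ORG", "myorg"),
        os.environ.get("OPDK_ENV", "prod"), os.environ.get("OPDK_VHOST", "default"),
        os.environ["OPDK_USER"], os.environ["OPDK_PASSWORD"])
    print(json.dumps(result, indent=2))
```

Only apply this to the virtual host that sits behind the TCP load balancer; a virtual host behind the HTTPS load balancer must keep listenOptions empty, as the https example below shows.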


If you are also using an HTTPS load balancer to expose Apigee, you will need a second virtual host listening on a different port, without proxy_protocol, so that both load balancers can be served side by side. In most cases you would use only one virtual host configuration.


curl -i -u yourusername@company.com http://{yourOpdkManagementServerIP}:8080/v1/organizations/myorg/environments/prod/virtualhosts/https
Enter host password for user 'yourusername@company.com':
HTTP/1.1 200 OK
Content-Type: application/json
X-Apigee.user: yourusername@company.com
X-Apigee.organization: myorg
X-Apigee.environment: prod
X-Apigee.backends: management-server
Date: Mon, 12 Sep 2022 16:51:05 GMT
Vary: Accept-Encoding, User-Agent
Content-Length: 203

{
  "hostAliases" : [ "opdk-http.company.com" ],
  "interfaces" : [ ],
  "listenOptions" : [ ],
  "name" : "https",
  "port" : "9002",
  "retryOptions" : [ ],
  "useBuiltInFreeTrialCert" : false
}

Last update: 12-29-2022 08:26 AM