Traffic/Resource isolation in edge private cloud installation solution


Organisation Structure

We are going to migrate to a new architecture with Apigee Edge as our API gateway platform. We will be using the on-premises installation. We have different business units within the enterprise, so we are thinking of either of the following solutions.

First approach: Create an organisation for each business unit. Say Org A, Org B, Org C etc. Each Org will have 4 different environments - DEV, TEST, UAT and Prod. Is it possible to isolate traffic between environments within an org (we want to isolate production traffic) in an Edge on-premises installation? It seems possible to allocate message processors to a specific environment. What about the Router and other components?

Second approach: Create organisations for prod and non-prod separately. Say Unit A - Prod, Unit A - NonProd, Unit B - Prod, Unit B - NonProd etc. The Non-Prod organisation will comprise the DEV, TEST and UAT environments.

Which approach do you think is the better and most feasible one that allows traffic/resource isolation for production?


rmishra
Participant V

In most private installations that I have managed or worked on, I always recommend that you keep your production traffic physically distinct from your non-production traffic.

This is not unique to Apigee; it's just good hygiene if you use any platform which spreads beyond 1 or 2 servers.

You want a separate physical installation for Production because:

  1. It helps you test upgrades before you upgrade your production environment. While you can perform upgrades on a simpler, smaller installation, it really derisks your upgrade if you test it on a similar topology as production.
  2. Regulatory and compliance considerations - depending on the industry and compliance teams you work with, some will prefer/mandate that you keep production physically distinct from non-prod environments.

In Apigee parlance, I would recommend you do the following:

Production Planet

Org A for Business Unit A

- Prod Env.

- Staging Env. (To replicate production issues)

Non Production Planet

Org A for Business Unit A

- Dev Env.

- QA Env.

- Test Env.

Obviously, you could break it down to more planets, but that depends on how much infrastructure you can pay for and maintain.

If you want to physically isolate traffic between environments in a Planet, I would recommend isolating Message Processors. You can do this by registering environments with MPs. You can look at Apigee's documentation for the same. I don't think separating routers by environment makes much sense (unless you have compliance reasons to do so).

HTH
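The MP-to-environment registration the answer above refers to, as an added example that is not part of the original post. It wraps the Edge Private Cloud management API calls for associating a Message Processor with an environment and adds a check that no MP ends up serving both the prod environment and a non-prod one. The management-server address, admin credentials, org/env names and the `uUID` key in the listing output are assumptions to adapt to your installation.

```shell
# Added example: bind Message Processors to environments and verify prod isolation.
# Placeholders: MS_HOST (management server), APIGEE_ADMIN/APIGEE_PASS (sysadmin creds).
MS="${MS_HOST:-http://ms.example.internal:8080}"
AUTH="${APIGEE_ADMIN:-admin@example.com}:${APIGEE_PASS:-changeme}"

# Read an MP's own UUID from its local endpoint (port 8082 on the MP host).
mp_uuid() {  # mp_uuid <mp-host>
  curl -sf "http://$1:8082/v1/servers/self" | grep -o '"uUID" *: *"[^"]*"' | cut -d'"' -f4
}

# Register (action=add) or deregister (action=remove) an MP for an environment.
# Endpoint: POST /v1/o/{org}/e/{env}/servers with action=<add|remove>&uuid=<mp-uuid>
bind_mp() {  # bind_mp <org> <env> <mp-uuid> <add|remove>
  curl -sf -u "$AUTH" -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    "$MS/v1/o/$1/e/$2/servers" -d "action=$4&uuid=$3"
}

# List the UUIDs of the MPs currently serving an environment, one per line.
# The "uUID" key name is assumed from the Edge server-listing JSON.
list_mps() {  # list_mps <org> <env>
  curl -sf -u "$AUTH" "$MS/v1/o/$1/e/$2/servers" | grep -o '"uUID" *: *"[^"]*"' | cut -d'"' -f4
}

# Pure check (no network): given whitespace-separated prod and non-prod UUID lists,
# report any MP that appears in both and return 1, else return 0.
check_isolation() {  # check_isolation "<prod uuids>" "<nonprod uuids>"
  prod=$1; nonprod=$2; overlap=""
  for u in $nonprod; do
    case " $prod " in *" $u "*) overlap="$overlap $u";; esac
  done
  [ -z "$overlap" ] || { echo "shared MPs:$overlap" >&2; return 1; }
}

# Pull the live bindings for one org and fail if prod shares an MP with any non-prod env.
enforce_prod_isolation() {  # enforce_prod_isolation <org> <prod-env> <nonprod-env>...
  org=$1; prodenv=$2; shift 2
  prod_mps=$(list_mps "$org" "$prodenv")
  for env in "$@"; do
    check_isolation "$prod_mps" "$(list_mps "$org" "$env")" || return 1
  done
}
```

Run `enforce_prod_isolation orgA prod dev test uat` after binding MPs to confirm the prod set is disjoint from every non-prod environment's set.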
