Isolate traffic by environment and process it with a dedicated Router and MP for each Env

Requirement:

We need to isolate the traffic by environment and have it processed by a dedicated Router and MP for each Env. In production we will have 'PROD' and 'PILOT' environments under only one ORG, and the traffic should not cross environments.

Setup:

1. Installed a 5-node Apigee with 2 RMP, 3 CASS and 2 PG.

2. Created ORG1 and the PROD environment using setup-org, and assigned MP1 to this environment.

3. Created virtual host 'default' with host alias 'api-prod.com' under the PROD env.

4. Created the PILOT environment with virtual host 'default' and host alias 'api-pilot.com', and assigned MP2 to this environment.

5. Onboarded a proxy and deployed it to both environments.

6. We can see the request processed by MP1 if we pass the host header 'api-prod.com', and by MP2 if we pass the host header 'api-pilot.com'.

Issue:

The requirement is that we need to separate the traffic even at the Router level and raise a fault if traffic reaches the wrong Router, rather than passing it on to the correct MP. (The expectation is to assign Router1 to PROD and Router2 to the PILOT env.) We need Router1 to serve traffic only for 'api-prod.com' and Router2 only for 'api-pilot.com'. We see that Apigee sends the traffic to the appropriate MP based on the host header.

Is there any way to associate a Router with an environment as well? Or is there an alternative approach for this requirement?

We do not want more ORGs or another Apigee setup; this is to satisfy the security requirements of our company.

Appreciate any help or leads to resolve this.

Solved

ACCEPTED SOLUTION

For Message Processors.

Pinning Message Processors to specific environments in an organization requires Management API calls to remove them as servers from an environment after installation, if the environment already existed when the MP was installed. The environment creation operation affects and involves all MPs in the organization (you can see this in the output of the new environment creation operation using the apigee-service add-env command). As you correctly do, you can decouple/dissociate one or more MPs from a given org/env with the corresponding Management API calls:

https://apidocs.apigee.com/management/apis/delete/organizations/%7Borg_name%7D/environments/%7Benv_n...

For Routers.

All Routers in the same organization receive the deployment information for all virtualhosts of all environments in that organization.

The way to achieve what you need is to associate a different virtualhost TCP port with each environment, and then either physically not expose the unwanted environment's port to the load balancers that front each Router cluster (backed by firewall rules), or use local iptables rules on each Router to whitelist/blacklist TCP ports, so that each Router only serves the virtualhost port of its environment.


5 REPLIES

Your question is clear.

You cannot associate a Router to a particular environment, directly.

Normally a router gets all vhost configuration for an organization. And each router can route to every registered MP in all environments.

One solution is to physically prevent network access between the router environment and the MPs that you want to exclude. This could be via a network firewall between the router and the MP, or via iptables deny rules on the router machine.

One possible alternative solution: use distinct pods to keep traffic separate. I don't know for sure if this will work, though.

I would like to invite @NICOLA , or maybe @Carlos Frias , to comment here.

The Router component is organization- and environment-agnostic. As Dino suggested, you could either create different gateway pods or restrict the traffic via a network firewall / iptables to isolate it. A given Router instance will dispatch API requests only to the MP instances that belong to the same gateway pod.
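The per-port iptables approach described in the accepted solution and in Dino's reply, as an added example that is not part of the original thread or of the Apigee product. It assumes the PROD virtualhost listens on TCP 9001 and the PILOT virtualhost on TCP 9002 (port numbers are assumptions, the thread does not state them), generates the rules that pin a Router to one environment's port, and checks an iptables-save dump to confirm the other environment's port is refused. The sample dump is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Pin each Apigee Router to one
# environment's virtualhost TCP port with local iptables rules, and verify it.
# ASSUMPTION: PROD vhost on 9001, PILOT vhost on 9002 (not given in the thread).
set -eu

PROD_PORT=9001
PILOT_PORT=9002

# Print the iptables commands that pin a Router to one environment.
# Usage: router_rules PROD|PILOT [DROP|REJECT]   (default action: DROP)
router_rules() {
  env="$1"; action="${2:-DROP}"
  case "$env" in
    PROD)  allow=$PROD_PORT;  deny=$PILOT_PORT ;;
    PILOT) allow=$PILOT_PORT; deny=$PROD_PORT ;;
    *) echo "unknown environment: $env" >&2; return 1 ;;
  esac
  # Fail closed: refuse the other environment's vhost port at the Router so a
  # misrouted request is rejected here instead of being forwarded to an MP.
  echo "iptables -I INPUT -p tcp --dport $deny -j $action"
  # Explicitly accept our own port (matters when the INPUT policy is DROP).
  echo "iptables -I INPUT -p tcp --dport $allow -j ACCEPT"
}

# Does an iptables-save dump contain a DROP/REJECT INPUT rule for $port?
# Returns 0 if blocked, 1 otherwise.
port_is_blocked() {
  port="$1"; dump="$2"
  printf '%s\n' "$dump" | grep -Eq "^-A INPUT .*--dport ${port} .*-j (DROP|REJECT)"
}

# Verify a Router's filter table against its assigned environment.
# Usage: verify_router PROD|PILOT "$(iptables-save)"
verify_router() {
  env="$1"; dump="$2"
  case "$env" in
    PROD)  deny=$PILOT_PORT ;;
    PILOT) deny=$PROD_PORT ;;
    *) return 1 ;;
  esac
  if port_is_blocked "$deny" "$dump"; then
    echo "OK: $env router blocks port $deny"
  else
    echo "FAIL: $env router still accepts port $deny" >&2
    return 1
  fi
}

# Constructed sample: what iptables-save prints after 'router_rules PROD' ran.
SAMPLE_PROD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9002 -j DROP
COMMIT'

# Apply and verify on a real Router host (run as root): ./router_pin.sh apply PROD
if [ "${1:-}" = "apply" ]; then
  router_rules "${2:?environment required}" | sh
  verify_router "$2" "$(iptables-save)"
fi
```

Use `REJECT` as the second argument of `router_rules` if you want the client to get an immediate TCP reset rather than a timeout when it hits the wrong Router. Persist the rules with your distribution's iptables save mechanism, and keep the load balancer pools aligned with them (Router1 only in the api-prod.com pool, Router2 only in the api-pilot.com pool), otherwise the LB will keep sending health checks and traffic to a port the Router now refuses.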


Very clear, thank you!

Thanks for the suggestions @Dino, @Nicola, @ahaseen. I'm going to try the TCP port / iptables rules.