How to make a load balancer accessible only to the Apigee Edge proxy service in kubernetes?

I am using a load balancer to expose a service in kubernetes and Apigee Edge proxy service to create a proxy for the same.

I am aware of a few ways in which access to the proxy can be restricted. However, I am looking for a way to allow only the proxy server to connect to the load balancer and access the backend service, i.e. only requests that are coming through the proxy should be allowed to access the service.

IP whitelisting does not seem to be a good solution as the IP assigned to the Apigee Edge server can change (It is a rare case but it happens according to this Apigee community answer here).

So, how to restrict the service to be accessed only by the Apigee Edge server?

P.S. I do not wanna use Apigee Microgateway for this, is this achievable with Apigee Edge?

1 ACCEPTED SOLUTION

As suggested by @Dino-at-Google in this question, two-way TLS between Apigee and Backend server was the most secure method to achieve this. Refer this documentation on how to configure Two way SSL between backend and Apigee Proxy.
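As an added illustration of the accepted approach (not configuration from the thread or from Apigee's documentation), here is the Kubernetes side of two-way TLS: an Ingress that only admits clients presenting a certificate issued by the CA you trust for Apigee. It assumes the ingress-nginx controller; the namespace, secret names, host and service are placeholders.

```yaml
# Added example, not from the original thread. Assumes ingress-nginx.
apiVersion: v1
kind: Secret
metadata:
  name: apigee-client-ca          # holds the CA that signed Apigee's client cert
  namespace: backend
type: Opaque
data:
  ca.crt: <base64 PEM of the CA certificate>   # placeholder, fill in
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: backend-api
  namespace: backend
  annotations:
    # Require a client certificate and verify it against ca.crt in the secret above.
    # Requests without a certificate (or with one from another CA) are refused
    # at the TLS handshake, before they reach the Service.
    nginx.ingress.kubernetes.io/auth-tls-secret: "backend/apigee-client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Depth 1: the client cert must be signed directly by that CA.
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Optional: forward the verified cert so the backend can log or pin the subject.
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [api.backend.example.com]
      secretName: backend-server-tls   # kubernetes.io/tls secret with the server cert
  rules:
    - host: api.backend.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: backend-svc
                port:
                  number: 8080
```

On the Apigee side the TargetEndpoint's SSLInfo must have ClientAuthEnabled set to true and a KeyStore/KeyAlias holding the client certificate signed by that CA; with this in place, knowing the load balancer's address is not enough to reach the service, which is why it holds up where IP whitelisting and custom headers do not.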


4 REPLIES

sidd-harth
Participant V

You want to make some changes on Kubernetes so that only calls/requests from Apigee Proxy should be able to access Services. Correct me if I am wrong.

is this achievable with Apigee Edge?

I am confused with this question because whatever you do in Apigee you need to make changes in kubernetes. IMO this is related to Kubernetes and you should check in Kubernetes forums.

I don't have a definite answer wrt kubernetes, but it is easily achievable with Istio on Kubernetes.

With Istio installed and istio-enabled app deployed on Kubernetes, in your Apigee proxy send a custom header while calling Kubernetes.

In kubernetes define a couple of Istio rules which would only route the requests to the services if it finds the custom header in request.

If you are on GCP, try to use Cloud Armor on the External Load Balancer which is bound to your Kubernetes Ingress or, if you use it, the Istio Gateway. You can easily whitelist only the Apigee MP IPs. On top of it, try to use mTLS b/w Apigee and the external LB.

Simply having a custom header passed from apigee to your Kubernetes External LB is not secure as you are opening things up for potential intrusion.

Hi, is there any video on this topic that I can watch to understand how it can be achieved using Apigee X?