Check HealthMonitor request to server

I use a HealthMonitor in the LoadBalancer to check whether the server is up or down, but APIGEE cannot connect to the back-end server.

1. How can I check the health monitor request APIGEE sent to the back-end server?

2. Is there any way to check the cloud APIGEE log?

Thank you.


There is no direct way that I know of to check the health monitor request. Also, you do not have access to the system logs of the Apigee Edge cloud system that might show you what happened to individual Health Monitor events.

The best approach I can suggest is to simplify the situation. Break it down, and take things away until you can figure out how to get it working. Maybe you could use a different back-end that is exposed differently, just to sort out how to get the Health Monitor working.

For example you could use a local backend connected with ngrok.

I don't think ngrok is a magic solution; I suggest it only because it may allow you to monitor events and logs directly in your terminal session. Of course you can monitor logs for cloud-based hosted systems too, with heroku logs, if you use Heroku for a test backend, or with Google App Engine's console, if you were to choose App Engine for a "test" backend.

@Dino-at-Google Thanks, I think the problem might be HTTPS related. I can see APIGEE requests come to the Checkpoint log, but Checkpoint cannot pass the requests to nginx. Nginx may reject these requests. Not sure if there is a mismatch between the HealthMonitor and my nginx configurations.

- My nginx has TLS enabled but does not support HTTP.

- The APIGEE target server is configured as one-way TLS enabled but does not include a truststore, so APIGEE will not validate the backend server cert.

1. Is there a way to check the HealthMonitor client's compatible TLS version, as my service is using TLS 1.2?

2. In API doc (https://docs.apigee.com/api-platform/deploy/load-balancing-across-backend-servers#configuringatargetserverfortlsssl) it says:

"The HTTPMonitor supports backend services configured to use HTTP and one-way HTTPS protocols. However, it does not support two-way HTTPS, also called two-way TLS/SSL."

"HTTP and one-way HTTPS": does it mean my service has to support both HTTP and one-way HTTPS, or only one of them?

> APIGEE target server is configured as one-way TLS enabled but do not include truststore so APIGEE will not validate backend server cert.

I think your assumption here may be incorrect. If TLS is enabled, Apigee will attempt to verify the trust of the backend system. If you do not specify a Truststore, Apigee does not specify which truststore it will use, but it will try to verify trust. So... don't do that! Don't enable TLS and then fail to specify a truststore. It isn't rejected by Apigee, but it's a bad idea. Also don't rely on the idea that if there is no explicit Truststore, then Apigee won't verify trust. I don't think the behavior is documented to be that way, and I'm certain that the behavior is not that way in practice.

This could be your problem right here. If your backend is presenting an untrusted cert, and if you are using HTTPS with TLS enabled, Apigee will fail to connect to the healthcheck endpoint.

> does it mean my service has to support both HTTP and one-way HTTPS or only one of them ?

Your backend needs to support the protocol that you specify in the healthcheck endpoint - either HTTP or HTTPS. If you use HTTPS in the HealthMonitor, then the backend must support 1-way TLS.

Appreciate your time. The issue resides in my back-end server's TLS certificate: it lacks the intermediate cert, so we have to rebundle the cert so that APIGEE can handshake with the server.
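
The root cause reported above (a backend that serves its leaf certificate without the intermediate) can be checked offline with `openssl verify`. The following is an added example, not part of the original thread and not Apigee code. The function names `chain_ok` and `make_demo_pki` are hypothetical, and the root, intermediate and leaf certificates are constructed on the fly for the demonstration.

```shell
#!/bin/sh
# chain_ok TRUST_ANCHOR BUNDLE -> exit 0 if the first cert in BUNDLE (the leaf)
# chains to TRUST_ANCHOR using only the other certs in BUNDLE as intermediates.
# BUNDLE stands for what the backend sends in its TLS handshake.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: build a constructed root -> intermediate -> leaf hierarchy.
make_demo_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 1 -out root.pem 2>/dev/null || exit 1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 1 -out int.pem 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 1 -out leaf.pem 2>/dev/null || exit 1
    cp leaf.pem leaf-only.pem              # the broken deployment: leaf alone
    cat leaf.pem int.pem > fullchain.pem   # the rebundled cert: leaf + intermediate
)

# demo: print the verdict for each constructed bundle
demo() {
    d=$(mktemp -d) && make_demo_pki "$d" || return 1
    for b in leaf-only.pem fullchain.pem; do
        if chain_ok "$d/root.pem" "$d/$b"; then echo "$b: chain complete"
        else echo "$b: chain incomplete"; fi
    done
    rm -rf "$d"
}
demo
```

For a real backend, the bundle to test is the set of certificates the server actually sends, which `openssl s_client -connect host:port -showcerts` prints, and the trust anchor is the root CA the client is expected to trust.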