Apigee X trial: how to call hello-world proxy

guycrets · 02-07-2021 04:35 AM

With Apigee X becoming available, immediately took it for a spin. The Evaluation Setup is self-explanatory, well done!

But once things are nicely up-and-running, I'm puzzled how to invoke the sample /hello-world API proxy. Can find the internal IP.

$ curl -H "$AUTH" -X GET -H "Content-Type:application/json"  https://apigee.googleapis.com/v1/organizations/my-project/instances{ 
"instances": [  { 
"name": "eval-europe-west1-b", 
"location": "europe-west1-b", 
"host": "10.120.0.2", 
"port": "443", 
"state": "ACTIVE"  }  ]}

Had a quick try with below command, but of course not working.

curl https://my-project.apigee.net/hello-world
--resolve my-project-eval.apigee.net:443:10.120.0.2

The docs suggest to create a "new virtual machine inside your VPC network"... but unclear how.

Any suggestion to call proxies with the Apigee X Evaluation Setup?

ylesyuk

The documentation link you mentioned is for Paid Orgs installation process.

The correct evaluation link is: https://cloud.google.com/apigee/docs/api-platform/get-started/eval-orgs#access

The last paragraph of the page contains Accessing API proxies link. By following it you can find detailed instructions on how to set up an internal VM on your private network and invoke the proxy.

Beware, you still will not be able to call the proxy externally. For this you need to follow steps at the following link: https://cloud.google.com/apigee/docs/api-platform/get-started/install-cli#external.

It effectively tells you how to install an envoy proxy and create a global load balancer to expose your Trial instance to the Internet.

There is a shortcut for all this process, a simple bash wrapper script creates Envoy proxy and Load Balancers by following documentation steps.

https://github.com/apigee/devrel/tree/main/tools/apigee-x-trial-provision

WARNING: Even that Apigee X eval org is free, both ways (provisioning a VM or setting up Envoy and Load Balancers) cost money, therefore you better use GCP trial accounts with $300 credit.

guycrets

Getting close but not yet there. Had to make 1 change/correction: REGION

export APIGEE_ENDPOINT=$(curl --silent -H "Authorization: Bearer $(token)"  -X GET -H "Content-Type:application/json" https://apigee.googleapis.com/v1/organizations/$ORG/instances/eval-$REGION | jq .host --raw-output)

should rather be ZONE:

export APIGEE_ENDPOINT=$(curl --silent -H "Authorization: Bearer $(token)"  -X GET -H "Content-Type:application/json" https://apigee.googleapis.com/v1/organizations/$ORG/instances/eval-$ZONE   |jq .host --raw-output)

Keep getting "502 Server Error"... Also with curl -k --http1.1 https://my-project-eval.apigee.net/hello-world -v --resolve "my-project-test-eval.apigee.net:443:$RUNTIME_IP"

Will give it a 2nd try in the coming days...

ylesyuk

It IS pretty close.

Just to clarify.

1. To troubleshoot your request to Management API, do

echo $(curl --silent -H "Authorization: Bearer $(token)"  -X GET -H "Content-Type:application/json" https://apigee.googleapis.com/v1/organizations/$ORG/instances/eval-$ZONE   |jq .host --raw-output)

Make sure that Bearer $(token) resolved into a correct value. Based on the syntax you're using, you need to have a bash function defined in your session:

function token { echo -n "$(gcloud config config-helper --force-auth-refresh | grep access_token | grep -o -E '[^ ]+$')" ; }

So, execute this line to define token bash function, then a previous curl. Remove --silent to see what's generated. This function does auto-refresh of your token. If you use a static value $TOKEN, then after 60 minutes it will expire and your request would fail and you need to fetch a new token, then repeat it. With this function, token will be auto-refreshed.

2. Test request

If you're calling from a private network VM, then RUNTIME_IP was reported by your original post's curl request to Management API; as well as a hostname configured at Environment Group.

The doc says, you should see there: PROJECT_NAME-eval.apigee.net, ergo should be: my-project-eval.apigee.net

So you can open https://apigee.google.com, navigate to Admin/Environments then Groups and double-check the hostname you need to use. Therefore

RUNTIME_IP=10.120.0.2
RUNTIME_HOSTNAME=<value-from-env-group>

curl -k --http1.1 https://$RUNTIME_HOSTNAME/hello-world -v --resolve "$RUNTIME_HOSTNAME:443:$RUNTIME_IP"

Right now your hostname in URL and hostname in resolve do not match (my-project-eval.apigee.net and my-project-test-eval.apigee.net) . that is wrong to process correct TLS/SNI certificate match.

dchiesa1

Guy, I feel your pain. I'm sorry about the state of the docs that tell you "go create a new VM and invoke your proxy endpoint from there." We are working on fixing that! Please bear with us. Yuriy's guidance (his answer below) will set you straight!

guycrets

Learning point: easiest way to setup an apigee-x-trial that is reachable from outside, use the apigee-ngsaas-trial-install.sh script. And not the Apigee X Evaluation Setup.

One attention point when using the Cloud Shell terminal: the script takes a long time to execute, causing your shell to close. I solved this by restarting the script after the organization was provisioned. Then opening the console at https://apigee.google.com/edge.

@ylesyuk: thanks!

guycrets

BTW, a large number of GCP objects are created:

2 VM instance (apigee-envoy-xxxxx)
Instance group (apigee-envoy-europe-west1)
Instance template (apigee-envoy-europe-west1)
Forwarding rule (apigee-envoy-https-lb-rule)
Load balancer (apigee-envoy-proxy-map)
With backend (apigee-envoy-backend)
Target proxy (apigee-envoy-https-proxy)
SSL cert (apigee-ssl-cert)
Static IP address (lb-ipv4-vip-1)

Seems to cost €0.07/hour.

robert

Using the envoy proxy approach is good but seems a bit too much work for me for eval. I'm lazy. 🙂

Easiest way I've found is to use the bitnami nginx vm from the marketplace and configure it with an external IP. It's a micro instance and costs about $5 per month. Then, with one config file setting, I configure nginx as a reverse proxy straight to the instance IP. Total work is about 10 minutes and it's super easy to do.

if interested, here's the link to the image--> Bitnami Nginx

mxr576

If you are even lazier... 🙂 You can also use this or any other VM instances to directly call an API proxy with CURL like:

curl https://[APIGEE_PROJECT_NAME]-eval.apigee.net/[PROXY_PATH] --resolve "[APIGEE_PROJECT_NAME]-eval.apigee.net:[APIGEE_INSTANCE_IP]" -k --http1.1

Where both [APIGEE_HOST] and [APIGEE_IP] can be found https://console.cloud.google.com/apigee/instances/eval-instance/details

ylesyuk

@Robert Johnson

Happily upvoted your answer: a quick and pragmatic approach to be able to access your APIs externally.

The difference in those approaches would be in what you want to demonstrate and what you want to try.

The ingress control is a not-a-single-size-fits-all use cases as well as there-are-many-ways-to-skin-that-cat.

Even that Apigee X trial org won't allow to to scale throughput beyond certain limit, some still would want to see how scaling ingress works.

CloudArmour is another use case to bother with installation of GCLB, as it is automatically supported by

Those are some of the reasons why an official documentation follows GCLB/Envoy proxies solution.

Eventually, Apigee X private instances will support PSC that would eliminate need for envoy proxies.

Mutual TLS and multi-cloud are two other use cases that would require a specialised external load balancers treatment.