In this article I will go through the process of exposing Apigee Edge Private Cloud, also known as OPDK, to external clients on GCP.
I recently went through this exercise with one of my customers. There are additional deployment options, such as multi-region, that I won't cover here, but this should still give you an idea of the options available. In this case I assume that OPDK is deployed in a Compute Engine VM inside the customer's GCP environment.
HTTPS Load Balancer to expose Apigee to the public internet.
This has certain advantages: with a single click you get always-on DDoS protection thanks to Cloud Armor.
Client (TLS) -> L7 XLB (TLS) -> Apigee OPDK
Key points
Apigee OPDK with L4 XLB / Cloud Armor (northbound)
Client (mTLS) -> L4 XLB -> Apigee OPDK (TLS)
* If the Router requires the true client IP, enable proxy protocol on the external load balancer (ELB) so that it sends the original client IP in a PROXY protocol header at the start of each TCP connection. On the Router, you must also set listenOptions on the virtual host to proxy_protocol. For more detailed information, check out the docs page.
Key points
Client (mTLS) -> Third Party WAF (mTLS) -> Apigee OPDK (TLS)
Key points
Here are the setup steps:
This step is required if you use the TCP load balancer, because it uses the PROXY protocol.
As described in the docs, your virtual host configuration should look like this. Pay special attention to the listenOptions section:
curl -i -u yourusername@company.com http://{yourOpdkManagementServerIP}:8080/v1/organizations/myorg/environments/prod/virtualhosts/default
Enter host password for user 'yourusername@company.com':
HTTP/1.1 200 OK
Content-Type: application/json
X-Apigee.user: yourusername@company.com
X-Apigee.organization: myorg
X-Apigee.environment: prod
X-Apigee.backends: management-server
Date: Mon, 12 Sep 2022 16:47:55 GMT
Vary: Accept-Encoding, User-Agent
Content-Length: 222
{
  "hostAliases" : [ "opdk-prod.company.com" ],
  "interfaces" : [ ],
  "listenOptions" : [ "proxy_protocol" ],
  "name" : "default",
  "port" : "9001",
  "retryOptions" : [ ],
  "useBuiltInFreeTrialCert" : false
}
If you also use an HTTPS Load Balancer to expose Apigee, you will need a second virtual host listening on a different port, giving you a dual configuration: the HTTPS load balancer does not send a PROXY protocol header, so a virtual host with the proxy_protocol listen option cannot accept its connections. In most cases, you would choose to use only one virtual host configuration.
curl -i -u yourusername@company.com http://{yourOpdkManagementServerIP}:8080/v1/organizations/myorg/environments/prod/virtualhosts/https
Enter host password for user 'yourusername@company.com':
HTTP/1.1 200 OK
Content-Type: application/json
X-Apigee.user: yourusername@company.com
X-Apigee.organization: myorg
X-Apigee.environment: prod
X-Apigee.backends: management-server
Date: Mon, 12 Sep 2022 16:51:05 GMT
Vary: Accept-Encoding, User-Agent
Content-Length: 203
{
  "hostAliases" : [ "opdk-http.company.com" ],
  "interfaces" : [ ],
  "listenOptions" : [ ],
  "name" : "https",
  "port" : "9002",
  "retryOptions" : [ ],
  "useBuiltInFreeTrialCert" : false
}
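To make concrete what the proxy_protocol listen option expects, and why the HTTPS load balancer needs its own virtual host, here is an added example (not from the article or from Apigee) that parses the PROXY protocol v1 line a TCP load balancer prepends to each connection. The sample streams and addresses are constructed; a listener configured for proxy_protocol behaves like parse_proxy_header: it reads the client address from that line and rejects a stream that starts directly with TLS.

```python
import ipaddress
import re

# PROXY protocol v1 (HAProxy spec): one ASCII line ending in CRLF that the load
# balancer sends before any TLS bytes, e.g. b"PROXY TCP4 203.0.113.7 10.128.0.5 51234 9001\r\n".
# "PROXY UNKNOWN" carries no addresses (e.g. health checks). Max legal line: 107 bytes.
_MAX_V1_LINE = 107
_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n$")

class ProxyProtocolError(ValueError):
    """The stream does not start with a valid PROXY protocol v1 line."""

def parse_proxy_header(data: bytes):
    """Return (client_info, payload_after_header); client_info is None for UNKNOWN.
    A stream without the line is rejected, as a proxy_protocol listener rejects a bare TLS ClientHello."""
    end = data.find(b"\r\n", 0, _MAX_V1_LINE)
    if end == -1:
        raise ProxyProtocolError("stream does not begin with a PROXY line")
    line, rest = data[: end + 2], data[end + 2 :]
    if line.startswith(b"PROXY UNKNOWN"):
        return None, rest
    m = _V1_RE.match(line)
    if not m:
        raise ProxyProtocolError(f"malformed PROXY line: {line!r}")
    family, src, dst, sport, dport = m.groups()
    want = 4 if family == b"TCP4" else 6
    try:
        src_ip, dst_ip = (ipaddress.ip_address(a.decode("ascii")) for a in (src, dst))
    except ValueError as exc:
        raise ProxyProtocolError(f"bad address in PROXY line: {exc}") from exc
    src_port, dst_port = int(sport), int(dport)
    if {src_ip.version, dst_ip.version} != {want} or max(src_port, dst_port) > 65535:
        raise ProxyProtocolError("address family or port inconsistent with PROXY line")
    return {"src_ip": str(src_ip), "dst_ip": str(dst_ip),
            "src_port": src_port, "dst_port": dst_port}, rest

def connection_accepted(data: bytes) -> bool:
    """True if a proxy_protocol listener would accept the start of this stream."""
    try:
        parse_proxy_header(data)
        return True
    except ProxyProtocolError:
        return False

# Constructed sample streams (not captured traffic).
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"  # first bytes of a ClientHello
FROM_TCP_LB = b"PROXY TCP4 203.0.113.7 10.128.0.5 51234 9001\r\n" + TLS_HELLO
FROM_HTTPS_LB = TLS_HELLO  # L7 HTTPS LB: TLS starts immediately, no PROXY line
```

The rejected FROM_HTTPS_LB stream is the failure you would see if the HTTPS load balancer were pointed at the proxy_protocol virtual host on port 9001 instead of the plain one on port 9002.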