x-transitive-peering

Apigee X with Transitive Peering

Provisions a basic network appliance VM that allows accessing an Apigee X endpoint from a transitively peered VPC network.

Some background information and explanations can be found in this community article.

This sample contains:

• Apigee Basic Setup with internal Endpoint
• Internal HTTP Backend MIG with ILB
• Network Appliance MIG with custom routes for backend and the Apigee IP range.
• Firewalls

To validate or demo the setup:

1. In a browser open the Apigee UI
2. Ensure you are in the correct Apigee Organization
3. Create an passthrough API proxy with base path /internal and a hostname of http://BACKEND_ILB_IP
4. Create and ssh into a temporary bastion VM in the backend network or use one of the backend VMs directly.
5. Set the ENDPOINT_IP variable to your internal Apigee Endpoint and call the API proxy with: curl https://test.api.example.com/internal/get --resolve test.api.example.com:443:${ENDPOINT_IP} -kv

Setup Instructions

Please see the main README for detailed instructions.

Providers

Name	Version
google	n/a

Modules

Name	Source	Version
apigee-x-core	../../modules/apigee-x-core	n/a
backend-example	../../modules/development-backend	n/a
backend-vpc	github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-vpc	v16.0.0
peering-apigee-backend	github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-vpc-peering	v16.0.0
project	github.com/terraform-google-modules/cloud-foundation-fabric//modules/project	v16.0.0
routing-appliance	../../modules/routing-appliance	n/a
vpc	github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-vpc	v16.0.0

Resources

Name	Type
google_compute_firewall.allow-appliance-ingress	resource
google_compute_firewall.allow-backend-ingress	resource

Inputs

Name	Description	Type	Default	Required
apigee_envgroups	Apigee Environment Groups.	map(object({ hostnames = list(string) }))	null	no
apigee_environments	Apigee Environments.	map(object({ display_name = optional(string) description = optional(string) node_config = optional(object({ min_node_count = optional(number) max_node_count = optional(number) })) iam = optional(map(list(string))) envgroups = list(string) }))	null	no
apigee_instances	Apigee Instances (only one instance for EVAL orgs).	map(object({ region = string ip_range = string environments = list(string) }))	null	no
apigee_network	Apigee VPC name.	string	n/a	yes
appliance_forwarded_ranges	CDIR ranges that should route via the network appliance	map(object({ range = string priority = number }))	{}	no
appliance_name	Name for the routing appliance	string	"routing-appliance"	no
appliance_region	GCP Region for Routing Appliance (ensure this matches appliance_subnet.region).	string	n/a	yes
appliance_subnet	Subnet to host the routing appliance	object({ name = string ip_cidr_range = string region = string secondary_ip_range = map(string) })	n/a	yes
ax_region	GCP region for storing Apigee analytics data (see https://cloud.google.com/apigee/docs/api-platform/get-started/install-cli).	string	n/a	yes
backend_name	Name for the Demo Backend	string	"demo-backend"	no
backend_network	Peered Backend VPC name.	string	n/a	yes
backend_region	GCP Region Backend (ensure this matches backend_subnet.region).	string	n/a	yes
backend_subnet	Subnet to host the backend service	object({ name = string ip_cidr_range = string region = string secondary_ip_range = map(string) })	n/a	yes
billing_account	Billing account id.	string	null	no
peering_range	Peering CIDR range	string	n/a	yes
project_create	Create project. When set to false, uses a data source to reference existing project.	bool	false	no
project_id	Project id (also used for the Apigee Organization).	string	n/a	yes
project_parent	Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format.	string	null	no
support_range	Support CIDR range of length /28 (required by Apigee for troubleshooting purposes).	string	n/a	yes

Outputs

No outputs.