x-controlled-internet-egress

Apigee X with Internet Traffic routed to a firewall appliance

In this example we are routing internet traffic to a mocked firewall appliance (a VM with NATing via iptables) to illustrate how all internet egress traffic can be centrally inspected before leaving the VPC.

To turn off direct internet egress traffic for the Apigee service network (by forcing all egress traffic to go through the firewall appliance of this sample) run the following command after you provisioned this sample:

gcloud services vpc-peerings enable-vpc-service-controls \
  --network=NETWORK --project=PROJECT_ID

Setup Instructions

Set the project ID where you want your Apigee Organization to be deployed to:

PROJECT_ID=my-project-id

cd samples/... # Sample from above
cp ./x-demo.tfvars ./my-config.tfvars

Decide on a backend and create the necessary config. To use a backend on Google Cloud Storage (GCS) use:

gsutil mb "gs://$PROJECT_ID-tf"

cat <<EOF >terraform.tf
terraform {
  backend "gcs" {
    bucket  = "$PROJECT_ID-tf"
    prefix  = "terraform/state"
  }
}
EOF

Validate your config:

terraform init
terraform plan --var-file=./my-config.tfvars -var "project_id=$PROJECT_ID"

and provision everything (takes roughly 25min):

terraform apply --var-file=./my-config.tfvars -var "project_id=$PROJECT_ID"

Providers

Name	Version
google	n/a

Modules

Name	Source	Version
apigee-x-core	../../modules/apigee-x-core	n/a
mock-firewall	github.com/terraform-google-modules/cloud-foundation-fabric//modules/compute-vm	v28.0.0
nat	github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-cloudnat	v28.0.0
project	github.com/terraform-google-modules/cloud-foundation-fabric//modules/project	v28.0.0
vpc	github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-vpc	v28.0.0

Resources

Name	Type
google_compute_firewall.allow_glb_to_mig_bridge	resource
google_compute_route.egress_via_firewall	resource
google_compute_route.firewall_to_internet	resource

Inputs

Name	Description	Type	Default	Required
apigee_envgroups	Apigee Environment Groups.	map(object({ hostnames = list(string) }))	null	no
apigee_environments	Apigee Environments.	map(object({ display_name = optional(string) description = optional(string) node_config = optional(object({ min_node_count = optional(number) max_node_count = optional(number) })) iam = optional(map(list(string))) envgroups = list(string) type = optional(string) }))	null	no
apigee_instances	Apigee Instances (only one instance for EVAL orgs).	map(object({ region = string ip_range = string environments = list(string) }))	null	no
ax_region	GCP region for storing Apigee analytics data (see https://cloud.google.com/apigee/docs/api-platform/get-started/install-cli).	string	n/a	yes
billing_account	Billing account id.	string	null	no
firewall_appliance_subnet	Subnet for the mocked egress firewall appliance.	object({ name = string ip_cidr_range = string region = string secondary_ip_range = map(string) })	n/a	yes
firewall_appliance_tags	Network Tags for the mocked egress firewall appliance.	list(string)	[ "egress-fw" ]	no
firewall_appliance_zone	GCP Compute Zone for the mocked egress firewall appliance.	string	n/a	yes
network	Name of the VPC network to peer with the Apigee tennant project.	string	n/a	yes
peering_range	Service Peering CIDR range.	string	n/a	yes
project_create	Create project. When set to false, uses a data source to reference existing project.	bool	false	no
project_id	Project id (also used for the Apigee Organization).	string	n/a	yes
project_parent	Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format.	string	null	no
support_range	Support CIDR range of length /28 (required by Apigee for troubleshooting purposes).	string	n/a	yes

Outputs

No outputs.