GKE as Backend? Is possible now?

Alberto Valencia Carrasco

Sep 22, 2020, 3:27:25 AM
to api-gateway-users
Hi all.

On the principal product page, it talks about the backend in GKE and Compute Engine.

"Fully managed gateway

Take advantage of all the operational benefits of serverless technology, such as flexible deployment and scalability. API Gateway manages APIs for Cloud Functions, Cloud Run, App Engine, Compute Engine, and GKE."

In the documentation there are only examples with Cloud Functions, App Engine and Cloud Run.

Can I now use API Gateway with GKE?

Thanks in advance.

Josh Einhorn

Sep 22, 2020, 7:11:17 PM
to Alberto Valencia Carrasco, api-gateway-users
Hi Alberto,

Thanks for the question and great observation on the product page! The answer is actually a bit complicated:

Short-term recommendation:
Use Cloud Endpoints for GKE. API Gateway will later provide a seamless migration path for all uses of ESPv2 on GKE/GCE (and most uses of ESP), but in the short term, Endpoints is a better architectural option than API Gateway for GKE.

If you have API backends on GAE, Cloud Run, or GCF in addition to GKE:
If you desire a single API surface composing together these backends, you can use API Gateway, but it will require a non-trivial and error-prone workaround. API Gateway cannot yet route requests to RFC 1918 IP addresses, so the only way to configure GKE (or GCE) as a backend is to expose a public IP address with a DNS hostname. This can be done by:

1. Following GKE's documentation on exposing a public IP ingress, noting that if you do not secure your new public endpoint with encryption (i.e. TLS), all requests sent to this GKE cluster through this address will be in plain text (not encrypted). 
2. Setting up TLS can be achieved using Google Cloud Load Balancer's SSL policies.
3. You will also need a DNS hostname for your public IP address to use with the TLS configuration. Google does offer a DNS provider, but you're free to use any of your choice.
4. Since API Gateway sends requests over the public internet, requests are only secured using OIDC tokens signed by the Service Account the Gateway runs as. As such, it is expected your backend enforces the requirement that incoming requests have an appropriate token. This can be easily achieved using IAP; configuring API Gateway for this is nearly identical to the App Engine tutorial.

Endpoints will be merged with API Gateway such that existing Endpoints customers will have a seamless migration path to using API Gateway as the proxy. I cannot share the specifics here, but as mentioned above, though it is feasible to use API Gateway for GKE, we recommend using Cloud Endpoints for GKE/GCE based workloads. We will clarify our product page on this matter.



Josh Einhorn | Software Engineer | joshe...@google.com | 1-215-837-1102
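
The API Gateway side of step 4 in the reply above, as an added example that is not part of the original thread or of Google's documentation: an OpenAPI 2.0 API config whose backend is the public, TLS-serving hostname of the GKE ingress, with the token audience set for IAP. The hostname `gke-api.example.com`, the `/orders` path and the `IAP_CLIENT_ID` placeholder are assumptions.

```yaml
# Added example: API Gateway API config (OpenAPI 2.0) for a GKE backend
# reached over the public internet. Hostname, path and IAP_CLIENT_ID are
# placeholders, not values from the thread.
swagger: "2.0"
info:
  title: gke-backend-example
  version: "1.0.0"
schemes:
  - https
produces:
  - application/json
# Top-level x-google-backend applies to every operation below.
x-google-backend:
  # Public DNS hostname of the GKE ingress, served over TLS (steps 1-3).
  # The gateway cannot route to RFC 1918 addresses, so an internal
  # cluster or service IP will not work here.
  address: https://gke-api.example.com
  # Value of the "aud" claim in the OIDC token the gateway attaches to
  # each backend request. When omitted it defaults to the address above;
  # an IAP-protected backend expects the IAP OAuth client ID instead.
  jwt_audience: IAP_CLIENT_ID
  # Forward the request path unchanged to the backend.
  path_translation: APPEND_PATH_TO_ADDRESS
paths:
  /orders:
    get:
      summary: List orders (served by the GKE workload)
      operationId: listOrders
      responses:
        "200":
          description: OK
          schema:
            type: string
```
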

Alberto Valencia Carrasco

Sep 23, 2020, 6:12:31 AM
to api-gateway-users
Hi Josh. Thanks for your response!!!

Thanks!!!

Denis Loginov

Mar 6, 2021, 1:41:32 AM
to api-gateway-users
Any updates on this atm?