Thanks for the question and great observation on the product page! The answer is actually a bit complicated:
Use Cloud Endpoints for GKE
. API Gateway will later provide a seamless migration path for all uses of ESPv2 on GKE/GCE (and most uses of ESP), but in the short term, Endpoints is a better architectural option than API Gateway for GKE.
If you have API backends on GAE, Cloud Run, or GCF in addition to GKE:
If you desire a single API surface composing together these backends, you can
use API Gateway, but it will require a non-trivial and error-prone workaround. API Gateway cannot yet
route requests to RFC 1918 IP addresses
, so the only way to configure GKE (or GCE) as a backend is to expose a public IP address with a DNS hostname. This can be done by:
1. Following GKE's documentation on exposing a public IP ingress, noting that if you do not secure your new public endpoint with encryption (i.e. TLS), all requests sent to this GKE cluster through this address will be in plain text (not encrypted).
3. You will also need a DNS hostname for your public IP address to use with the TLS configuration. Google does offer a DNS provider
, but you're free to use any of your choice.
4. Since API Gateway sends requests over the public internet, requests are only secured using OIDC tokens signed by the Service Account the Gateway runs as
. As such, it is expected your backend enforces the requirement that incoming requests have an appropriate token. This can be easily achieved using IAP
; configuring API Gateway for this is nearly identical to the App Engine tutorial
Endpoints will be merged with API Gateway such that existing Endpoints customers will have a seamless migration path to using API Gateway as the proxy. I cannot share the specifics here, but as mentioned above, though it is feasible to use API Gateway for GKE, we recommend using Cloud Endpoints for GKE/GCE based workloads. We will clarify our product page on this matter.