API Gateway and Backend Kubernetes


bill sayegh

Mar 19, 2021, 12:06:56 AM
to api-gateway-users
Hi 

Is it possible to set up the API Gateway to a Kubernetes microservice container?

I cannot find any documentation reference where you can point the API to the backend pods.

Any help would be appreciated.

Thanks
Bill

Marian Diaconu

Mar 30, 2021, 10:05:20 AM
to api-gateway-users
I'd need to do the same as well.

Based on this Stack Overflow post we cannot set a Kubernetes service IP as x-google-backend.address when creating an API config for a gateway.

Is there any workaround for this? Does Google generate any FQDN for kubernetes services?

Is it possible to do this at all?

If not, then why does the API Gateway home page say:
"Take advantage of all the operational benefits of serverless technology, such as flexible deployment and scalability. API Gateway manages APIs for Cloud Functions, Cloud Run, App Engine, Compute Engine, and GKE."

Thanks!

Marian Diaconu

Mar 30, 2021, 10:32:22 AM
to api-gateway-users

OK, never mind, this has already been answered here: https://groups.google.com/g/api-gateway-users/c/ZuYQvm2xaY8
Sorry

Josh Einhorn

Mar 30, 2021, 10:47:17 AM
to Marian Diaconu, api-gateway-users
Hi Bill and Marian,

Your observations are accurate... API Gateway can currently only route requests to public addresses, which effectively disqualifies GKE, so Cloud Endpoints is the currently recommended solution for GKE workloads. Sorry for the inconvenience; as stated in that other thread you linked, we're keenly aware of this limitation and are still evaluating options and priorities.

-Josh


Rania Mohamed

Mar 30, 2021, 12:05:10 PM
to Josh Einhorn, Marian Diaconu, api-gateway-users
Hi Bill,
API Gateway, the serverless option which is based on Envoy, does not support any non-serverless services for now, but besides Cloud Endpoints I would also consider IAP and GKE Ingress + NEG. Both can offer the proxy option like API Gateway, while Cloud Endpoints I would choose more if we are building API specs and not just a proxy gateway as we do today in API Gateway.


So if it is more about building an API spec, Swagger-like and complying with OpenAPI specs, I would suggest using Cloud Endpoints, but if it is more of a proxy like API Gateway then please check the GKE Ingress + NEG option. It is very clean and standard and follows the same design pattern as API Gateway.

Please let me know in case you have any questions or concerns, I would always be glad to help out with anything :).

thanks,
-rania


Marian Diaconu

Mar 30, 2021, 2:25:49 PM
to api-gateway-users
Wow guys, many thanks for your prompt answers.

My use case is that we want to put authorization through Auth0 on the API Gateway. Therefore we want to simplify our APIs by putting that process on a different component (the gateway).

Rania, do you think it is possible to do that with the setup you're mentioning?

Rania Mohamed

Mar 31, 2021, 3:53:08 PM
to Marian Diaconu, api-gateway-users
Hi Billy,

Yes, you can do the auth through IAP, I did it with customers already, and for NEG and Ingress I did test with ASM and it is working perfectly :). CE I also tested and it supports authentication and authorization :). I think for simplicity ASM + Ingress Controller + NEG is the simplest and cleanest one, and expandable and flexible :).
Please forgive me for the late response, I have just seen the message :). Please let me know in case you have any questions or concerns, always happy to help out with anything at all :).

thanks,
-rania

bill sayegh

Mar 31, 2021, 4:51:01 PM
to api-gateway-users
Hi Rania

Appreciate your reply.

Our basic requirement is to point our domain name to the API gateway and then use the API gateway to do all the routing to the backend Kube services, much like we currently do with the Ingress service, and remove the Ingress configuration.

I am envisaging the API gateway will become a security layer later with threat intelligence, whitelisting, business analytics reporting, etc.

We don't want to have to expose the Ingress if we route via the API gateway. From my research it is not currently supported.

If this feature is not currently available and is on the development road map, it's OK, we can wait till Google has something that is easy to use and administer.

For now we are happy to stay on the Ingress, and our backend will do all the API authentication.

Just to double check, is it possible to use the API gateway to authenticate and route URLs to the backend services and turn off the Ingress?

Thanks
Bill

Rania Mohamed

Apr 1, 2021, 5:08:56 AM
to bill sayegh, api-gateway-users
Hi Bill,

Today API Gateway doesn't support routing except to serverless services or public URLs, so we cannot do the routing in API Gateway to GKE services without either exposing the service or an associated Ingress and/or NEG.

My understanding is that we want to remove the routing rules in the Ingress and place them in a load balancer or API Gateway, which is tied to a domain, and then the forwarding rules take care of routing to the proper backend service.

If so, I don't think that API Gateway or Cloud Endpoints are possible solutions, as again to my understanding we want to secure the services/workloads running in GKE by keeping them private. In such a case I would recommend a very silly suggestion :):

  • If you are okay with enabling VPC-native for your cluster, then use a NEG and expose the service using the NEG, which is secured and controlled by the GKE control plane, then link it to the GLB and do the routing to the NEG using the routing rules in the GLB.
  • If you are not okay with the VPC-native option, then place your cluster behind a network and do the routing through the GLB and the network policy.
Frankly I think that a standalone NEG is the better option, and the authentication and authorization can still happen using the service mesh, enabling mTLS and observability.
Please let me know in case you have any questions or concerns, always happy to help out with anything at all :).

thanks,
-rania
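The standalone-NEG option from the reply above, shown as an added example (not from the thread or from Google's docs): a VPC-native GKE Service annotated so GKE creates and syncs a NEG for it, plus a NetworkPolicy so the pods only accept connections arriving from Google's load-balancer proxy and health-check source ranges. The service name, label, port and NEG name are assumptions.

```yaml
# Added example, not part of the thread. Assumes a VPC-native cluster with
# network policy enforcement enabled; names and port are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: orders-api
  annotations:
    # Standalone NEG: GKE creates a zonal NEG per zone for port 8080 and keeps
    # its endpoints (pod IP:port) in sync. The NEG is then attached as a backend
    # of a global backend service and selected by the HTTPS load balancer's URL map.
    cloud.google.com/neg: '{"exposed_ports": {"8080": {"name": "orders-api-neg"}}}'
spec:
  type: ClusterIP            # no NodePort or Service of type LoadBalancer needed
  selector:
    app: orders-api
  ports:
  - name: http
    port: 8080
    targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-api-only-from-glb
spec:
  podSelector:
    matchLabels:
      app: orders-api
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Google Cloud proxy-based load balancer and health-check source ranges;
    # anything else inside the VPC is denied by this policy.
    - ipBlock:
        cidr: 130.211.0.0/22
    - ipBlock:
        cidr: 35.191.0.0/16
    ports:
    - protocol: TCP
      port: 8080
```

With the NEG in place, authentication at the edge is done by the load balancer (for example IAP, as the reply suggests) or by the mesh sidecars with mTLS, rather than by each service; the pods never receive a public address.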
