Endpoints API target to INTERNAL IP of VM Instance


dbdbdb

Sep 21, 2017, 4:05:29 AM
to Google Cloud Endpoints
Is it possible to configure Endpoints to target a Compute Engine instance with an INTERNAL IP?

I followed the Echo API Java example and exposed it with Endpoints; everything works great. I can successfully send a request to the FQDN (echo-api.endpoints.[PROJECT_ID].cloud.goog).
But I don't want to leave an External IP on this VM instance, because I can still send a request directly to the External IP, bypassing Endpoints.

When I try to set the External IP to None on this VM instance and set the target value to the Internal IP in openapi.yaml, my Echo service is no longer accessible via the Endpoints DNS.

So, is it possible to target an Endpoints API at the Internal IP of a Compute Engine VM instance?

thanks!

John Daughtry

Sep 21, 2017, 5:06:11 AM
to dbdbdb, Google Cloud Endpoints
That's a great question.

We do not support using Endpoints DNS with an Internal IP. However, sending requests directly to the External IP shouldn't bypass Endpoints at all. When requests arrive on the VM, the request should be processed by ESP before being passed along to your backend. Here is a link to an explanation of how ESP processes the request once received.

Cheers,

John



--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/ed71fc9e-e4b6-495f-9d4e-fe0405ccb775%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

daniel...@gmail.com

Sep 21, 2017, 3:05:40 PM
to Google Cloud Endpoints
Hello John,

Thanks for your response.
But isn't it a security issue for my API backend to be facing the internet?

Thanks!

Wesley Wong

Sep 21, 2017, 4:10:00 PM
to daniel...@gmail.com, Google Cloud Endpoints
If you were following the echo example, there are a few things to note:
- The backend starts up listening on port 8081
- ESP is started up listening on port 80 and forwards requests from 80 to 8081
- There was a firewall rule to allow http/https traffic (port 80/443)
- An external IP was given

Given these, when an external client calls the external IP on port 80/443, it will hit ESP first. Because of the firewall, no one externally should be able to hit port 8081 directly (the backend) on the external IP.

The DNS portion simply sets up DNS records so that your cloud.goog domain is directed to the external IP, which will then be serviced by ESP first.

Does that make sense?

Thanks,
Wesley


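The security property Wesley describes is that only the ESP ports (80/443) are reachable from the internet while the backend port 8081 is not. The following audit is an added example, not code from the thread or from Google; it checks a set of VPC firewall rules for exactly that layout. The rules are constructed sample data in the shape that `gcloud compute firewall-rules list --format=json` returns (only the fields the audit reads are assumed: name, direction, sourceRanges, allowed, targetTags).

```python
"""Audit VPC firewall rules for the Echo-example layout: ESP on 80/443 must be
reachable from the internet, the backend on 8081 must not be.

Added example for this thread; the rule dictionaries below are constructed,
not real project data."""

import ipaddress

# Constructed sample rules (assumed shape of `gcloud compute firewall-rules
# list --format=json` output). The third rule is the kind of mistake that
# would expose the backend directly and let a client bypass ESP.
SAMPLE_RULES = [
    {"name": "allow-http-https", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}],
     "targetTags": ["http-server"]},
    {"name": "allow-backend-internal", "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8081"]}],
     "targetTags": ["http-server"]},
    {"name": "oops-backend-public", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8000-9000"]}],
     "targetTags": ["http-server"]},
]


def _port_in_spec(port, spec):
    """True if `port` falls inside a GCP port spec such as "8081" or "8000-9000"."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return lo <= port <= hi


def rule_opens_port_publicly(rule, port):
    """True if an INGRESS rule allows TCP `port` from a 0.0.0.0/0-style source range."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    # A prefix length of 0 means "everyone" (0.0.0.0/0 or ::/0).
    public = any(ipaddress.ip_network(r).prefixlen == 0
                 for r in rule.get("sourceRanges", []))
    if not public:
        return False
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:          # no port list means every port of that protocol
            return True
        if any(_port_in_spec(port, p) for p in ports):
            return True
    return False


def publicly_exposed_rules(rules, port):
    """Names of the rules that expose `port` to the internet, sorted for stable output."""
    return sorted(r["name"] for r in rules if rule_opens_port_publicly(r, port))


def audit_echo_layout(rules, esp_ports=(80, 443), backend_port=8081):
    """Report whether ESP is reachable and whether anything exposes the backend port."""
    return {
        "esp_reachable": all(publicly_exposed_rules(rules, p) for p in esp_ports),
        "backend_exposed_by": publicly_exposed_rules(rules, backend_port),
    }


if __name__ == "__main__":
    report = audit_echo_layout(SAMPLE_RULES)
    print("ESP reachable on 80/443:", report["esp_reachable"])
    if report["backend_exposed_by"]:
        print("Backend port 8081 exposed by:", ", ".join(report["backend_exposed_by"]))
    else:
        print("Backend port 8081 is not publicly reachable")
```

Against the sample data the audit flags `oops-backend-public`, because its 8000-9000 range covers 8081 from 0.0.0.0/0; the internal-only rule for 8081 is correctly left alone. Feeding it real `gcloud` JSON output is a quick way to confirm the "firewall keeps 8081 private" assumption Wesley relies on.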

daniel...@gmail.com

Sep 21, 2017, 6:28:14 PM
to Google Cloud Endpoints
Hello Wesley,

Yes, it makes sense now.
But I tried to configure the Endpoints target to a Load Balancer. This load balancer points to an Instance Group which has two API servers.
Even so, do I need the External IP of the VM instance?

Architecture:
Endpoints -> Load Balancer -> VM Instance

thanks!


Wesley Wong

Sep 21, 2017, 6:50:28 PM
to daniel...@gmail.com, Google Cloud Endpoints
When you say "configure the Endpoints target to a Load Balance", how did you do that?

In terms of the architecture, you will want this instead:
Load Balancer -> VM Instance (inside the VM is Endpoints -> backend)

Note that the Echo example starts both Endpoints and the backend on the same VM instance.

Thanks,
Wesley


daniel...@gmail.com

Sep 21, 2017, 7:51:19 PM
to Google Cloud Endpoints
I configured openapi.yaml to point the target at the LB frontend public IP.
But this made the request loop: LB -> (some VM instance in the group) -> ESP (port 80 of the VM) -> LB again (because of the target in openapi.yaml) -> ESP -> LB...

Is this the best practice for a set of APIs in production (with Compute Engine): LB -> (one of various VMs in the group, each with an external IP) -> Endpoints (ESP on port 80) -> API code (port 8080)?

Since ESP is Nginx, are features like gzip, cache, etc. configured in it?

Thanks for the patience :)

Lizan Zhou

Sep 21, 2017, 7:58:30 PM
to daniel...@gmail.com, Google Cloud Endpoints
On Thu, Sep 21, 2017 at 4:51 PM, <daniel...@gmail.com> wrote:
Since ESP is Nginx, are features like gzip, cache, etc. configured in it?
You can configure these features in your customized nginx.conf.


Wesley Wong

Sep 21, 2017, 8:04:11 PM
to daniel...@gmail.com, Google Cloud Endpoints
Just to be clear, you're talking about this target?

    host: "echo-api.endpoints.[PROJECT_ID].cloud.goog"
    x-google-endpoints:
      - name: "echo-api.endpoints.[PROJECT_ID].cloud.goog"
        target: "[IP_ADDRESS]"
If so, this is telling the DNS to point the echo-api.endpoints.[PROJECT_ID].cloud.goog domain to the IP_ADDRESS. It is not telling Endpoints to direct incoming traffic to the IP_ADDRESS.

The Endpoints running on your VM instance will forward traffic locally to port 8081.

The picture would be:
echo-api.endpoints.[PROJECT_ID].cloud.goog -> LB (because of the target IP_ADDRESS) -> VM instance -> Endpoints on port 80 -> backend on port 8081

There should be no loops. Can you please verify the above is what you are doing?

Lizan answered your other questions.

Thanks,
Wesley


daniel...@gmail.com

Sep 21, 2017, 8:25:57 PM
to Google Cloud Endpoints
Hi Wesley,
Yes, this target.
Maybe there is no loop. I tried to disable the VM External IP because the VM is behind the LB, and the request did not reach the backend.

Thanks,