
I found the following snippet on the API Gateway marketing page.

So I was setting up API Gateway for my app running on Compute Engine. As I couldn't find any documentation on how to configure Compute Engine on API Gateway, I created the following configuration with the internal DNS.

swagger: "2.0"
info:
  title: API Endpoints
  description: API Endpoints
  version: 1.0.1
schemes:
  - https
produces:
  - application/json
paths:
  /indexes:
    get:
      summary: Return Search Indexes
      operationId: searchIndexes
      x-google-backend:
        address: http://my_internal_dns_for_compute_engine.c.myproject.internal/indexes
        path_translation: APPEND_PATH_TO_ADDRESS
      responses:
        "200":
          description: A successful response
          schema:
            type: string
        "403":
          description: Failed to authenticate

When I deployed the config using gcloud, I got the following error:

Waiting for API Config [my-api-config-v6] to be created for API [my-api]...failed.
ERROR: (gcloud.beta.api-gateway.api-configs.create) Wait for Service Config creation: Backend URL "http://my_internal_dns_for_compute_engine.c.myproject.internal/indexes" is forbidden: cannot route requests to an internal address.

So it looks like internal DNS is not supported (obviously).

My Compute Engine instance can only be accessed through a VPC network. How do I connect my API Gateway with the VPC network, and how do I access my Compute Engine instance through it?

vzurd

1 Answer


Today, you can't achieve this. Your API gateway is a serverless service and you can't plug a serverless VPC connector on it. I already discussed this with Google (because it's the same problem with Cloud Scheduler, Cloud Task and PubSub push subscription for example) and something should happen soon. Stay tuned!!

Anyway, to solve your issue now, you have 2 solutions (at least, one sure and one to test):

  • The first (sure) solution is to have a "proxy". Another compute engine with public access, or a Cloud Function/Cloud Run/App Engine service with a serverless VPC connector. The Cloud Function/Cloud Run/App Engine is better because you can secure the access with IAM (no public access)
  • The second (to test) solution is to deploy Cloud Endpoints, I mean ESPv2 on Cloud Run, instead of using API Gateway. In fact, API Gateway is, for now, a managed solution of ESPv2 on Cloud Run. And if you plug a serverless VPC connector on Cloud Run, it should work. I wrote an article on the ESPv2 & Cloud Run usage. If I have time, I will test it with the serverless VPC connector and let you know. Else, have a try on your side.

EDIT 1

I have tested the second solution and it works with the internal IP (and with a serverless VPC connector on the Cloud Run Endpoint service with ESPv2 deployed), not with the internal DNS name.

guillaume blaquiere
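As an added example (not code from the question or the answer), a pre-deploy check in Python for the rejection shown in the error above: it walks the x-google-backend addresses of a spec (constructed here from the question's /indexes operation plus two hypothetical operations, /health and /public) and flags internal DNS names and private IPs, distinguishing the two cases as the answer's EDIT 1 describes.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed spec: the question's /indexes backend (hostname as in the post),
# plus two hypothetical operations: one with a private IP, one with a public host.
SPEC = {
    "paths": {
        "/indexes": {"get": {"operationId": "searchIndexes", "x-google-backend": {
            "address": "http://my_internal_dns_for_compute_engine.c.myproject.internal/indexes",
            "path_translation": "APPEND_PATH_TO_ADDRESS"}}},
        "/health": {"get": {"operationId": "health", "x-google-backend": {
            "address": "http://10.128.0.5:8080/health"}}},
        "/public": {"get": {"operationId": "public", "x-google-backend": {
            "address": "https://api.example.com/public"}}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def classify_address(address):
    """Return None if routable from API Gateway, else the reason it is refused."""
    host = urlsplit(address).hostname or ""
    if host.endswith(".internal") or host == "localhost":
        # Rejected by API Gateway; per the answer's EDIT 1, ESPv2 on Cloud Run
        # behind a VPC connector does not resolve internal DNS names either.
        return "internal DNS name: not routable from API Gateway or ESPv2"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # public hostname
    if ip.is_private or ip.is_loopback:
        # Only reachable from ESPv2 on Cloud Run with a serverless VPC connector.
        return "private IP: needs ESPv2 on Cloud Run with a serverless VPC connector"
    return None

def find_unroutable_backends(spec):
    """Return (operation, address, reason) for every backend API Gateway will refuse."""
    # A top-level x-google-backend is the default for operations without their own.
    default = spec.get("x-google-backend", {}).get("address")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            address = op.get("x-google-backend", {}).get("address", default)
            reason = classify_address(address) if address else None
            if reason:
                findings.append((f"{method.upper()} {path}", address, reason))
    return findings
```

Run it against a spec before `gcloud api-gateway api-configs create`; any finding means the create step will fail the way the question shows.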