apigee/ERR/2023_005
Product: Apigee API Management
Rule class: ERR - Something that is very likely to be wrong
Description
In order for the Apigee Managed Instance Group (MIG) to work correctly, the project's firewall rules must allow network connections from the External Load Balancer (XLB) to the MIG.
Remediation
Ensure that the following firewall rules are present on the project:
- By default, during the installation of Apigee X a firewall rule is created with the name: k8s-allow-lb-to-apigee-proxy
- The IP address ranges 130.211.0.0/22 and 35.191.0.0/16 are the source IP address ranges for Google Load Balancing.
- The target parameters need to have the target-tags of the MIG, which can be identified from the MIG instance template.
- By default, gke-apigee-proxy is the tag used by the MIG instance template.
Recreation Steps:
- Identify the Managed Instance Group name and list out the configuration of its instance template:
  gcloud compute instance-templates describe {INSTANCE_NAME}
- Identify the tags used for the instance template from the above configuration.
- Create the firewall rule with the target tag identified from the instance template:
  gcloud compute firewall-rules create FIREWALL_RULE_NAME \
    --description "Allow incoming from GLB on TCP port 443 to Apigee Proxy" \
    --project {PROJECT_ID} --network {VPC_NAME} --allow=tcp:443 \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 --target-tags={MIG_INSTANCE_TAGS}
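The check this rule performs can be reproduced offline against the JSON that `gcloud compute firewall-rules list --format=json` returns. The following is an added example written for this page, not gcpdiag's own implementation; the field names (`sourceRanges`, `targetTags`, `allowed`, `direction`, `disabled`, `network`) follow the Compute Engine firewall resource, and the sample rules, project and VPC names are constructed.

```python
import ipaddress

# Source ranges used by Google Load Balancing (from the rule text above)
GLB_SOURCE_RANGES = ("130.211.0.0/22", "35.191.0.0/16")

def _covers_all(rule_ranges, needed=GLB_SOURCE_RANGES):
    """True if every needed CIDR lies inside some CIDR of the rule's sourceRanges."""
    nets = [ipaddress.ip_network(r) for r in rule_ranges]
    return all(any(n.version == m.version and n.subnet_of(m) for m in nets)
               for n in map(ipaddress.ip_network, needed))

def _allows_tcp(allowed, port=443):
    """True if an 'allowed' entry permits TCP on `port` (port specs may be '443' or '80-443')."""
    for entry in allowed:
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no 'ports' key means every port of that protocol
            return True
        for spec in ports:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def find_lb_to_mig_rules(rules, mig_tags, network):
    """Names of enabled INGRESS rules on `network` that let the GLB ranges reach `mig_tags` on tcp/443."""
    matches = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if rule.get("network", "").rsplit("/", 1)[-1] != network:  # network is a resource URL
            continue
        tags = rule.get("targetTags")
        if tags and not set(tags) & set(mig_tags):
            continue  # rule is scoped to other instances; no tags means it applies to all
        if _covers_all(rule.get("sourceRanges", [])) and _allows_tcp(rule.get("allowed", [])):
            matches.append(rule["name"])
    return matches

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json` output
NET = "https://www.googleapis.com/compute/v1/projects/example-proj/global/networks/apigee-vpc"
SAMPLE_RULES = [
    {"name": "k8s-allow-lb-to-apigee-proxy", "network": NET, "direction": "INGRESS", "targetTags": ["gke-apigee-proxy"],
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "half-lb-range", "network": NET, "direction": "INGRESS", "targetTags": ["gke-apigee-proxy"],
     "sourceRanges": ["130.211.0.0/22"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},  # missing 35.191.0.0/16
]
```

Run it against real output by loading the JSON into `rules` and passing the tags found in the MIG instance template; an empty result is the condition this rule reports.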