Skip to content

Latest commit

 

History

History
68 lines (53 loc) · 5.33 KB

README.md

File metadata and controls

68 lines (53 loc) · 5.33 KB
Raw

Apigee X with Internet Traffic routed to a firewall appliance

In this example we are routing internet traffic to a mocked firewall appliance (a VM with NATing via iptables) to illustrate how all internet egress traffic can be centrally inspected before leaving the VPC.

To turn off direct internet egress traffic for the Apigee service network (by forcing all egress traffic to go through the firewall appliance of this sample) run the following command after you provisioned this sample:

gcloud services vpc-peerings enable-vpc-service-controls \
  --network=NETWORK --project=PROJECT_ID

Setup Instructions

Please see the main README for detailed instructions.

Providers

Name Version
google n/a

Modules

Name Source Version
apigee-x-core ../../modules/apigee-x-core n/a
mock-firewall github.com/terraform-google-modules/cloud-foundation-fabric//modules/compute-vm v16.0.0
nat github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-cloudnat v16.0.0
project github.com/terraform-google-modules/cloud-foundation-fabric//modules/project v16.0.0
vpc github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-vpc v16.0.0

Resources

Name Type
google_compute_firewall.allow_glb_to_mig_bridge resource
google_compute_route.egress_via_firewall resource
google_compute_route.firewall_to_internet resource

Inputs

Name Description Type Default Required
apigee_envgroups Apigee Environment Groups. 
map(object({
    hostnames = list(string)
  }))
 null no
apigee_environments Apigee Environments. 
map(object({
    display_name = optional(string)
    description  = optional(string)
    node_config = optional(object({
      min_node_count = optional(number)
      max_node_count = optional(number)
    }))
    iam       = optional(map(list(string)))
    envgroups = list(string)
  }))
 null no
apigee_instances Apigee Instances (only one instance for EVAL orgs). 
map(object({
    region       = string
    ip_range     = string
    environments = list(string)
  }))
 null no
ax_region GCP region for storing Apigee analytics data (see https://cloud.google.com/apigee/docs/api-platform/get-started/install-cli). string n/a yes
billing_account Billing account id. string null no
firewall_appliance_subnet Subnet for the mocked egress firewall appliance. 
object({
    name               = string
    ip_cidr_range      = string
    region             = string
    secondary_ip_range = map(string)
  })
 n/a yes
firewall_appliance_tags Network Tags for the mocked egress firewall appliance. list(string) 
[
  "egress-fw"
]
 no
firewall_appliance_zone GCP Compute Zone for the mocked egress firewall appliance. string n/a yes
network Name of the VPC network to peer with the Apigee tennant project. string n/a yes
peering_range Service Peering CIDR range. string n/a yes
project_create Create project. When set to false, uses a data source to reference existing project. bool false no
project_id Project id (also used for the Apigee Organization). string n/a yes
project_parent Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. string null no
support_range Support CIDR range of length /28 (required by Apigee for troubleshooting purposes). string n/a yes

Outputs

No outputs.