2
votes

I am looking for a working example/tutorial on how I can use Google Cloud API Gateway with microservices/APIs hosted in GKE. For example, when I try to create an API Gateway and point it to an existing API on GKE, I get the following error:

Backend URL "http://35.xxx.xxx.xxx/legalentities" is forbidden: cannot route requests by IP Address.

2
Could you explain a bit more about what you have tried so far? What is your API configuration, and what steps did you take to deploy your API? - Nebulastic

2 Answers

2
votes

GKE by default produces an IP address for the ingress controller or load balancer, and API Gateway does not allow an IP address to be the hostname for x-google-backend. This is a problem; hopefully it will be resolved when API Gateway comes out for beta.

I faced the same situation. This is how I got around it (using nip.io):

    /products/getoptions:
      get:
        summary: get product options
        operationId: getProductOptions
        x-google-backend:
          address: https://35.xxx.xxx.xxx.nip.io/api/productservice
          path_translation: APPEND_PATH_TO_ADDRESS
        parameters:
          - name: x-access-token
            in: header
            description: Access Token
            required: true
            type: string
          - name: x-refresh-token
            in: header
            description: Refresh Token
            required: true
            type: string
        responses:
          '200':
            description: OK
            schema:
              type: object

0
votes

At the time of writing, API Gateway is still in Beta, so it may not be fully functional and documentation may be scarce. One of the shortcomings of API Gateway, for now, is that your GKE environment produces an internet-facing service which is accessible by IP address only. However, you will need to put an FQDN inside your openapi.yaml (see below). That is where your error probably comes from.

Two options to mitigate this problem:

  • Use a load balancer in front of the GKE IP address, so that you can use the FQDN of the load balancer. However, I am not sure if authentication will still work in this setup, and users may be able to bypass the API gateway.

  • Deploy your internet-facing application in a managed Cloud Run. This will always produce an FQDN, which you can just fill in as the x-google-backend address. You will need to configure serverless VPC access for Cloud Run to let the application communicate with your GKE cluster.

    swagger: '2.0'
    info:
      title: API_ID optional-string
      description: Sample API on API Gateway with a Google Cloud Functions backend
      version: 1.0.0
    schemes:
      - https
    produces:
      - application/json
    paths:
      /hello:
        get:
          summary: Greet a user
          operationId: hello
          x-google-backend:
            address: [FQDN HERE]
          responses:
            '200':
              description: A successful response
              schema:
                type: string
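
Added example, not part of either answer or of Google's tooling: a small pre-deploy lint that scans an OpenAPI file for `x-google-backend` addresses and flags the three cases this thread touches on (a plain `http://` backend, an IP-literal host that API Gateway rejects, and a wildcard-DNS hostname such as nip.io, whose resolution is controlled by a third-party zone). The function names, finding labels and the sample spec are hypothetical; `203.0.113.10` is a documentation address standing in for the redacted GKE IP.

```python
import ipaddress
import re
from urllib.parse import urlsplit

WILDCARD_DNS_SUFFIXES = (".nip.io",)  # zones resolving <ip>.<zone> to that IP
ADDRESS_LINE = re.compile(r"^\s*address:\s*(.+?)\s*$")

def check_backend_address(url):
    """Return findings for one x-google-backend address."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("not-https")      # gateway-to-backend hop is not TLS
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal")     # the "cannot route requests by IP Address" case
    except ValueError:
        pass
    if host.endswith(WILDCARD_DNS_SUFFIXES):
        findings.append("wildcard-dns")   # routing depends on a third-party DNS zone
    return findings

def lint_spec(text):
    """Return (line_no, address, findings) for each flagged x-google-backend address."""
    results, backend_indent = [], None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if line.strip() == "x-google-backend:":
            backend_indent = indent
        elif line.strip() and backend_indent is not None and indent <= backend_indent:
            backend_indent = None         # left the x-google-backend mapping
        m = ADDRESS_LINE.match(line)
        if m and backend_indent is not None:
            findings = check_backend_address(m.group(1).strip("'\""))
            if findings:
                results.append((no, m.group(1), findings))
    return results

# Constructed sample spec; 203.0.113.10 is a documentation address (TEST-NET-3).
SAMPLE = """\
paths:
  /legalentities:
    get:
      x-google-backend:
        address: http://203.0.113.10/legalentities
    post:
      x-google-backend:
        address: https://203.0.113.10.nip.io/legalentities
"""
```

Running `lint_spec` over the spec in CI before creating the API config surfaces these addresses at review time rather than at deploy time.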