Overcoming the challenges of Apigee hybrid installation on on-premise for compliance and security

Brajesh De
Google Cloud - Community
4 min read · Mar 9, 2023

Introducing Apigee Hybrid

Apigee is an API management platform from Google that helps organizations build, manage and secure APIs at scale. Apigee Hybrid gives customers the flexibility to deploy Apigee in a hybrid model with greater control over the runtime components. Customers can choose the cloud platform and region in which the runtime is set up. The currently supported platforms are Azure (AKS), AWS (EKS), GCP (GKE), OpenShift and bare metal servers using Anthos. The management plane components are hosted and managed by Google in GCP.

This blog provides an overview of the deployment architecture for setting up the Apigee Hybrid runtime in an on-premise data center. It also highlights possible solutions to some of the challenges that may be encountered during installation and setup.

Business Benefits of Apigee Hybrid

Apigee Hybrid supports the multi-cloud strategy of organizations that have deployed their applications on different cloud platforms and want to manage all of their APIs through a single API management platform. Customers control and configure the deployment topology of their Apigee setup. Placing the runtime components near the backend services gives very low latency and better performance. An Apigee Hybrid setup in an on-prem data center can help customers meet regulatory compliance and security requirements that may be hard to satisfy with a pure SaaS offering. In countries with strict regulatory requirements to keep all data and traffic within their geo-political boundaries, it becomes imperative to deploy the Apigee Hybrid runtime components on bare metal servers inside the enterprise data center. Apigee Hybrid also lets organizations reuse their existing compliance, governance and security infrastructure.

Installing Apigee Hybrid on Bare Metal Server

Apigee Hybrid installation on bare metal infrastructure needs Anthos to be set up as a prerequisite. Anthos lets you run Kubernetes clusters and deploy applications directly on your own machine resources, which delivers the best performance and flexibility with comparable security. The multi-cluster deployment model of Anthos lets users manage a fleet of clusters (user clusters) from a centralized cluster called the admin cluster, which is suitable for operating multiple clusters from one location.

Apigee runs as an application deployed as pods and services on the worker nodes of an Anthos user cluster. The following diagram shows the minimum node/VM requirements for setting up an Apigee Hybrid cluster:

It is recommended to have at least 3 nodes for the runtime and 3 nodes for the Cassandra datastore. The workloads in each user cluster are created and managed by that cluster's own control plane, which is part of the admin cluster of the Anthos setup. Since the Kubernetes control plane uses etcd to store its configuration data, a minimum of 3 control plane nodes is recommended to meet resiliency and quorum requirements. The admin workstation node hosts the command-line interface (CLI) tools and configuration files used to provision clusters during installation and to interact with the provisioned clusters afterwards.

Installation Challenges and Solutions

The Anthos installation process requires connectivity to Google servers to download the required container images and to run pre-flight checks. Many organizations route outbound internet traffic through proxy servers that mask the original source IPs for security reasons, so requests appear to originate from the proxy. A man-in-the-middle (MITM) proxy provides a higher level of inspection by terminating all SSL connections at the proxy server. Countries like China have additional restrictions imposed by their Great Firewall that require a special network setup to route metadata traffic to GCP. Setting up the Anthos cluster on bare metal servers behind a MITM proxy for a client threw up several challenges, some of which are listed below:

  • Cluster creation failed with certificate validation errors while trying to pull images from gcr.io via the MITM proxy
  • Conflict between the containerization software and version supported by the admin workstation OS (RHEL) and the one required by the Ansible scripts for the pre-flight check: RHEL supports Podman, while the pre-flight check needs Docker > 19.03 installed.

The MITM proxy challenge can be addressed either by updating the proxy server configuration to bypass SSL interception for connections to the Google container registry, or by setting up a local repository of the container images required for the installation. Which solution to choose depends on organizational security policy, since the first option exempts registry traffic from inspection while the second keeps all image pulls inside the data center.

Updating the admin workstation OS to the latest version of RHEL and then installing Docker resolved the container software version mismatch. Apigee Hybrid was then installed on the worker nodes of the user cluster that was set up after the successful Anthos installation.
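To find both problems before the Anthos pre-flight check does, here is a small probe script for the admin workstation. It is an added example, not Google's or Anthos's own tooling: it checks that the installed engine is Docker (not Podman) at a minimum version, and opens a CONNECT tunnel through the proxy to gcr.io with a verified TLS handshake so that an untrusted MITM certificate shows up as "intercepted" instead of a failed image pull later. The proxy address and the 19.03 minimum are assumptions you replace with your own values.

```python
"""Pre-flight probe for an Anthos admin workstation behind a MITM proxy.

Added example, not Google's or Anthos's own pre-flight code. PROXY_HOST,
PROXY_PORT and MIN_DOCKER are placeholders / assumptions."""
import re
import socket
import ssl
import subprocess

PROXY_HOST, PROXY_PORT = "proxy.example.internal", 3128  # placeholder proxy
REGISTRY = "gcr.io"            # the image registry the cluster creation pulls from
MIN_DOCKER = (19, 3)           # assumption: Docker 19.03 is the accepted minimum


def docker_ok(version_text: str) -> bool:
    """True only for real Docker (Podman is rejected) at or above MIN_DOCKER.
    Input is the output of `docker --version`, e.g. 'Docker version 20.10.21, build baeda1f'."""
    m = re.match(r"Docker version (\d+)\.(\d+)", version_text.strip())
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= MIN_DOCKER


def connect_established(reply: bytes) -> bool:
    """Parse the proxy's answer to an HTTP CONNECT; only a 2xx status opens the tunnel."""
    m = re.match(rb"HTTP/1\.[01] (\d{3}) ", reply)
    return bool(m) and m.group(1).startswith(b"2")


def probe_registry_tls(proxy_host=PROXY_HOST, proxy_port=PROXY_PORT, host=REGISTRY) -> str:
    """Tunnel through the proxy and perform a *verified* TLS handshake with the registry.
    'ok'          : the served certificate chains to this host's CA bundle
    'intercepted' : it does not (the MITM CA is not trusted here, which is what breaks pulls)
    anything else : proxy or network problem, returned as text."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
            raw.sendall(f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n".encode())
            if not connect_established(raw.recv(4096)):
                return "proxy refused CONNECT"
            ctx = ssl.create_default_context()  # system trust store, hostname check on
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "intercepted"
    except OSError as exc:
        return f"network error: {exc}"


if __name__ == "__main__":
    try:
        out = subprocess.run(["docker", "--version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""  # no docker binary at all (e.g. only Podman installed)
    print("docker:", "ok" if docker_ok(out) else "missing or too old (Podman does not count)")
    print(f"TLS to {REGISTRY} via proxy:", probe_registry_tls())
```

If the probe reports "intercepted", either exempt the registry host from interception on the proxy or mirror the images locally, as described above; adding the proxy CA to the workstation's trust store only helps the workstation, not the cluster nodes that pull the images.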
