6

I am looking for a working example/tutorial on how I can use Google Cloud API Gateway with microservices/APIs hosted in GKE. For example, when I try to create an API Gateway and point it to an existing API on GKE, I get the following error:

Backend URL "http://35.xxx.xxx.xxx/legalentities" is forbidden: cannot route requests by IP Address.

  • Could you explain a bit more about what you have tried so far? What is your API configuration, and what steps did you take to deploy your API? – Cloudkollektiv Nov 18 '20 at 10:33

2 Answers

2

GKE by default produces an IP address for the ingress controller or load balancer, and API Gateway does not allow an IP address to be the hostname for x-google-backend. This is a problem; hopefully it will be resolved when the API Gateway comes out for beta.

I faced the same situation. This is how I got around it (using nip.io):

    /products/getoptions:
        get:
          summary: get product options
          operationId: getProductOptions
          x-google-backend:
            address: https://35.xxx.xxx.xxx.nip.io/api/productservice
            path_translation: APPEND_PATH_TO_ADDRESS
          parameters:
            - name: x-access-token
              in: header
              description: Access Token
              required: true
              type: string
            - name: x-refresh-token
              in: header
              description: Refresh Token
              required: true
              type: string
          responses:
            '200':
              description: OK
              schema:
                type: object
Dharman
Ali Nahid
  • Have you tried to assign a domain name (DNS wise) to the `IP` of your `Ingress`/`Loadbalancer` IP? – Dawid Kruk Nov 19 '20 at 10:43
  • Hi Dawid Kruk, yes, however you are suggesting that I set the address with an external IP/DNS... this defeats the purpose of using API Gateway. – David McCullough Nov 19 '20 at 11:16
  • I added two possible options; putting a load balancer in front of your application may be an option. Another option is to put your internet-facing application in a managed Cloud Run, which produces an FQDN. – Cloudkollektiv Nov 21 '20 at 10:39
  • @Ali Nahid Could you please share a way to manage it without nip.io? I'm not very familiar with nip.io, is it just a string? – Sachin Kalia May 13 '21 at 08:42
1

At the time of writing, API Gateway is still in Beta, so it may not be fully functional and documentation may be scarce. One of the shortcomings of API Gateway, for now, is that your GKE environment produces an internet-facing service which is accessible by IP address only. However, you will need to put an FQDN inside your openapi.yaml (see below). That is where your error probably comes from.

Two options to mitigate this problem:

  • Use a load balancer in front of the GKE IP address, so that you can use the FQDN of the load balancer. However, I am not sure if authentication will still work in this setup, and users may be able to bypass the API gateway.

  • Deploy your internet-facing application in a managed Cloud Run. This will always produce an FQDN, which you can just fill in as the x-google-backend address. You will need to configure serverless VPC access for Cloud Run to let the application communicate with your GKE cluster.

    swagger: '2.0'
    info:
      title: API_ID optional-string
      description: Sample API on API Gateway with a Google Cloud Functions backend
      version: 1.0.0
    schemes:
      - https
    produces:
      - application/json
    paths:
      /hello:
        get:
          summary: Greet a user
          operationId: hello
          x-google-backend:
            address: [FQDN HERE]
          responses:
            '200':
              description: A successful response
              schema:
                type: string
    
Cloudkollektiv
  • I don't think this answer holds any relevance to the asked question. GCP API Gateway allows x-google-backend with an FQDN. However, when GKE is deployed with the native load balancer or ingress controller, it gives an external IP address, not an FQDN. If I try to use this IP-address-based GKE ingress controller endpoint in x-google-backend, API Gateway throws this error. I am facing the same issue. – Ali Nahid Nov 19 '20 at 09:30
  • Thanks for your comment Nahid, I will update my answer. If there is no requirement to have GKE, a managed Cloud Run always produces an FQDN, so that could work for now. One could also deploy the internet-facing application in a managed Cloud Run with serverless VPC access. – Cloudkollektiv Nov 19 '20 at 10:43
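
A pre-deployment lint for the x-google-backend addresses discussed in both answers, added here as an example (it is not code from either answer or from Google). It flags IP-literal backends, which trigger the "cannot route requests by IP Address" error, plain-HTTP backends, and nip.io-style names that only wrap an IP. The function names, finding labels and sample spec are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Wildcard-DNS suffixes that map a name back to the IP embedded in it (assumed list).
WILDCARD_DNS_SUFFIXES = (".nip.io",)

def classify_backend(address):
    """Return findings for one x-google-backend address value."""
    findings = []
    parts = urlsplit(address)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not-https")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal")  # the case API Gateway refuses to route
    except ValueError:
        if host.endswith(WILDCARD_DNS_SUFFIXES):
            findings.append("wildcard-dns")  # resolution depends on a third party
    return findings

def lint_spec(text):
    """Line-scan OpenAPI YAML; return [(line_no, address, findings), ...]."""
    results, backend_indent = [], None
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("x-google-backend:"):
            backend_indent = indent
        elif backend_indent is not None and stripped and indent <= backend_indent:
            backend_indent = None  # left the x-google-backend mapping
        elif backend_indent is not None:
            m = re.match(r"address:\s*['\"]?([^'\"\s#]+)", stripped)
            if m:
                results.append((no, m.group(1), classify_backend(m.group(1))))
    return results

# Constructed fragment of a paths section; 203.0.113.10 is a documentation address.
SAMPLE_SPEC = """\
/legalentities:
  get:
    x-google-backend:
      address: http://203.0.113.10/legalentities
/products/getoptions:
  get:
    x-google-backend:
      address: https://203.0.113.10.nip.io/api/productservice
"""
```

Running `lint_spec` over a spec in CI and failing on any `ip-literal` finding catches the rejection before `gcloud` does; `wildcard-dns` findings mark backends whose reachability depends on an external DNS service.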