Configure active health check for regional failover with PSC

This page applies to Apigee, but not to Apigee hybrid.


This document explains how to configure active health check in Apigee when you use Private Service Connect (PSC) for northbound network routing (traffic from clients to Apigee). Active health check is useful for preventing loss of network traffic in case of a regional failure.

Overview

If you plan to use PSC for Apigee northbound network routing, follow the instructions in this document to configure active health check. At this time, PSC does not support active health check monitoring. To work around this limitation of PSC, you can modify the Apigee installation configuration to use a managed instance group (MIG), which does provide active health check capability.

You could use outlier detection for health monitoring; however, during regional failures you may periodically lose some traffic, because outlier detection uses real-time traffic as its indicator. Outlier detection periodically re-routes part of the live traffic to check the health of the failed region.

Figure 1 shows the proposed architecture. A service endpoint connects to the service attachment in the Apigee instance, and a MIG proxies traffic to the service endpoint. You enable health check monitoring on the MIG.

Figure 1. Apigee architecture for active health check without VPC peering.

MIG-based health check approach

Prerequisites

You can apply the technique described in this document to Apigee installations with or without VPC peering. For a VPC-peered installation, however, the active health check technique described here applies only if you are using PSC for your routing configuration.

Before performing the steps in this section:

  • For non-VPC peering installations:
    1. Complete Apigee provisioning Steps 1 through 6 for subscription-based or Pay-as-you-go installations. At this time, the only option is to perform these steps using the command-line interface.
    2. Skip Step 7: Configure routing, and do the following steps instead.
  • For VPC peering installations that use PSC for routing:
    1. Complete Apigee provisioning Steps 1 through 7 for subscription-based or Pay-as-you-go installations. At this time, the only option is to perform these steps using the command-line interface.
    2. Skip Step 8: Configure routing, and do the following steps instead.

1. Configure a PSC service endpoint for the Apigee service attachment

In this step, you create a PSC Service Endpoint that points to the service attachment in the Apigee instance:

  1. Get the service attachment from the Apigee instance you created previously:
    curl -i -X GET -H "Authorization: Bearer $AUTH" \
      "https://apigee.googleapis.com/v1/organizations/$PROJECT_ID/instances"

    The following sample output includes the serviceAttachment value:

    {
      "instances": [
        {
          "name": "us-west1",
          "location": "us-west1",
          "host": "10.82.192.2",
          "port": "443",
          "createdAt": "1645731488019",
          "lastModifiedAt": "1646504754219",
          "diskEncryptionKeyName": "projects/my-project/locations/us-west1/keyRings/us-west1/cryptoKeys/dek",
          "state": "ACTIVE",
          "peeringCidrRange": "SLASH_22",
          "runtimeVersion": "1-7-0-20220228-190814",
          "ipRange": "10.82.192.0/22,10.82.196.0/28",
          "consumerAcceptList": [
            "875609189304"
          ],
          "serviceAttachment": "projects/bfac74a67a320c43a12p-tp/regions/us-west1/serviceAttachments/apigee-us-west1-crw1"
        }
      ]
    }
    
  2. Create a PSC Service Endpoint that points to the service attachment that you obtained from the instance response body in the previous step, as explained in Create a Private Service Connect endpoint.
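
The check below is an added example, not part of the Apigee documentation: it reads the instances response from step 1 and returns, per instance, the service attachment to target, or the reason not to create an endpoint yet. It assumes that the project hosting the endpoint must appear in consumerAcceptList and that only ACTIVE instances should be targeted; the function name, the second sample instance and the project number passed in are constructed for illustration.

```python
import json
import re

# Constructed sample input: the first instance mirrors the output in step 1,
# the second is a made-up instance whose accept list omits our project.
SAMPLE = json.dumps({"instances": [
    {"name": "us-west1", "location": "us-west1", "state": "ACTIVE",
     "consumerAcceptList": ["875609189304"],
     "serviceAttachment": "projects/bfac74a67a320c43a12p-tp/regions/us-west1/"
                          "serviceAttachments/apigee-us-west1-crw1"},
    {"name": "example-east", "location": "us-east1", "state": "ACTIVE",
     "consumerAcceptList": ["000000000000"],
     "serviceAttachment": "projects/example-tp/regions/us-east1/"
                          "serviceAttachments/example-attachment"},
]})

# Expected shape: projects/<project>/regions/<region>/serviceAttachments/<name>
SA_RE = re.compile(r"projects/[^/\s]+/regions/[^/\s]+/serviceAttachments/[^/\s]+")


def endpoint_targets(response_text, consumer_project):
    """Split instances into usable service attachments and reasons to stop."""
    targets, problems = {}, []
    for inst in json.loads(response_text).get("instances", []):
        name = inst.get("name", "<unnamed>")
        # Copy-pasted output can carry stray whitespace around the value.
        attachment = inst.get("serviceAttachment", "").strip()
        if SA_RE.fullmatch(attachment) is None:
            problems.append(f"{name}: missing or malformed serviceAttachment")
        elif inst.get("state") != "ACTIVE":
            problems.append(f"{name}: state is {inst.get('state')}, not ACTIVE")
        elif consumer_project not in inst.get("consumerAcceptList", []):
            # Assumption: the endpoint's project must be on the accept list.
            problems.append(f"{name}: {consumer_project} not in consumerAcceptList")
        else:
            targets[name] = attachment
    return targets, problems


if __name__ == "__main__":
    ok, bad = endpoint_targets(SAMPLE, "875609189304")
    for name, attachment in ok.items():
        print(f"{name}: create endpoint for {attachment}")
    for line in bad:
        print(f"SKIP {line}")
```
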

2. Configure a MIG that points to the service endpoint

In this step, you create a MIG that proxies traffic to the service endpoint. You can then enable active health check on the MIG.

Permissions required for this task

You can give the Apigee provisioner a predefined role that includes the permissions needed to complete this task, or give more fine-grained permissions to provide the least privilege necessary. See Predefined roles and Access routing permissions.