I am setting up a load balancer in Kubernetes which will allow access to only authorized IPs. I am considering using APIGEE as an abstraction layer to manage all the authentication, rate limiting, and other filters before the client request reaches the load balancer or the service endpoint.
I understand that using the 'Access Control' policy in Apigee I can restrict the access of the Apigee endpoint to only authorized IPs. So I want to allow ONLY traffic in the Kubernetes service (or load balancer) which goes through the Apigee endpoint. In short, adding the Apigee endpoint's IP in the authorized networks in the load balancer is the identical solution I am considering at this point.
I went through a few articles and questions and I am still not sure whether or not the IP address of the Apigee endpoint (from which the requests are being sent to the Kubernetes Load Balancer) is static, and how to find it out. I tried sending a curl -v and I got the public IP of the endpoint which can also be retrieved from https://ipinfo.info/html/ip_checker.php
To summarize, here are my questions:
1. Is the IP address from which APIGEE sends the request to an endpoint fixed, or does it change? If it changes, how often?
2. Is there any fixed IP range per proxy in APIGEE?
I find this a simple-ended question. The answer to this would be 'Yes, the IP of the Apigee source can change'.
The frequency of the change is supposed to be really low, but in rare cases, the IP can change.
Using two-way TLS can be a better solution to the problem you've described than IP whitelisting.
More about how we can configure Two-way TLS between Apigee Edge and Backend Server can be found here.
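The check that two-way TLS gives the backend in place of a source-IP allowlist, as an added example that is not part of the original answer: the backend admits a caller only if it presents a client certificate issued by a CA the backend trusts, whatever IP the request comes from. The Go test server stands in for the Kubernetes backend, and the names `trusted-ca` and `gateway-client` are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert issues a short-lived client-auth certificate signed by ca; a nil ca yields a self-signed CA.
func newCert(cn string, ca *tls.Certificate) tls.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: ca == nil,
		BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca == nil { // self-signed: the template is its own issuer
		ca = &tls.Certificate{Leaf: t, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, ca.Leaf, key.Public(), ca.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// callBackend starts a backend that accepts only client certs issued by trustedCA, then sends one request.
func callBackend(trustedCA tls.Certificate, clientCerts ...tls.Certificate) (int, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})) // replies 200
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: x509.NewCertPool()}
	srv.TLS.ClientCAs.AddCert(trustedCA.Leaf)
	srv.StartTLS()
	defer srv.Close()
	c := srv.Client() // already trusts the test server's own certificate
	c.Transport.(*http.Transport).TLSClientConfig.Certificates = clientCerts
	resp, err := c.Get(srv.URL)
	if err != nil {
		return 0, err // handshake rejected: client certificate missing or not from trustedCA
	}
	return resp.StatusCode, resp.Body.Close()
}

func main() {
	ca := newCert("trusted-ca", nil)
	fmt.Println(callBackend(ca, newCert("gateway-client", &ca))) // trusted client certificate
	fmt.Println(callBackend(ca))                                // no client certificate
}
```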