GCP API Gateway for Compute Engine
I found the following snippet on api gateway marketing page.
So I was setting up API gateway for my app running on compute engine. As I couldn't find any documentation on how to configure compute engine on API engine, I created the following configuration with the internal DNS.enter link description here
swagger: "2.0"
info:
title: API Endpoints
description: API Endpoints
version: 1.0.1
schemes:
- https
produces:
- application/json
paths:
/indexes:
get:
summary: Return Search Indexes
operationId: searchIndexes
x-google-backend:
address: http://my_internal_dns_for_compute_engine.c.myproject.internal/indexes
path_translation: APPEND_PATH_TO_ADDRESS
responses:
"200":
description: A successful response
schema:
type: string
"403":
description: Failed to authenticate
When I deployed the config using gcloud, I got the following error
Waiting for API Config [my-api-config-v6] to be created for API [my-api]...failed.
ERROR: (gcloud.beta.api-gateway.api-configs.create) Wait for Service Config creation: Backend URL "http://my_internal_dns_for_compute_engine.c.myproject.internal/indexes" is forbidden: cannot route requests to an internal address.
So looks like internal DNS is not supported(obviously).
My compute engine instance can only be accessed through a VPC network. How do I connect my api gateway with the VPC network and how do I access my compute engine through it ?
Today, you can't achieve this. Your API gateway is a serverless service and you can't plug a serverless VPC connector on it. I already discussed this with Google (because it's the same problem with Cloud Scheduler, Cloud Task and PubSub push subscription for example) and something should happen soon. Stay tuned!!
Anyway, to solve now your issue, you have 2 solutions (at least, one sure and one to test)
- The first (sure) solution is to have a "proxy". Another compute engine with public access, or a Cloud Function/Cloud Run/App Engine service with a serverless VPC connector. The Cloud Function/Cloud Run/App Engine is better because you can secure the access with IAM (no public access)
- The second (to test) solution is to deploy Cloud Endpoint, I mean ESPv2 on Cloud Run instead of using API gateway. In fact, API Gateway is, for now, a managed solution of ESPv2 on Cloud Run. And if you plug a serverless VPC connector on Cloud Run, it should work. I wrote an article on the ESPv2 & Cloud Run usage. if I have time, I will test it with the serverless VPC connector and let you know. Else, have a try on your side.
EDIT 1
I have tested the second solution and it works with the internal IP (and with a serverless VPC connector on the Cloud Run Endpoint service with ESPv2 deployed), not with the internal DNS name.
- How to pull docker image from Google Artifact Registry in k8s deployment.yaml via imagePullSecrets
- Configure uptime check via trigger cloudbuild YAML
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Query data in a key-value table
- Is it possible to create daily budget alerts in GCP?
- Get service account auth token without gcloud?
- GoogleHadoopOutputStream: hflush(): No-op due to rate limit
- Delete all objects from a directory in google storage bucket using cloud storage options
- How do I add a .env file in gitlab ci during deployment stage?
- Bigquery: "User does not have bigquery.jobs.create permission" with roles/bigquery.admin
- Are GCP workflow shared variables thread safe?
- Stripe Error: No signatures found matching the expected signature for payload
- Google Cloud REST API for Artifact Registry - URL is 404
- Google Cloud Run weird behaviour only for path /healthz
- Google Apps Script 403: The caller does not have permission
- Querying for a Google Dataplex Entry only returns names of attached custom Aspects, not the Aspect values
- Why are BQ snapshots using the full storage amount of the original table?
- Google Document AI value types Money vs Currency
- Access Blocked: <project> has not completed the Google verification process
- How to fetch real-time google cloud run job logs?
- How do I know if an Google App Engine instance is Standard or Flexible?
- How to get the latest key version in Google Cloud KMS?
- `PermissionError: [Errno 13] Permission denied: 'C:/Users'` on Google Cloud Storage
- What is the effect of assigning an IAM role to a domain in GCP?
- Permission 'storage.buckets.get' denied on resource (or it may not exist)
- Firestore Bandwidth costs for downloading documents with large embedding vectors
- Google Cloud Functions: missing main.py
- Batch Prediction for Object Detection Auto ML took so long
- Why is this Workload Identity Pool not being created?
- Is there a way to copy from a Google Sheets that is copy locked?