Provisioning NAT IPs

This page applies to Apigee, but not to Apigee hybrid.


This section describes how to manage the NAT IPs for Apigee instances.

Apigee provides ephemeral IPs and dedicated IPs. In many cases, ephemeral IPs are sufficient. If your backend doesn't require IP allow-listing, you will not need to manage NAT IPs, and Apigee will automatically allocate ephemeral IPs for egress.

If you require IP allow-listing, you can reserve and activate IPs so that Apigee uses static IPs for egress traffic.

Set up Apigee NAT IP provisioning

To set NAT IP provisioning for your Apigee instance:

  1. Create and populate the following environment variables:

    Variables

    PROJECT_ID=YOUR_PROJECT_ID
    ORG_ID=YOUR_ORG_ID
    INSTANCE_NAME=YOUR_INSTANCE_NAME
    NAT_ID=1st_NAT_IP_ID

    Example

    PROJECT_ID=apigee-saas-prod
    ORG_ID=apigee-saas-prod
    INSTANCE_NAME=prod-us-west1-instance1
    NAT_ID=nat-1

    Where:

    • YOUR_PROJECT_ID is the Cloud project ID that you created as part of the Prerequisites. If you're not sure what your project ID is, use the Cloud console or the gcloud projects list command to find it.
    • YOUR_ORG_ID is your Apigee organization ID.
    • YOUR_INSTANCE_NAME is the name of your Apigee instance.
    • 1st_NAT_IP_ID is the name you are assigning to this NAT IP address; for example, nat-1.
  2. Reserve a NAT IP with the following commands:
    1. On the command line, get your gcloud authentication credentials, as the following example shows:

      TOKEN=$(gcloud auth print-access-token)

      To check that your token was populated, use echo, as the following example shows:

      echo $TOKEN

      This should display your token as an encoded string.

      For more information, see gcloud command-line tool overview.

    2. Reserve the NAT IP. The request returns a long-running operation, so the command shown here assigns the operation's name to the variable operation_name:
      operation_name=$(curl -H "Authorization: Bearer $TOKEN" \
        "https://apigee.googleapis.com/v1/organizations/${ORG_ID}/instances/${INSTANCE_NAME}/natAddresses" \
        -X POST -H "content-type:application/json" -d "{\"name\":\"${NAT_ID}\"}" | jq -r '.name')
      
    3. Poll the long-running operation until it shows a status of done: true by executing the following request:
      curl -s -H "Authorization: Bearer $TOKEN" "https://apigee.googleapis.com/v1/$operation_name"
  3. After the operation is completed, activate the NAT IP with the following commands:
    1. Activate the IP and assign the long-running operation name to operation_name:
      operation_name=$(curl -H "Authorization: Bearer $TOKEN" \
        "https://apigee.googleapis.com/v1/organizations/${ORG_ID}/instances/${INSTANCE_NAME}/natAddresses/${NAT_ID}:activate" \
        -X POST -H "content-type:application/json" -d "{}" | jq -r '.name')
    2. Poll the long-running operation until it shows a status of done: true:
      curl -s -H "Authorization: Bearer $TOKEN" "https://apigee.googleapis.com/v1/$operation_name"
  4. Repeat this procedure with a new NAT IP name for each NAT IP you need to set up.

Fetching NAT IPs

List the NAT IPs for an instance with the following command:

curl -H "Authorization: Bearer $TOKEN" \
  "https://apigee.googleapis.com/v1/organizations/${ORG_ID}/instances/${INSTANCE_NAME}/natAddresses"

An example response would look like:

{
  "natAddresses": [
    {
      "name": "nat-1",
      "ipAddress": "35.203.160.18",
      "state": "ACTIVE"
    },
    {
      "name": "nat-2",
      "ipAddress": "35.230.14.174",
      "state": "RESERVED"
    },
    {
      "name": "nat-3",
      "state": "CREATING"
    }
  ]
}

States of a NAT IP

  • CREATING: The NAT IP creation is pending. The IP is not ready to be used.
  • RESERVED: The NAT IP has been created but not used. This gives you the opportunity to allow-list this IP before activating it.
  • ACTIVE: The NAT IP is being used to send egress traffic.
  • DELETING: The NAT IP is being deleted.
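
The RESERVED state exists so that an address can be allow-listed before it is activated. The following added example (not part of the Apigee documentation) checks a natAddresses list response against a backend allow-list and reports what still has to change on either side. The function name, the report keys and the allow-list values are assumptions made for illustration; the response is the sample shown above.

```python
import ipaddress
import json

# Constructed sample: the list response shown above, as returned by
# GET .../instances/${INSTANCE_NAME}/natAddresses.
SAMPLE_RESPONSE = """
{"natAddresses": [
  {"name": "nat-1", "ipAddress": "35.203.160.18", "state": "ACTIVE"},
  {"name": "nat-2", "ipAddress": "35.230.14.174", "state": "RESERVED"},
  {"name": "nat-3", "state": "CREATING"}
]}
"""


def audit_nat_allow_list(response_text, allow_list):
    """Compare Apigee NAT IPs with a backend allow-list (IPs or CIDR blocks)."""
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allow_list]
    report = {"active_missing": [], "safe_to_activate": [],
              "allow_list_first": [], "no_ip_yet": [], "stale_entries": []}
    covered = set()
    for nat in json.loads(response_text).get("natAddresses", []):
        name, state = nat["name"], nat.get("state", "")
        if "ipAddress" not in nat:      # CREATING entries carry no address yet
            report["no_ip_yet"].append(name)
            continue
        ip = ipaddress.ip_address(nat["ipAddress"])
        matches = {net for net in networks if ip in net}
        if state != "DELETING":         # an IP being deleted no longer justifies an entry
            covered |= matches
        if state == "ACTIVE" and not matches:
            report["active_missing"].append(name)   # backend would reject this egress IP
        elif state == "RESERVED":
            key = "safe_to_activate" if matches else "allow_list_first"
            report[key].append(name)
    # Entries that match no current NAT IP still admit traffic from that address.
    report["stale_entries"] = [str(n) for n in networks if n not in covered]
    return report


if __name__ == "__main__":
    backend_allow_list = ["35.203.160.18/32", "203.0.113.7"]   # constructed values
    for finding, items in audit_nat_allow_list(SAMPLE_RESPONSE, backend_allow_list).items():
        print(f"{finding}: {items}")
```

Run it again after deleting a NAT IP: an allow-list entry reported under stale_entries belongs to an address that is no longer reserved for your instance and should be removed from the backend.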

Deleting NAT IPs

You can delete NAT IPs with the following commands:

  1. Delete the IP and assign the long-running operation name to operation_name:
    operation_name=$(curl -H "Authorization: Bearer $TOKEN" \
      "https://apigee.googleapis.com/v1/organizations/${ORG_ID}/instances/${INSTANCE_NAME}/natAddresses/${NAT_ID}" \
      -X DELETE | jq -r '.name')
  2. Poll the long-running operation until it shows a status of done: true.
    curl -s -H "Authorization: Bearer $TOKEN" "https://apigee.googleapis.com/v1/$operation_name"