Northbound networking with Private Service Connect

This page applies to Apigee, but not to Apigee hybrid.

View Apigee Edge documentation.

This document describes the use of Private Service Connect (PSC) to configure routing from clients to Apigee, also called "northbound" traffic.

Overview

You can use PSC to connect the Apigee VPC with the VPC that you have peered with Apigee, or with any other VPC that you control. This architectural pattern eliminates the need to create managed instance groups (MIGs) to forward requests from the global load balancer to Apigee. With the PSC routing method, API proxy requests pass through a global external HTTP(S) load balancer that you install in a VPC to a single point of attachment in the Apigee VPC, called a Service Attachment. This configuration lets you send Apigee API proxy requests from any network-enabled machine. See Figure 1.

Note the following supported northbound PSC features:

You can use PSC with any existing Apigee instance.
You can attach multiple PSC network endpoint groups (NEGs) to the Envoy-based, Google Cloud global external HTTP(S) load balancer.
PSC is supported with VPC Service Controls.
You can set an outlier detection traffic policy on the backend service for handling failover scenarios automatically. See the following for more information:

Figure 1: Private service connections

Restrictions

The use of PSC with Apigee currently has the following restrictions:

Restrictions: Note the following restrictions for PSC configuration:

Global external HTTP(S) load balancer (classic) is not supported for this configuration.
For failover with multiple PSC NEGs, active health checks are not supported. Use outlier detection instead.
The number of Google Cloud projects that can connect to an Apigee instance through PSC is limited to 50, and each project can create up to 20 connections. See Configure routing. See also Limits.
Note: You control the list of Google Cloud projects connected to an instance through the consumerAcceptList field of the instances API.
If a Google cloud project is removed from consumerAcceptList, the existing PSC NEGs in that removed project will continue to work. However, any new NEGs will be rejected. You must delete existing NEGs if you remove their associated projects from the consumerAcceptList. Alternatively, you can recreate the Apigee instance, which recreates the service attachment in the Apigee project.

Configure PSC routing

We support using PSC for northbound routing from both internal and external clients. For detailed steps, see Step 8: Configure routing of the CLI provisioning instructions.

Multi-region expansion with PSC

You can expand an Apigee organization across multiple regions and use PSC for northbound routing in the new regions. For details, see Expanding Apigee to multiple regions.

Deleting an Apigee instance

To delete an Apigee instance that uses PSC, follow these steps:

Remove and delete the PSC NEG backend from the external load balancer.
Delete the Apigee runtime instance using the Apigee API. This is a long-running operation that can take up to 20 minutes to complete.
Optionally retrieve the long-running operation state using the Apigee API.