When Apigee hybrid was first introduced, the value of having an API runtime plane consisting of the Gateway and other runtime components close to the enterprise workloads was immediately obvious. The flexibility to deploy the runtime as a containerized workload on a range of supported container platforms and being in control of all runtime network traffic represented a clear advantage over the previously available deployment options.
The Apigee control plane makes up the other side of this operating model that constitutes the hybrid nature of Apigee hybrid. The control plane has initially received less attention because ultimately it is a managed service that is supposed to just work. As Apigee hybrid is gaining more popularity and is adopted in more regulated environments, more and more customers are looking at the control plane in detail. The goal of this article is to answer some of the most frequently asked questions around the Apigee control plane and its interaction with the runtime plane.
What is the hybrid Apigee Control Plane?
The Apigee control plane consists of a set of Google-managed services to enable full-lifecycle API management. These services are always hosted on Google Cloud Platform even if the runtime is deployed on premise or on another supported cloud platform. By leveraging a proven cloud stack, the control plane provides many operational aspects of an enterprise API management solution as well as scalable control mechanisms.
To better understand the control plane we will have to look at the different services one by one:
Management Server
The central Apigee capabilities are provided by the Apigee Management Server, which can be accessed by the API team and other authorized agents (users and service accounts) via the Apigee API or the Apigee UI. The data handled by the control plane falls into three categories:
- Configuration Data controlled by the control plane
The Management server manages the configuration of API proxies and shared flows as well as the necessary resource files like JavaScript files or PropertySets.
- Configuration Data passed through the control plane to the Runtime
The Management server is also used to pass resources transiently to the runtime plane. Resources like API Products, Developers and Apps can be created or retrieved through the Management APIs but, in contrast to the API proxy resources mentioned above, they are not stored on the control plane.
- Analytics Data passed to the control plane
The Management server's Unified Analytics Platform (UAP) aggregates runtime meta information that is periodically sent back from the runtime to the control plane. This includes information about the deployment status of API proxies, the analytics metadata as well as optional Apigee Debug session information. Sensitive runtime information can be removed before the data is sent to the UAP, as explained later in this article.
Google Cloud IAM
For permissions management for the Apigee control plane we rely on Cloud Identity and Access Management (IAM). Cloud IAM provides the necessary services to safely and securely authenticate and authorize any user of the Apigee API or Apigee UI and is based on the same RBAC constructs that are used for the rest of the GCP services.
Cloud Operations Suite
Apigee also enables users to make use of the Cloud Operations Suite to analyze their API traffic and define custom alerts based on metrics. Cloud Logging can be used to centrally aggregate infrastructure logs. These logs do not contain any data from API traffic but are useful to monitor and investigate the communication between the runtime components. Customers can also choose to send runtime logs to Cloud Logging via an Apigee policy by explicitly composing logging payloads from flow variables, so that only the fields they select leave the runtime. An example implementation of such a Cloud Logging policy can be found in the open-source Apigee DevRel Repository.
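As an added illustration of the "explicitly composed payload" approach (this is not the DevRel repository's policy and not code from the article), the following MessageLogging policy writes a structured entry to Cloud Logging built only from the flow variables it names; headers, message bodies and client addresses are not included unless they are deliberately added. The log name, display name and label values are assumptions; in Apigee hybrid the runtime service account must be allowed to write to Cloud Logging for the policy to succeed.

```xml
<MessageLogging name="ML-CloudLogging-Audit">
  <DisplayName>ML-CloudLogging-Audit</DisplayName>
  <CloudLogging>
    <!-- {organization.name} resolves to the Apigee organization, which in hybrid matches the project id -->
    <LogName>projects/{organization.name}/logs/apigee-runtime-audit</LogName>
    <!-- Only the fields listed here leave the runtime: no headers, no body, no client IP.
         Each field is a flow variable; add one only after deciding it may reach the control plane. -->
    <Message contentType="application/json">{
  "messageid": "{messageid}",
  "proxy": "{apiproxy.name}",
  "revision": "{apiproxy.revision}",
  "environment": "{environment.name}",
  "verb": "{request.verb}",
  "path": "{proxy.pathsuffix}",
  "status": "{response.status.code}",
  "received": "{client.received.start.timestamp}"
}</Message>
    <Labels>
      <Label>
        <Key>component</Key>
        <Value>apigee-runtime</Value>
      </Label>
    </Labels>
    <ResourceType>global</ResourceType>
  </CloudLogging>
  <logLevel>INFO</logLevel>
</MessageLogging>
```

Attach the policy in the PostClientFlow so that the response status is known when the entry is written; because the message is composed by hand, a review of this one policy is enough to know exactly which runtime fields are being exported.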
Developer Portal
The Apigee integrated developer portal is also provided as an optional managed service in the Apigee control plane. The developer portal is used to provide self-service access to the application developers that act as API consumers. The integrated developer portal is an optional component and customers can choose to host their own portal based on the official Apigee Drupal Modules or directly on top of the Apigee APIs.
Why would I want a hosted control plane?
In the previous section we looked at which services are provided by the control plane vs the runtime plane. Taking a step back we want to explain the motivations behind running the control plane on a managed cloud stack.
- Reduced Operational Costs and Higher Operational Excellence
By pooling the operation of the control plane of multiple customers together, Google can make use of economies of scale to operate, maintain and secure all the required components of the control plane. Follow these links if you're interested in Google's multi-layer security model and SRE principles.
- High Availability
The Google-hosted control plane is highly available and hosted redundantly across multiple failure domains. This ensures that the availability of the control plane is not coupled to the availability of the runtime.
- Integrated with proven technologies and the larger GCP ecosystem
By running the Apigee control plane inside GCP it can integrate with other widely used and highly available GCP services like IAM or the Cloud Operations Suite. This allows Apigee customers to benefit from a large number of enterprise features like Active Directory federation or audit logging that would otherwise have to be separately configured and validated on a standalone stack.
- Enhanced Supportability
If desired and requested by the customer, a hybrid control plane can provide the Google support team additional information about the current configuration of the Apigee deployment as well as operational metrics that help identify and resolve potential performance or traffic anomalies.
Which controls do I have as an Apigee Administrator
Obviously, the benefits mentioned above come with the requirement of data and administration passing through a managed control plane component that resides outside of your infrastructure. As an Apigee administrator you have several options to secure and limit data going to and residing in the Apigee control plane.
- VPC Service Controls and Private Google Access
Apigee supports VPC Service Controls, which limit access to the Management API to callers inside an authorized service perimeter. This ensures that the Google APIs can only be reached from a private network in order to mitigate the risk of data exfiltration.
Even without VPC Service Controls, Apigee customers can use Private Google Access to route all of their traffic via a private network connection instead of the public internet.
- Data Obfuscation
Some customers are worried that the analytics data sent back to the control plane contains sensitive information, or information considered personally identifiable information (PII) such as IP addresses, that cannot be sent to the Apigee control plane for regulatory reasons. These customers are encouraged to activate data obfuscation on their Apigee hybrid organization. Activating data obfuscation results in a number of potentially sensitive analytics values being hashed within the runtime before they are transferred back to the Apigee control plane.
- Disable Optional Logging and Monitoring
The Apigee hybrid configuration allows customers to decide whether they want to send infrastructure logs and metrics to Cloud Logging or not. Sending logs and infrastructure metrics to the control plane is optional, and customers can choose to collect their logs and metrics in their own aggregation tools.
- Restrict Usage of Debug Functionality
Apigee comes with a Debug functionality that allows users to selectively inspect API calls and to understand the proxy logic. Customers can choose to use Data Masking to hide certain sensitive values from the debug tool. Some customers also decide to completely prevent the usage of the debug tool by removing the respective Google Cloud IAM permissions (apigee.tracesessions.*) from most or all of their custom roles.
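The last three controls above (data obfuscation, optional logging and metrics, and a restricted debug tool) can be applied from a single script. The one below is an added example, not code from the article or from Apigee: ORG, ENV and PROJECT are placeholders the operator sets, gcloud is assumed to be authenticated, the organization property name for obfuscation is taken from the Apigee hybrid documentation as an assumption to confirm against the current reference, the JSON paths and variable names in the debug mask are illustrative, the role id apigeeDeveloperNoTrace and the file role.yaml are hypothetical, and the base permission list is a constructed sample rather than a complete role.

```shell
#!/bin/sh
# Added example (not from the article or from Apigee): apply the control-plane
# data controls discussed above. ORG/ENV/PROJECT are placeholders; network
# calls run only when APPLY=1 is set, so the helper functions can be exercised
# offline.
set -eu

ORG="${ORG:-example-org}"        # placeholder Apigee organization
ENV="${ENV:-prod}"               # placeholder Apigee environment
PROJECT="${PROJECT:-$ORG}"       # hybrid org name normally equals the project id
API="https://apigee.googleapis.com/v1"

# 1. Analytics data obfuscation is an organization property (name as recalled
#    from the hybrid docs; confirm against the current reference). PUT on the
#    organization replaces the whole property list, so merge this entry with the
#    properties returned by a GET before applying it.
obfuscation_payload() {
  printf '{"properties":{"property":[{"name":"features.analytics.data.obfuscation.enabled","value":"true"}]}}'
}

# 2. Debug mask for the environment: credentials and tokens are masked inside
#    the runtime before debug session data is sent to the control plane.
debugmask_payload() {
  cat <<'EOF'
{
  "requestJSONPaths": ["$.password", "$.creditCard"],
  "responseJSONPaths": ["$.accessToken"],
  "variables": ["request.header.authorization", "request.formparam.password"]
}
EOF
}

# 3. Custom IAM role: read a base permission list (one per line; in practice the
#    output of `gcloud iam roles describe roles/apigee.developerAdmin`) and drop
#    every apigee.tracesessions.* permission so the role cannot start debug
#    sessions. grep exits 1 when nothing is left, hence the || true.
strip_trace_permissions() {
  grep -v '^apigee\.tracesessions\.' || true
}

# Constructed sample base list: real Apigee permission names, not a full role.
sample_permissions() {
  cat <<'EOF'
apigee.proxies.get
apigee.proxies.list
apigee.tracesessions.create
apigee.tracesessions.get
apigee.tracesessions.list
apigee.deployments.get
EOF
}

# Number of permissions that survive the filter (3 for the sample above).
filtered_permission_count() {
  sample_permissions | strip_trace_permissions | wc -l | tr -d ' '
}

# 4. overrides.yaml fragment that keeps infrastructure logs and metrics out of
#    Cloud Logging and Cloud Monitoring (documented hybrid configuration keys).
overrides_snippet() {
  cat <<'EOF'
logger:
  enabled: false
metrics:
  enabled: false
EOF
}

apply_controls() {
  token="$(gcloud auth print-access-token)"
  curl -sS -X PUT "$API/organizations/$ORG" \
    -H "Authorization: Bearer $token" -H "Content-Type: application/json" \
    -d "$(obfuscation_payload)"
  curl -sS -X PATCH "$API/organizations/$ORG/environments/$ENV/debugmask?replaceAll=true" \
    -H "Authorization: Bearer $token" -H "Content-Type: application/json" \
    -d "$(debugmask_payload)"
  {
    echo "title: Apigee developer without debug sessions"
    echo "stage: GA"
    echo "includedPermissions:"
    sample_permissions | strip_trace_permissions | sed 's/^/- /'
  } > role.yaml
  gcloud iam roles create apigeeDeveloperNoTrace --project "$PROJECT" --file role.yaml
  echo "merge the following into overrides.yaml and re-apply the hybrid configuration:"
  overrides_snippet
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_controls
fi
```

Run it as `APPLY=1 ORG=... ENV=... sh script.sh` after reviewing the payloads; without APPLY the script only defines the helpers, which is useful for checking the generated role before it is created.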
If you want to get started with Apigee hybrid and explore the features of the fully managed control plane then check out the official documentation here.
