There have been some issues this week with 502 Bad Gateway errors from new and existing VPC-peered Evaluation deployments. If you see an error similar to this one when using the deployment wizard, the issue is coming from a deprecated Debian 10 image.
This issue is currently being fixed, but in the meantime if you have an existing deployment, you can update the image as described in this forum post: https://www.googlecloudcommunity.com/gc/Apigee/Server-Error-502/m-p/771874#M79884.
Another option is to change the connection between Apigee and the Load Balancer to use PSC (Private Service Connect), which does not need VPC peering or MIG VM images. Here are the instructions to change an existing or failed deployment (as shown in the wizard error above) to use PSC.
Step 1: Copy your Apigee Service Attachment name from the instance configuration.
Go to the Apigee Instance configuration, and copy the Service Attachment name (below it is projects/x737cbd20055b6193-tp/regions/europe-west4/serviceAttachments/apigee-europe-west4-kjlw).
Step 2: Go to Compute Engine - Network endpoint groups and create a new NEG for Apigee
Under Compute Engine - Network endpoint groups, create a new NEG of type Private Service Connect NEG (Regional) and target Published service, and then set the Target service with the Service Attachment name copied in Step 1, as well as your network from the Apigee deployment.
Step 3: Reserve an IP address for the load balancer
Since I will use the IP to get a certificate from nip.io, I need the IP address in advance, so create a global (for a global LB) IP under VPC network - IP addresses. Copy the IP address for the next step.
Step 4: Create a Load Balancer
Now go to Network services - Load balancing, and press + CREATE LOAD BALANCER at the top of the screen. Click through all of the default options and click CONFIGURE at the bottom of the screen. Give the Load Balancer a name at the top (for example apigee-lb), and give the Frontend configuration a name, and select HTTPS as protocol. Select your reserved IP address, and under Certificate click CREATE A NEW CERTIFICATE. Give the certificate a name (apigee-cert), and click Create Google-managed certificate. Under Domain add your IP address with - instead of . between the numbers, and .nip.io at the end (so for 34.54.56.166, enter 34-54-56-166.nip.io). This will automatically validate the certificate with nip.io, and give you an HTTPS endpoint.
Now under Backend configuration, click CREATE A BACKEND SERVICE, give it a name (apigee-backend), and select Private Service Connect network endpoint group as Backend type, and select Published service as target type. Then under New backend select your apigee-neg that you created in Step 2. Uncheck Cloud CDN and click CREATE, and then CREATE again at the bottom of the screen to create the load balancer.
Step 5: Update Apigee environment group host name
After waiting around 5-10 minutes for the load balancer and certificate to be created, go back to Apigee - Environments, and click on ENVIRONMENT GROUPS at the top of the page. Add the nip.io host name from the certificate as a host name by clicking Edit (for example 34-54-56-166.nip.io in my case). Now your Apigee environment should be reachable through the load balancer.
Step 6: Test Apigee API
Now test that you can reach a sample proxy deployed in Apigee (by default, hello-world is deployed by the wizard at /hello-world).
curl -i https://34-54-56-166.nip.io/hello-world
HTTP/2 200
x-powered-by: Apigee
access-control-allow-origin: *
x-frame-options: ALLOW-FROM RESOURCE-URL
x-xss-protection: 1
x-content-type-options: nosniff
content-type: text/plain; charset=utf-8
content-length: 13
etag: W/"d-CD90h6x0eIVqiTkn8InWaeagV3Q"
date: Thu, 04 Jul 2024 08:45:49 GMT
via: 1.1 google, 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
x-request-id: b1b5333e-d9a2-45b9-aebe-d923ea62efc9
Hello, Guest!
Just reach out in case of questions here in the chat, apologies to anyone impacted by this issue, and hopefully these steps can help with the switch to PSC.
For reference: command-line steps
For reference, here are the same configuration steps using the command line.
PROJECT_ID=YOUR_PROJECT_ID
gcloud config set project $PROJECT_ID
# get instance status
curl "https://apigee.googleapis.com/v1/organizations/$PROJECT_ID/instances/instance1" \
-H "Authorization: Bearer $(gcloud auth print-access-token)"
# get all instances
curl "https://apigee.googleapis.com/v1/organizations/$PROJECT_ID/instances" \
-H "Authorization: Bearer $(gcloud auth print-access-token)"
# set TARGET_SERVICE to the Apigee Service Attachment name from the above output
TARGET_SERVICE=projects/i7cf18ac52f8d77a0-tp/regions/europe-west4/serviceAttachments/apigee-europe-west4-dtim
# create a Private Service Connect NEG that points to the service attachment
# https://console.cloud.google.com/compute/networkendpointgroups/add
gcloud compute network-endpoint-groups create apigee-neg \
--network-endpoint-type=private-service-connect \
--psc-target-service=$TARGET_SERVICE \
--region=europe-west4 \
--project=$PROJECT_ID
# reserve IP address for Apigee
gcloud compute addresses create apigee-ipaddress \
--ip-version=IPV4 --global --project=$PROJECT_ID
# view IP address
gcloud compute addresses describe apigee-ipaddress \
--format="get(address)" --global --project=$PROJECT_ID
IP_ADDRESS=$(gcloud compute addresses describe apigee-ipaddress \
--format="get(address)" --global --project=$PROJECT_ID)
# create LB backend service for the NEG
gcloud compute backend-services create apigee-backend \
--load-balancing-scheme=EXTERNAL_MANAGED \
--protocol=HTTPS \
--global --project=$PROJECT_ID
# add the NEG as a backend of the backend service
gcloud compute backend-services add-backend apigee-backend \
--network-endpoint-group=apigee-neg \
--network-endpoint-group-region=europe-west4 \
--global --project=$PROJECT_ID
# create a URL map
gcloud compute url-maps create apigee-url-map \
--default-service=apigee-backend \
--global --project=$PROJECT_ID
# create certificate
RUNTIME_HOST_ALIAS=$(echo "$IP_ADDRESS" | tr '.' '-').nip.io
gcloud compute ssl-certificates create apigee-ssl-cert \
--domains="$RUNTIME_HOST_ALIAS" --project "$PROJECT_ID" --quiet
# create target HTTPS proxy
gcloud compute target-https-proxies create apigee-proxy \
--url-map=apigee-url-map \
--ssl-certificates=apigee-ssl-cert --project=$PROJECT_ID
# create forwarding rule
gcloud compute forwarding-rules create apigee-fw-rule \
--load-balancing-scheme=EXTERNAL_MANAGED \
--network-tier=PREMIUM \
--address=$IP_ADDRESS \
--target-https-proxy=apigee-proxy \
--ports=443 \
--global --project=$PROJECT_ID
# create environment group (the unquoted heredoc expands $RUNTIME_HOST_ALIAS set above)
curl -X POST "https://apigee.googleapis.com/v1/organizations/$PROJECT_ID/envgroups" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H 'Content-Type: application/json; charset=utf-8' \
--data-binary @- << EOF
{
"name": "dev",
"hostnames": ["$RUNTIME_HOST_ALIAS"]
}
EOF
EOF
# create environment
curl -X POST "https://apigee.googleapis.com/v1/organizations/$PROJECT_ID/environments" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H 'Content-Type: application/json; charset=utf-8' \
--data-binary @- << EOF
{
"name": "dev"
}
EOF
# attach environment to envgroup
curl -X POST "https://apigee.googleapis.com/v1/organizations/$PROJECT_ID/envgroups/dev/attachments" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H 'Content-Type: application/json; charset=utf-8' \
--data-binary @- << EOF
{
"name": "dev",
"environment": "dev"
}
EOF
# attach environment to instance
curl -X POST "https://apigee.googleapis.com/v1/organizations/$PROJECT_ID/instances/instance1/attachments" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H 'Content-Type: application/json; charset=utf-8' \
--data-binary @- << EOF
{
"environment": "dev"
}
EOF
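
The command-line steps above type the NEG region by hand, build the nip.io host name with tr, and then wait for the certificate. The following is an added example, not part of the original post, that derives the region and host name from validated input and polls the managed certificate before Step 6. It assumes a POSIX shell and the resource names used on this page; the function names are hypothetical.

```shell
# Added example, not from the original post; function names are hypothetical.

# Print the region embedded in a service attachment path of the form
# projects/<project>/regions/<region>/serviceAttachments/<name>; fail otherwise.
sa_region() (
  case $1 in
    projects/?*/regions/?*/serviceAttachments/?*) ;;
    *) return 1 ;;
  esac
  rest=${1#projects/*/regions/}
  region=${rest%%/*}
  name=${rest#"$region"/serviceAttachments/}
  case $region in ''|*[!a-z0-9-]*) return 1 ;; esac
  case $name in ''|*/*) return 1 ;; esac
  printf '%s\n' "$region"
)

# Print the nip.io host name for a dotted IPv4 address; reject anything else,
# so nothing unexpected reaches --domains or the envgroup JSON.
nip_host() (
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  printf '%s-%s-%s-%s.nip.io\n' "$1" "$2" "$3" "$4"
)

# Poll a Google-managed certificate until it is ACTIVE.
# $1 = certificate name, $2 = project, $3 = attempts (default 40, 30 s apart).
wait_for_cert() {
  tries=${3:-40}
  while [ "$tries" -gt 0 ]; do
    st=$(gcloud compute ssl-certificates describe "$1" --global \
      --project="$2" --format='get(managed.status)') || return 2
    case $st in
      ACTIVE) return 0 ;;
      PROVISIONING) sleep 30 ;;
      *) echo "certificate $1 status: $st" >&2; return 1 ;;
    esac
    tries=$((tries - 1))
  done
  return 1
}
```

Use `sa_region "$TARGET_SERVICE"` for the `--region` values and `nip_host "$IP_ADDRESS"` for `RUNTIME_HOST_ALIAS`, then run `wait_for_cert apigee-ssl-cert "$PROJECT_ID"` before the curl test in Step 6.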




