Envoy proxy and the Apigee Adapter for Envoy [2022]

I know this tutorial is more focused around standalone Envoy but if you have insight around the integration with Istio.

Does you know if the Envoy Adapter for Apigee could be integrated with other Service Meshes that use Envoy as their side car proxy such as Consul? I think it theory the answer should be yes but probably with a bit more custom overhead?

The other question I have, is if there is best practices and recommendation on how to use a service mesh with an api gateway? Such as, for micro services do you still flow traffic through to the mesh? Should you keep the Gateway as Ingress APIs only? What about the security controls that the mesh provides? Does that become obsolescence with Apigee handling authentication and authorization? Can I publish a micro-service API to the developer portal for internal use only for documentation purposes, while using the mesh for micro service to micro service communication?

I’d definitely like to see more documentation about the unity of a mesh and a gateway. Some meshes provide a simple “API gateway”, while Apigee is more a API management system.

Lastly, if we have a Apigee subscription, is the adapter included with support?

codemiester

Hey Dino

Sorry to bug you again. I have a use case where I’d like to deploy Envoy with the Adapter for Apigee. The downstream API requires authentication through OAuth but I would like to manage the user auth flow through Apigee. Do you know if through a Lua filter/script if I could codify the OAuth flow on the API, while having users manually OAuth through the Apigee Adapter.

I saw the OAuth filter but looks like that requires redirection and manual intervention. Specifically, I am looking for the client credentials grant type.

For that matter, there may be other downstream APIs that have their own authentication flow. Any thoughts on how we could achieve this with the adapter or if we would be better off using an Apigee proxy? I suspect most of the APIs will be protected with their own auth methods.

Thank you

codemiester

Hey Dino. This may be bit of a silly question. But is there any merit to fronting the Envoy Proxy with an Apigee Proxy?

One of the downsides to using this approach is we would loose some of the benefits Apigee provides, such as Pre/Post, shared flows and policies etc.

Also, this requires Envoy to be exposed as an Ingress service for every backend used. Nice thing about using Apigee natively is having a single entry point for all hosts. Makes it easier to manage configuration changes. Obviously, if you’re using K8s with a mesh and ingress controller this is mitigated. But just looking for some insight, if there is an approach that could give the best of both worlds. I think it does defeat a bit of the purpose of using the Adapter but could provide some upside. For example, if mTLS isn’t easy to implement the envoy proxy can still run as a side car on the same host as the backend, while it’s much easier to configure Envoy/Apigee with mTLS, appose to building it within the app itself.

Finally, for Enterprise, do we still get all the same benefits of monetization and the developer portal features.

Thanks so much.

codemiester

does the apigee adapter for envoy work for both apigee edge and apigee X ?

naijithgopal

I am having issues while using envoy as forward proxy, any help is highly appreciated

manvig