VMware Apigee hybrid

This repository contains code to set up Apigee hybrid on VMware without internet access for cluster VMs.

It's based on the official tutorial available here Apigee hybrid.

Deployment Details

VMware ESXi 7.0 U1+
VMware vCenter Server 7.0 U1+
Anthos clusters on VMware 1.10
- gkeadm 1.10.3-gke.49
- gkectl 1.10.3-gke.49 (git-b074b66a3)
Anthos Service Mesh 1.13.x
- asmcli 1.13.4-asm.4+config2
Apigee Hybrid 1.7.2

Network diagram

Subnets

Name	VLAN ID	CIDR	Purpose
Main	1	`10.0.0.0/24`	Workstation, pfSense, ESXi, vCenter
Admin subnet	25	`10.25.0.0/24`	Anthos admin workstation + admin cluster
User subnet	26	`10.26.0.0/24`	Anthos user cluster (apigee hybrid runtime)

Static IPs and VIPs

Name	Segment	Value
ESXi	Main	`10.0.0.10`
vCenter	Main	`10.0.0.11`
Google DNS	Main	`10.0.0.20`
NTP (pfSense)	Main	`10.0.0.1`
Admin control plane VIP	Admin subnet	`10.25.0.50`
User control plane VIP	Admin subnet	`10.25.0.51`
User anthos ingress VIP	User subnet	`10.26.0.50`
User apigee ingress VIP	User subnet	`10.26.0.51`

Load Balancing

Configure load balancing with HAProxy on pfSense & VIPs:

Name	VIP	Frontend Port	Server Pool	Server Port
gke-admin-cluster-cp	`10.25.0.50`	443	gke-admin{1-3}	30968
gke-user-cluster-cp	`10.25.0.51`	443	gke-admin{4}	30562
gke-user-cluster-konnectivity	`10.25.0.51`	8132	gke-admin{4}	30563
gke-user-cluster-anthos-ingress	`10.26.0.50`	80, 443	gke-user{1-6}	30243, 30879
gke-user-cluster-apigee-ingress	`10.26.0.51`	443	gke-user{1-6}	30397

Firewall Admin Subnet `10.25.0.0/24` - Admin WS / Admin cluster

Protocol	Source	Source Port	Destination	Dest Port	Description
IPv4 UDP	`10.25.0.0/24`	*	NTP	123	Allow NTP
IPv4 TCP/UDP	`10.25.0.0/24`	*	DNS	53	Allow DNS to Google-DNS
IPv4 TCP	`10.25.0.0/24`	*	vCenter/ESXi IPs	443	Allow to vCenter/ESXi
IPv4 TCP	`10.25.0.0/24`	*	`199.36.153.8/30`	443	Allow HTTPS to Private Google APIs
IPv4 TCP	`10.25.0.0/24`	*	Control plane VIPs	443	Allow HTTPS to VIPs
IPv4 ICMP	`10.25.0.2`	*	`10.26.0.0/24`	*	Allow Admin WS ICMP to user subnet
IPv4 TCP	`10.25.0.2`	*	`10.26.0.0/24`	22	Allow Admin WS SSH to user subnet
IPv4 TCP	`10.25.0.2`	*	`10.26.0.0/24`	443	Allow Admin WS HTTPS to user subnet

Firewall User Subnet `10.26.0.0/24` - Apigee runtime

Protocol	Source	Source Port	Destination	Dest Port	Description
IPv4 UDP	`10.26.0.0/24`	*	NTP IP	123	Allow NTP
IPv4 TCP/UDP	`10.26.0.0/24`	*	DNS IPs	53	Allow DNS to Priv-Google-DNS
IPv4 TCP	`10.26.0.0/24`	*	`199.36.153.8/30`	443	Allow HTTPS to Private Google APIs
IPv4 TCP	`10.26.0.0/24`	*	`10.25.0.51`	443	Allow HTTPS to User cluster CP VIP
IPv4 TCP	`10.26.0.0/24`	*	`10.25.0.51`	8132	Allow Konnectivity to User cluster CP VIP

Steps

GCP Tunnel
Anthos admin workstation
Anthos clusters
Apigee ASM
Apigee Hybrid

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

VMware Apigee hybrid

Deployment Details

Network diagram

Subnets

Static IPs and VIPs

Load Balancing

Firewall Admin Subnet `10.25.0.0/24` - Admin WS / Admin cluster

Firewall User Subnet `10.26.0.0/24` - Apigee runtime

Steps

Files

README.md

Latest commit

History

README.md

File metadata and controls

VMware Apigee hybrid

Deployment Details

Network diagram

Subnets

Static IPs and VIPs

Load Balancing

Firewall Admin Subnet 10.25.0.0/24 - Admin WS / Admin cluster

Firewall User Subnet 10.26.0.0/24 - Apigee runtime

Steps

Firewall Admin Subnet `10.25.0.0/24` - Admin WS / Admin cluster

Firewall User Subnet `10.26.0.0/24` - Apigee runtime