There are many connectivity options available in or offered by Google Cloud Platform (GCP) and Amazon Web Services (AWS). These options include 2-way TLS, VPNs, VPC peering, Cloud Interconnect / DirectConnect, and others. It is important to choose the right model for the right situation.
For connecting Apigee Edge public cloud to customer backend data centers that serve APIs, Apigee recommends 2-way TLS. Apigee's experience has shown consistent success securing API traffic with TLS, and difficulties with every other method, including VPNs.
TLS is the most scalable solution for customers (vertically), as both Apigee and customers can add and remove resources from the connection pool without needing to change or coordinate settings on either side. TLS is also more scalable horizontally for the thousands of customers Apigee supports.
2-way TLS allows Apigee to dynamically grow and modify the environments while automatically maintaining a secure and authenticated connection to customer services without the need for manual intervention or the need to pre-approve large blocks of IP addresses to be available as the services grow or change.
While a VPN authenticates that the traffic came from a network and is going to a specific network, 2-way TLS can authenticate that the data is flowing from a specific system (or set of systems) to a specific system (or set of systems). Put another way, 2-way TLS authenticates both the service sending and the service receiving. TLS is considered more secure for the service-to-service connectivity between Apigee Edge and customer data centers. Trying to manage VPN connections based on IP addresses is not realistic or scalable.
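The distinction drawn above, that each end of a 2-way TLS connection authenticates the other's certificate rather than the network it came from, can be shown with a small Go program. The code below is an added example and is not Apigee's or Google's code; the CA and host names (backend-ca, gateway-ca, unrelated-ca, gateway-node-01, api.backend.example) and the certificates it issues are constructed for the demo. The backend admits any client whose certificate chains to the gateway CA, so a new gateway node needs no allow-list change, while a client with no certificate, or one from an unrelated CA that presents the same name, is dropped at the handshake.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error to keep the demo short; production code would return the error instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// identity is a certificate plus its private key; every name in this demo is constructed.
type identity struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// newIdentity issues a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func newIdentity(cn string, parent *identity) identity {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand itself fails
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		DNSNames:              []string{"localhost"}, // the name a client verifies the server against
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey))
	return identity{cert: must(x509.ParseCertificate(der)), key: key}
}

// startBackend serves 2-way TLS as serverID, admits only clients whose certificate chains to clientCA, and echoes each admitted client's CN.
func startBackend(serverID, clientCA identity) (addr string, stop func() error) {
	trusted := x509.NewCertPool()
	trusted.AddCert(clientCA.cert)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{serverID.cert.Raw}, PrivateKey: serverID.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "2-way" in 2-way TLS
		ClientCAs:    trusted,
	}))
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // fails for a missing or untrusted client certificate
				fmt.Fprint(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			tc.Close()
		}
	}()
	return ln.Addr().String(), ln.Close
}

// probe connects trusting serverCA and presenting clientID (nil = no client certificate).
func probe(addr string, serverCA identity, clientID *identity) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(serverCA.cert)
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost"}
	if clientID != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{clientID.cert.Raw}, PrivateKey: clientID.key}}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 128)
	n, err := conn.Read(buf) // under TLS 1.3 a rejected client cert surfaces here, not in Dial
	return string(buf[:n]), err
}

// demo returns the CN seen for the trusted gateway node and whether the no-certificate and unrelated-CA clients were both rejected.
func demo() (string, bool, bool) {
	backendCA, gatewayCA, otherCA := newIdentity("backend-ca", nil), newIdentity("gateway-ca", nil), newIdentity("unrelated-ca", nil)
	gateway, stranger := newIdentity("gateway-node-01", &gatewayCA), newIdentity("gateway-node-01", &otherCA)
	addr, stop := startBackend(newIdentity("api.backend.example", &backendCA), gatewayCA)
	defer stop()
	seenCN := must(probe(addr, backendCA, &gateway))
	_, noCertErr := probe(addr, backendCA, nil)
	_, wrongCAErr := probe(addr, backendCA, &stranger) // same name as the gateway, wrong trust anchor
	return seenCN, noCertErr != nil, wrongCAErr != nil
}
```

The two halves of the mutual authentication are visible in the configs: `RootCAs` plus `ServerName` on the client verifies the backend, and `ClientCAs` plus `RequireAndVerifyClientCert` on the backend verifies the gateway; removing either side reduces the connection to one-way TLS. Trust is anchored in a CA per side rather than in IP addresses, which is why the gateway fleet can grow without the backend's configuration changing.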
VPC Peering, Cloud Interconnect, and DirectConnect are not offered by Apigee. These services are valuable tools for connecting services but do not fit properly into or work well with the Apigee Edge multi-tenant and multi-cloud environment.