Edge network design and firewalls

Apigee Edge is built in the cloud using a multi-tiered network design. The network is designed to expose only the required services and instances to the Internet and keep all other services internal to the virtual private cloud. It is an evolution of the three-tier DMZ design used in traditional datacenters. By default, new instances do not have access to the Internet, ingress or egress. Specific actions must be taken to even allow an instance to communicate with or over the Internet.

All instances are also protected by the cloud equivalent of firewalls. These are commonly called "security groups." Apigee uses instance-based security groups that treat each instance like an island with very specific ingress and egress access required to be explicitly allowed. Apigee uses a continuous monitoring and enforcement tool on our security group configurations along with an event monitoring system for security group changes. One tool is responsible to continuously evaluate all security groups for deviation from the defined standard. Any unauthorized change is automatically reverted. Another tool is used to monitor and record all actions taken by administrators in Edge. This record is also evaluated for any changes to security groups and alerts sent whenever a change is detected.

All authorized changes done through the proper process are tracked, logged, and reported for correlation with change control approvals.

Frequently asked questions

Following are network-related frequently asked questions.

What is the Google Cloud Platform (GCP) DNS topology?

Apigee is a multi-cloud service, we use both GCP Cloud DNS and Amazon Web Services (AWS) Route53 DNS service for our external authoritative zones.

Do the Apigee DNS servers do non-authoritative lookups?

Apigee also has internally hosted DNS servers for our internal/private zones, as well as resolvers for non-authoritative lookups.

Is GCP DNS blended across regions?

GCP Cloud DNS is across regions and uses our global network of Anycast name servers to serve the zones from redundant locations around the world, providing high availability and lower latency.

Is Anycast used, and if so is Anycast defined by region or is a single Anycast used across all regions?

Multiple Anycast IPs are used for redundancy, and each is used across all regions.

How do I use a domain name other than the default {org}-{env}.apigee.net?

See this Apigee Community article or About virtual hosts in the Apigee documentation.