let me see if I can get someone to reply here

Thanks. I tried following https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/Controlling-Apigee-X-s-Internet-Egres...(option A)

Instead of a mock firewall application, I route to a VM with Nginx deployed on it. I confirmed that curl requests from the VM to the AWS backends succeed so the VPN works as intended. However, requests from Apigee to the same backend fail with "503 ServiceUnavailable" errors. 

Is it possible to confirm Apigee is attempting to route requests through the VM? Maybe via trace route?

Also, I exported both of these routes to servicenetworking-googleapis-com as per the article. Wouldn't the first one take priority or does Apigee ignore it?

default-route, static, 0.0.0.0/0, priority 1000, next hop = default internet gateway

internet-via-rp, static, 0.0.0.0/0, priority 1001, next hop = reverse-proxy-vm

So even requests to https://mocktarget.apigee.net/ fail with the 503 ServiceUnavilable error if VPC service controls are enabled. I think the issue might be with exporting the routes to Apigee or the VM itself. The VM allows traffic from the public internet via HTTPS.