Load Balancing Target Endpoints with different Auth

In Apigee Edge, I have created a proxy with two target endpoints.
https://lambda.us-west-2.amazonaws.com & https://lambda.us-east-1.amazonaws.com
I've done all the AWS SigV4 signing stuff and successfully created RouteRules to target them individually.

Now that I've gotten that far, I would like to go down to a single RouteRule that implements Apigee load balancing capabilities for failing over to my backup region. Unfortunately, I need to build the authentication differently for each target. Specifically, change the AWS "region" in the SigV4 signing process. By the time the load balancer chooses the target, it is too late to modify the request.

Any ideas on a solution for this?

Thanks!

@kwright0 😉

Solved
1 ACCEPTED SOLUTION

By the time the load balancer chooses the target, it is too late to modify the request.

I understand the question. There is no "hook" in Apigee that allows you to execute steps AFTER the choice of the target, but BEFORE the message is sent to the target.

The only solution I can think of is... to configure a proxy within Apigee that corresponds to the upstream.  Basically your first proxy will "load balance" across 2 other Apigee proxies, one for lambda in us-west-2, and the other for lambda in us-east-1. And then in that second layer of proxy, you can do the right thing for signing, because the target is always the same. 

After I wrote the above, I thought "really, AWS should provide a way to solve this for multi-region deployments", so I googled for it, and found that there is a new signature version, called v4a, which allows multi-region access points. But

  • I couldn't find a specific description of how v4a works.  The only doc I found says "it works like v4, but for multi-region."  😐
  • There is mention of support for v4a in the AWS documentation, but only for S3, not Lambda
  • I couldn't find an implementation that tests against Lambda
  • or any test vectors

So, unless you can figure out how to use v4a with MRAP against lambda, then.... I think the 2-layer proxy approach is your option. 

Good luck. Please post back if you find more on v4a + lambda.


2 REPLIES


@dchiesa1,
I had a similar thought. Does this visualize the solution you're proposing?
DennisB1_0-1706130940363.png

Thank you for your feedback. I will do more research on v4a and if I discover anything more elegant, I will post back.

Thanks again,

Dennis