In Apigee Edge, I have created a proxy with two target endpoints.
https://lambda.us-west-2.amazonaws.com & https://lambda.us-east-1.amazonaws.com
I've done all the AWS SigV4 signing stuff and successfully created RouteRules to target them individually.
Now that I've gotten that far, I would like to go down to a single RouteRule that implements Apigee load balancing capabilities for failing over to my backup region. Unfortunately, I need to build the authentication differently for each target. Specifically, change the AWS "region" in the SigV4 signing process. By the time the load balancer chooses the target, it is too late to modify the request.
Any ideas on a solution for this?
Thanks!
@kwright0 😉
By the time the load balancer chooses the target, it is too late to modify the request.
I understand the question. There is no "hook" in Apigee that allows you to execute steps AFTER the choice of the target, but BEFORE the message is sent to the target.
The only solution I can think of is... to configure a proxy within Apigee that corresponds to the upstream. Basically your first proxy will "load balance" across 2 other Apigee proxies, one for lambda in us-west-2, and the other for lambda in us-east-1. And then in that second layer of proxy, you can do the right thing for signing, because the target is always the same.
After I wrote the above, I thought "really, AWS should provide a way to solve this for multi-region deployments", so I googled for it, and found that there is a new signature version, called v4a, which allows multi-region access points. But
So, unless you can figure out how to use v4a with MRAP against lambda, then.... I think the 2-layer proxy approach is your option.
Good luck. Please post back if you find more on v4a + lambda.
@dchiesa1,
I had a similar thought. Does this visualize the solution you're proposing?
Thank you for your feedback. I will do more research on v4a, and if I discover anything more elegant, I will post back.
Thanks again,
Dennis