Setting Up Private Ingress (Internal APIs)
This guide walks you through setting up a PrivateIngress — an internal-only load-balanced entry point for cross-project service communication within your organization's Shared VPC.
Unlike PublicIngress (which exposes services to the internet), PrivateIngress keeps traffic entirely within the private network. This is used for internal APIs, microservice-to-microservice communication, and secure backend integrations via the Hub-and-Spoke network model.
Prerequisites
- You must have at least one `Application` deployed in the target project.
- You must have `HttpRoute` manifests to route traffic to your applications.
- You need to know which other projects need to access this internal API.
Step 1: Define Your PrivateIngress Manifest
Create a YAML file for your private ingress:
```yaml
apiVersion: lowops.manifests.v1
kind: PrivateIngress
metadata:
  name: internal-api-gateway
  project: payment-gateway
  environment: production
  organizational-unit: retail-banking
  organization: fincorp
spec:
  description: "Internal L7 gateway for payment APIs"
  region: us-central1
  authorizedProjects:
    - name: order-service
      environment: production
      organizationalUnit: retail-banking
    - name: analytics-platform
      environment: production
      organizationalUnit: data-engineering
  config:
    timeoutSec: 30
    connectionDrainingTimeoutSec: 60
    loadBalancing:
      balancingMode: RATE
      maxRate: 1000
```
Key fields:
- `region`: The GCP region where the ingress gateway's compute resources will be deployed.
- `authorizedProjects`: A list of projects that are granted network-level access to this ingress via the Hub-and-Spoke VPC topology. Each entry must specify the `name`, `environment`, and `organizationalUnit` to uniquely identify the project.
- `config.loadBalancing`: Fine-tune the load balancing behavior (mode, rate limits, connection limits).
- `authorizationDatabase`: (Optional) Name of a `Database` manifest for storing authorization policies.
Step 2: Create HTTP Routes
Define how incoming requests are routed to your applications using HttpRoute manifests:
```yaml
apiVersion: lowops.manifests.v1
kind: HttpRoute
metadata:
  name: payments-api-route
  project: payment-gateway
  environment: production
  organizational-unit: retail-banking
  organization: fincorp
spec:
  hostnames:
    - "payments.internal.fincorp.com"
  privateIngress: internal-api-gateway # References the PrivateIngress
  rules:
    - matches:
        - path:
            type: PREFIX
            value: /api/v1/payments
      action:
        destinations:
          - name: payment-api # Name of the Application manifest
            port: 8080
```
Tip: You can define multiple `HttpRoute` manifests to route different paths or hostnames to different applications, all through the same `PrivateIngress`.
Step 3: Commit, Review, and Merge
Commit the PrivateIngress and HttpRoute manifests in a pull request.
After merge, the platform will:
- Provision an internal L7 HTTPS load balancer with TLS termination.
- Configure backend services for each routed application.
- Create VPC peering/spoke connectivity so that the authorized projects can reach the gateway.
- Set up health checks and connection draining policies.
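Before opening the pull request in Step 3, it helps to lint the two manifests together. The following is an added example, not lowops platform code: a small Python check that verifies every `authorizedProjects` entry carries the three identifying fields, that no project is granted twice or from a different environment than the ingress, and that each `HttpRoute` binds to this PrivateIngress in the same project with a valid destination port. The manifest dicts are the parsed form of the YAML above; the cross-environment rule is an assumed policy, not one the page states.

```python
"""Hypothetical pre-merge linter for the manifests in this guide (not part of
the lowops platform). INGRESS and ROUTE are the parsed form of the Step 1 and
Step 2 YAML; a real check would load the files with a YAML parser instead."""

REQUIRED_PROJECT_KEYS = {"name", "environment", "organizationalUnit"}

INGRESS = {"kind": "PrivateIngress",
           "metadata": {"name": "internal-api-gateway", "project": "payment-gateway",
                        "environment": "production"},
           "spec": {"region": "us-central1", "authorizedProjects": [
               {"name": "order-service", "environment": "production",
                "organizationalUnit": "retail-banking"},
               {"name": "analytics-platform", "environment": "production",
                "organizationalUnit": "data-engineering"}]}}

ROUTE = {"kind": "HttpRoute",
         "metadata": {"name": "payments-api-route", "project": "payment-gateway"},
         "spec": {"hostnames": ["payments.internal.fincorp.com"],
                  "privateIngress": "internal-api-gateway",
                  "rules": [{"matches": [{"path": {"type": "PREFIX", "value": "/api/v1/payments"}}],
                             "action": {"destinations": [{"name": "payment-api", "port": 8080}]}}]}}

def lint(ingress: dict, routes: list) -> list:
    """Return human-readable problems; an empty list means the PR can merge."""
    problems, meta, spec = [], ingress["metadata"], ingress["spec"]
    if not spec.get("region"):
        problems.append("spec.region is required")
    seen = set()
    for i, proj in enumerate(spec.get("authorizedProjects", [])):
        missing = REQUIRED_PROJECT_KEYS - set(proj)
        if missing:  # name + environment + OU is what identifies a project
            problems.append(f"authorizedProjects[{i}] missing {sorted(missing)}")
            continue
        key = tuple(proj[k] for k in sorted(REQUIRED_PROJECT_KEYS))
        if key in seen:  # a duplicate grant is usually a copy-paste slip
            problems.append(f"authorizedProjects[{i}] duplicates {key}")
        seen.add(key)
        if proj["environment"] != meta["environment"]:  # assumed policy:
            problems.append(f"authorizedProjects[{i}] is {proj['environment']}, "
                            f"ingress is {meta['environment']}")  # no cross-env grants
    for r in routes:  # every route must bind to this ingress, in this project
        rm, rs = r["metadata"], r["spec"]
        if rs.get("privateIngress") != meta["name"] or rm.get("project") != meta["project"]:
            problems.append(f"route {rm.get('name')} does not bind to {meta['name']}")
        for rule in rs.get("rules", []):
            for d in rule.get("action", {}).get("destinations", []):
                if not (isinstance(d.get("port"), int) and 1 <= d["port"] <= 65535):
                    problems.append(f"route {rm.get('name')}: bad port {d.get('port')!r}")
    return problems
```

Run it as a CI step over the manifests in the PR and fail the check when `lint` returns anything; the page's own two manifests pass cleanly.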