In this step, you can choose to expose your new Apigee instance to
external requests or keep it private (and only allow requests from within the
firewall).
How you access the API proxy depends on whether you allow external
requests or restrict access to internal requests only.
Access Type
Description of the configuration and deployment process
No internet access
Allow only internal access to your API proxy.
You can download the Hello World proxy from GitHub
and then deploy it to your Apigee
instance. You must then create a new VM inside the network and
connect to it. From the new VM, you can send a request to the
API proxy.
Enable internet access
Allow external access to your API proxy.
Apigee deploys a Hello World proxy to your
Apigee instance. You can then send a request to the API
proxy from your administration machine or any network-enabled
machine, whether it is within or outside the firewall.
Each of these approaches is presented on a tab in the instructions below.
Perform the step
Select External Access or Internal Access:
External Access
This section describes how to configure routing from the
Google Cloud console when you want to allow
external access to your API proxy.
Permissions required for this task
You can give the Apigee provisioner a predefined role
that includes the permissions needed to complete this task,
or give more fine-grained permissions to provide the least
privilege necessary. See
Predefined roles
and
Access routing permissions.
To configure routing for external access in the Google Cloud console:
Click createEdit to open the
Configure access panel.
Select Enable internet access.
Choose one of the following options in the Domain Type
section:
Automatically managed domain, subnetwork and SSL
certificates: Choose this option
to use the nip.io wildcard DNS service, and a
Google-managed certificate to secure your domain.
Apigee automatically creates an L7 global external
load balancer to forward traffic to your runtime.
Customize: Choose this option if you want to
customize your domain name, SSL certificate, or
subnetwork. Apigee automatically creates an L7
global external load balancer to forward traffic to your
runtime.
You can select or clear any of the following options to
enter custom details:
Domain: Optional. Enter the custom domain name.
Network: Optional. Select an available network
name from the dropdown menu.
Subnetwork: Optional. Select an available
subnetwork name from the dropdown menu. The subnetwork
selected should be in the same region as the runtime instance.
SSL Certificate: Optional. Select an existing
self-managed certificate or provide a new self-managed
certificate.
To select an existing certificate:
Select an existing certificate from the drop-down
list. If there is no certificate in the list, click
Add new.
Browse the file system and select the certificate
you wish to use.
Click Save SSL.
To provide a new certificate:
Click in the Select certificate drop-down list.
Click Add new.
In the respective fields, browse your file system
and attach the files containing the certificate and private key.
Both should be PEM-formatted.
Click Save SSL.
Click Set access.
Apigee prepares your instance for external access.
This includes creating firewall
rules, uploading certificates, and creating a load balancer.
This process can take several minutes.
Internal Access
This section describes how to configure routing when you're using
the Google Cloud console and you do not want to allow external
access to your API proxy.
Instead, you want to limit access to internal requests only
that originate from within the VPC.
To configure routing for internal access in the Google Cloud console:
Click createEdit to open the
Configure access panel.
Select No internet access.
Click Set access.
Click Next.
Click Submit to begin the provisioning process.
The provisioning process may take up to 40 minutes to complete. If you
want to leave the page while provisioning is in progress, a notification
will appear in notificationsNotifications in the Google Cloud console when the operation completes.
Once provisioning is complete, the Apigee Overview page will
appear and you can begin exploring Apigee!
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis content pertains to Apigee, excluding Apigee hybrid, and provides guidance on configuring API proxy access.\u003c/p\u003e\n"],["\u003cp\u003eYou can choose to allow external access to your Apigee instance, which simplifies the process of deploying and testing an API proxy, or restrict access to internal requests only.\u003c/p\u003e\n"],["\u003cp\u003eEnabling internet access for your API proxy involves configuring routing in the Google Cloud console, and you can use an automatically managed domain or customize the domain, network, and SSL certificate.\u003c/p\u003e\n"],["\u003cp\u003eRestricting access to internal requests only also requires configuration through the Google Cloud console, where you select the "No internet access" option, and this setup limits the API proxy to requests originating from within the VPC.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring your instance for external access involves tasks such as creating firewall rules, uploading certificates, and setting up a load balancer, which may take several minutes to complete.\u003c/p\u003e\n"]]],[],null,["*This page\napplies to **Apigee** , but not to **Apigee hybrid**.*\n\n\n*View [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation.*\n\nWhat you're doing in this step\n\nIn this step, you can choose to expose your new Apigee instance to\nexternal requests or keep it private (and only allow requests from within the\nfirewall).\n| **Tip:** There are fewer steps required to deploy and test a proxy if you choose **external**. If you are following these steps for testing purposes, choose that path.\n\nHow you access the API proxy depends on whether you allow external\nrequests or restrict access to internal requests only.\n\n| Access Type | Description of the configuration and deployment process |\n|------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| No internet access | Allow only internal access to your API proxy. You can download the `Hello World` proxy from GitHub and then deploy it to your Apigee instance. You must then create a new VM inside the network and connect to it. From the new VM, you can send a request to the API proxy. |\n| Enable internet access | Allow external access to your API proxy. | **Note:** Apigee recommends using this approach. Apigee deploys a `Hello World` proxy to your Apigee instance. You can then send a request to the API proxy from your administration machine or any network-enabled machine, whether it is within or outside the firewall. |\n\nEach of these approaches is presented on a tab in the instructions below.\n\nPerform the step\n\n1. Select **External Access** or **Internal Access**: \n\nExternal Access\n\nThis section describes how to configure routing from the\nGoogle Cloud console when you want to allow\n*external* access to your API proxy.\n\nPermissions required for this task\n\nYou can give the Apigee provisioner a predefined role\nthat includes the permissions needed to complete this task,\nor give more fine-grained permissions to provide the least\nprivilege necessary. See\n[Predefined roles](/apigee/docs/api-platform/get-started/permissions#predefined-roles)\nand [Access routing permissions](/apigee/docs/api-platform/get-started/permissions#access-routing-permissions).\n\n**To configure routing for external access in the Google Cloud console**:\n\n1. Click create**Edit** to open the **Configure access** panel.\n2. Select **Enable internet access** .\n\n Choose one of the following options in the **Domain Type**\n section:\n - **Automatically managed domain, subnetwork and SSL\n certificates** : Choose this option to use the `nip.io` wildcard DNS service, and a Google-managed certificate to secure your domain. Apigee automatically creates an L7 global external load balancer to forward traffic to your runtime.\n - **Customize** : Choose this option if you want to customize your domain name, SSL certificate, or subnetwork. Apigee automatically creates an L7 global external load balancer to forward traffic to your runtime. You can select or clear any of the following options to enter custom details:\n - **Domain**: Optional. Enter the custom domain name.\n - **Network**: Optional. Select an available network name from the dropdown menu.\n - **Subnetwork**: Optional. Select an available subnetwork name from the dropdown menu. The subnetwork selected should be in the same region as the runtime instance.\n - **SSL Certificate** : Optional. Select an existing self-managed certificate or provide a new self-managed certificate.\n\n To select an existing certificate:\n 1. Select an existing certificate from the drop-down list. If there is no certificate in the list, click **Add new**.\n 2. Browse the file system and select the certificate you wish to use.\n 3. Click **Save SSL**.\n\n To provide a new certificate:\n 1. Click in the **Select certificate** drop-down list.\n 2. Click **Add new**.\n 3. In the respective fields, browse your file system and attach the files containing the certificate and private key. Both should be PEM-formatted.\n 4. Click **Save SSL**.\n3. Click **Set access** .\n\n Apigee prepares your instance for external access.\n This includes creating firewall\n rules, uploading certificates, and creating a load balancer.\n\n This process can take several minutes.\n\nInternal Access\n\nThis section describes how to configure routing when you're using\nthe Google Cloud console and you *do not* want to allow external\naccess to your API proxy.\nInstead, you want to limit access to *internal* requests only\nthat originate from within the VPC.\n\n**To configure routing for internal access in the Google Cloud console:**\n\n1. Click create**Edit** to open the **Configure access** panel.\n2. Select **No internet access**.\n\n3. Click **Set access**.\n2. Click **Next**.\n3. Click **Submit** to begin the provisioning process.\n\n The provisioning process may take up to 40 minutes to complete. If you\n want to leave the page while provisioning is in progress, a notification\n will appear in notifications\n **Notifications** in the Google Cloud console when the operation completes.\n\n Once provisioning is complete, the **Apigee Overview** page will\n appear and you can begin exploring Apigee!"]]
