Getting started with API Gateway and App EngineThis page shows you how to set up API Gateway to manage and secure an App Engine backend service.
Use the following task list as you work through the tutorial. All tasks are required to deploy an API Gateway for your App Engine backend service.
- Create or select a Google Cloud project.
- If you haven't deployed your own App Engine, deploy a sample app. See Before you begin.
- Enable the required API Gateway services.
- Configure IAP to secure your app. See Configure IAP.
- Create an OpenAPI spec that describes your API, and configure the routes to your App Engine. See Creating an API config.
- Deploy an API Gateway using your API config. See Deploying an API Gateway.
- Track activity to your apps. See Tracking API activity.
- Avoid incurring charges to your Google Cloud account. See Clean up.
Before you begin
In the console, go to the Dashboard page and select or create a Google Cloud project.
Make sure that billing is enabled for your project.
Make a note of the project ID you want to use for this tutorial. On the rest of this page, this project ID is referred to as PROJECT_ID.
Download and install the Google Cloud CLI.
gcloud components update
Set the default project. Replace PROJECT_ID with your Google Cloud project ID
gcloud config set project PROJECT_ID
If you haven't deployed your own App Engine app, follow the steps in the App Engine Quickstart for your language to use the Google Cloud CLI to select or create a Google Cloud project and deploy a sample app. Make a note of the app URL, as well as the region and project ID where your app is deployed.
Enabling required services
API Gateway requires that you enable the following Google services:
||API Gateway API|
||Service Management API|
||Service Control API|
To confirm that the required services are enabled:
gcloud services list
If you do not see the required services listed, enable them:
gcloud services enable apigateway.googleapis.com
gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com
For more information about the
gcloud services, see
Configuring IAP to secure your app
In order to secure your App Engine app, you must use the Identity Aware Proxy (IAP) to ensure that requests are authenticated.
Follow the steps to Enable IAP, and ensure that you are able to sign in to your application.
Creating an API config
Before API Gateway can be used to manage traffic to your deployed App Engine backend, it needs an API config.
You can create an API config using an OpenAPI spec that contains specialized annotations to define the desired API Gateway behavior. You will need to add a Google-specific field that contains the URL for each App Engine app so that API Gateway has the information it needs to invoke an app.
- Create a text file called
openapi2-appengine.yaml. (For convenience, this page refers to the OpenAPI spec by that file name, but you can name it something else if you prefer.)
- List each of your apps in the
pathssection of the
openapi2-appengine.yamlfile, as shown below:
# openapi2-appengine.yaml swagger: '2.0' info: title: API_ID optional-string description: Sample API on API Gateway with an App Engine backend version: 1.0.0 schemes: - https produces: - application/json paths: /hello: get: summary: Greet a user operationId: hello x-google-backend: address: APP_URL jwt_audience: IAP_CLIENT_ID responses: '200': description: A successful response schema: type: string
- In the
titlefield, replace API_ID with the name of your API and replace optional-string with a brief description of your choosing. If your API does not already exist, the command to create the API Config will also create the API with the name you specify. The value of the
titlefield is used when minting API keys that grant access to this API. See API ID requirements for API naming guidelines.
- In the
addressfield in the
x-google-backendsection, replace APP_URL with the actual URL of your App Engine service (the full path of the called API). For example,
Replace IAP_CLIENT_ID with the OAuth Client ID you created when you set up IAP.
- Enter the following command, where:
- CONFIG_ID specifies the name of your API config.
- API_ID specifies the name of your API. If the API does not already exist then this command creates it.
- PROJECT_ID specifies the name of your Google Cloud project.
- SERVICE_ACCOUNT_EMAIL specifies the service account used to sign tokens for backends with authentication configured.
gcloud api-gateway api-configs create CONFIG_ID \ --api=API_ID --openapi-spec=openapi2-appengine.yaml \ --project=PROJECT_ID --backend-auth-service-account=SERVICE_ACCOUNT_EMAIL
This operation may take several minutes to complete as the API config is propagated to downstream systems. Creation of a complex API config could take up to ten minutes to complete successfully.
- After the API config is created, you can view its details by running this command:
gcloud api-gateway api-configs describe CONFIG_ID \ --api=API_ID --project=PROJECT_ID
Deploying an API Gateway
Now you can deploy your API on API Gateway. Deploying an API on API Gateway also defines an external URL that API clients can use to access your API.
Run the following command to deploy the API config you just created to API Gateway:
gcloud api-gateway gateways create GATEWAY_ID \ --api=API_ID --api-config=CONFIG_ID \ --location=GCP_REGION --project=PROJECT_ID
- GATEWAY_ID specifies the name of the gateway.
- API_ID specifies the name of the API Gateway API associated with this gateway.
- CONFIG_ID specifies the name of the API config deployed to the gateway.
GCP_REGION is the Google Cloud region for the deployed gateway.
PROJECT_ID specifies the name of your Google Cloud project.
On successful completion, you can use the following command to view details about the gateway:
gcloud api-gateway gateways describe GATEWAY_ID \ --location=GCP_REGION --project=PROJECT_ID
Note the value of the
defaultHostname property in the output of this command. This is the hostname portion of the gateway URL you use to test your deployment in the next step.
Testing your API deployment
Now you can send requests to your API using the URL generated upon deployment of your gateway.
Enter the following
curl command, where:
- DEFAULT_HOSTNAME specifies the hostname portion of your deployed gateway URL. The value of
defaultHostnamecan be found in the output of the
gateways describecommand shown above.
hellois the path specified in your API config.
You should see the following output:
My-AppEngineApp: Access denied for user gateway-1a2b3c@04d5e6f35FgdsT73dFrty-tp.iam.gserviceaccount.com requesting https://my-project.appspot.com/helloGET. If you should have access, contact email@example.com and include the full text of this message.
Success! Your API Gateway is managing access to your App Engine backend service. To grant access to your App Engine app, you will need to configure a service account with the correct permissions for your API Gateway.
Tracking API activity
View the activity graphs for your API on the API Gateway page in the console. Click on your API to view its activity graphs on the Overview page. It may take a few moments for the requests to be reflected in the graphs.
Look at the request logs for your API on the Logs Explorer page. A link to the Logs Explorer page can be found on the API Gateway page in the console.
- Select the API to view.
- Click the Details tab.
- Click the link under Logs.
To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, you can:
Alternatively, you can also delete the Google Cloud project used for this tutorial.