Getting started with API Gateway and Cloud Run
This page shows you how to set up API Gateway to manage and secure a Cloud Run backend service.
Task List
Use the following task list as you work through the tutorial. All tasks are required to deploy an API Gateway for your Cloud Run backend service.
- Create or select a Google Cloud project.
- If you haven't deployed your own Cloud Run, deploy a sample service. See step 7 in Before you begin.
- Enable the required API Gateway services.
- Create an OpenAPI spec that describes your API, and configure the routes to your Cloud Run backend service. See Creating an API config.
- Deploy an API Gateway using your API config. See Deploying an API Gateway.
- Track activity to your services. See Tracking API activity.
- Avoid incurring charges to your Google Cloud account. See Clean up.
Before you begin
In the Google Cloud console, go to the Dashboard page and select or create a Google Cloud project.
Make sure that billing is enabled for your project.
Make a note of the project ID you want to use for this tutorial. On the rest of this page, this project ID is referred to as PROJECT_ID.
Download and install the Google Cloud CLI.
Update
gcloud
components:gcloud components update
Set the default project. Replace PROJECT_ID with your Google Cloud project ID
gcloud config set project PROJECT_ID
If you haven't deployed your own Cloud Run service, follow the steps in Quickstart: Deploy a Prebuilt Sample Container to select or create a Google Cloud project and deploy a sample backend. Make a note of the app URL, as well as the region and project ID where your apps are deployed.
Enabling required services
API Gateway requires that you enable the following Google services:
Name | Title |
---|---|
apigateway.googleapis.com |
API Gateway API |
servicemanagement.googleapis.com |
Service Management API |
servicecontrol.googleapis.com |
Service Control API |
To confirm that the required services are enabled:
gcloud services list
If you do not see the required services listed, enable them:
gcloud services enable apigateway.googleapis.comgcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com
For more information about the gcloud
services, see
gcloud
services.
Creating an API config
Before API Gateway can be used to manage traffic to your deployed Cloud Run backend, it needs an API config.
You can create an API config using an OpenAPI spec that contains specialized annotations to define the desired API Gateway behavior. You will need to add a Google-specific field that contains the URL for each Cloud Run app so that API Gateway has the information it needs to invoke an app.
- Create a text file called
openapi2-run.yaml
. (For convenience, this page refers to the OpenAPI spec by that file name, but you can name it something else if you prefer.) - List each of your apps in the
paths
section of theopenapi2-run.yaml
file, as shown below:# openapi2-run.yaml swagger: '2.0' info: title: API_ID optional-string description: Sample API on API Gateway with a Cloud Run backend version: 1.0.0 schemes: - https produces: - application/json x-google-backend: address: APP_URL paths: /assets/{asset}: get: parameters: - in: path name: asset type: string required: true description: Name of the asset. summary: Assets operationId: getAsset responses: '200': description: A successful response schema: type: string /hello: get: summary: Cloud Run hello world operationId: hello responses: '200': description: A successful response schema: type: string
- In the
title
field, replace API_ID with the name of your API and replace optional-string with a brief description of your choosing. If your API does not already exist, the command to create the API Config will also create the API with the name you specify. The value of thetitle
field is used when minting API keys that grant access to this API. See API ID requirements for API naming guidelines. - In the
address
field in thex-google-backend
section, replace APP_URL with the actual URL of your Cloud Run service (the full path of the called API). For example:https://hello-abc1def2gh-uc.a.run.app
. - Enter the following command, where:
- CONFIG_ID specifies the name of your API config.
- API_ID specifies the name of your API. If the API does not already exist then this command creates it.
- PROJECT_ID specifies the name of your Google Cloud project.
- SERVICE_ACCOUNT_EMAIL specifies the service account used to sign tokens for backends with authentication configured. For more information, see Creating a service account.
gcloud api-gateway api-configs create CONFIG_ID \ --api=API_ID --openapi-spec=openapi2-run.yaml \ --project=PROJECT_ID --backend-auth-service-account=SERVICE_ACCOUNT_EMAIL
This operation may take several minutes to complete as the API config is propagated to downstream systems. Creation of a complex API config could take up to ten minutes to complete successfully.
- After the API config is created, you can view its details by running this command:
gcloud api-gateway api-configs describe CONFIG_ID \ --api=API_ID --project=PROJECT_ID
Deploying an API Gateway
Now you can deploy your API on API Gateway. Deploying an API on API Gateway also defines an external URL that API clients can use to access your API.
Run the following command to deploy the API config you just created to API Gateway:
gcloud api-gateway gateways create GATEWAY_ID \ --api=API_ID --api-config=CONFIG_ID \ --location=GCP_REGION --project=PROJECT_ID
where:
- GATEWAY_ID specifies the name of the gateway.
- API_ID specifies the name of the API Gateway API associated with this gateway.
- CONFIG_ID specifies the name of the API config deployed to the gateway.
GCP_REGION is the Google Cloud region for the deployed gateway.
PROJECT_ID specifies the name of your Google Cloud project.
On successful completion, you can use the following command to view details about the gateway:
gcloud api-gateway gateways describe GATEWAY_ID \ --location=GCP_REGION --project=PROJECT_ID
Note the value of the defaultHostname
property in the output of this command. This is the hostname portion of the gateway URL you use to test your deployment in the next step.
Testing your API deployment
Now you can send requests to your API using the URL generated upon deployment of your gateway.
Enter the following URL in your web browser, where:
- DEFAULT_HOSTNAME specifies the hostname portion of your deployed gateway URL.
hello
is the path specified in your API config.
https://DEFAULT_HOSTNAME/hello
For example:
https://my-gateway-a12bcd345e67f89g0h.uc.gateway.dev/hello
You should see your Cloud Run container running your app in the browser.
Success! Your API Gateway is managing access to your Cloud Run backend service.
Tracking API activity
View the activity graphs for your API on the API Gateway page in the Google Cloud console. Click on your API to view its activity graphs on the Overview page. It may take a few moments for the requests to be reflected in the graphs.
Look at the request logs for your API on the Logs Explorer page. A link to the Logs Explorer page can be found on the API Gateway page in the Google Cloud console.
Once on the API Gateway page:- Select the API to view.
- Click the Details tab.
- Click the link under Logs.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, you can:
Alternatively, you can also delete the Google Cloud project used for this tutorial.