Accessing API proxies


This section describes how to send requests to an API proxy that you deployed and restricted to internal access only during the provisioning process (as compared to API proxies that are available externally, or from any machine on the internet).

The following table shows which type of access is configured by default when you provision your organization:

Org Type | Installation Type | Default Access to API Proxies

Apigee provisioning wizard
CLI (for Paid orgs)

Apigee provisioning wizard
Command line

Before you try to access your API proxy, you might find it helpful to gather the following information about your configuration:

As the table shows, internal access is the default when you provision an eval org, or if you provisioned a paid org using the command line. It is optional when you provision a paid org with the Apigee provisioning wizard.

To access internal-only API proxies, create another Compute Engine VM within your cluster. The new VM is the machine from which you send requests to the internal load balancer (or ingress router). That load balancer forwards your requests to the newly deployed API proxy. After you create the new VM, connect to it and send requests to the API proxy from it.

The following procedure describes how to do this.

To access an API proxy that is not exposed externally:

  1. (Optional) Define local environment variables to make the commands in this section more readable:

    export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")

    For example:

    export PROJECT_ID=my-cloud-project
    export RUNTIME_LOCATION=us-west1-a
    export SUBNET=default
    export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")

    Note that you might have already defined the $RUNTIME_LOCATION and $PROJECT_ID environment variables as part of the prerequisites to installation.

  2. Create a new VM inside your VPC network using the gcloud beta compute command.

    The following example creates a new VM with some common options:

    gcloud beta compute --project=$PROJECT_ID \
      instances create CLIENT_NAME \
      --zone=$RUNTIME_LOCATION \
      --machine-type=e2-micro \
      --subnet=$SUBNET \
      --network-tier=PREMIUM \
      --no-restart-on-failure \
      --maintenance-policy=TERMINATE \
      --preemptible \
      --service-account=$ \
      --scopes= \
      --tags=http-server,https-server \
      --image=debian-10-buster-v20210122 \
      --image-project=debian-cloud \
      --boot-disk-size=10GB \
      --boot-disk-type=pd-standard \
      --boot-disk-device-name=CLIENT_NAME \
      --no-shielded-secure-boot \
      --shielded-vtpm \
      --shielded-integrity-monitoring

    Note that your settings might be different. For example, the value of the --zone option can only be a Compute Engine zone for eval orgs, but can be a region or a zone for paid orgs, depending on your configuration.

  3. Open a secure connection to the new VM that you just created.

    You can do this using Cloud Console or another SSH client. To connect to the new client VM, you can use a tool such as gcloud compute ssh, as the following example shows:

    gcloud compute ssh CLIENT_NAME --zone=$RUNTIME_LOCATION

  4. From the new VM, send a request to your deployed API proxy using the following command:

    curl -i -k \
      -H "Host: ENV_GROUP_HOSTNAME" \

    If you're not sure what the value of the Host header should be, you can get it from the Get environment groups API or in the Environment Groups pane in the Apigee UI.

    For testing purposes, you can use the -k flag on the curl command, which makes curl skip TLS certificate verification, to avoid SSL certificate errors.

If you encounter errors during this part of the process, see Troubleshooting.
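
The request in step 4 uses -k, which turns off certificate verification. As an added example (not part of the Apigee documentation), the following sketch sends the same request with verification left on, using curl's --resolve option to pin ENV_GROUP_HOSTNAME to the internal load balancer address. It assumes the load balancer presents a certificate valid for that hostname; the load balancer IP, base path, CA file, function names, CURL override and sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Apigee documentation. Hypothetical names:
# is_hostname, is_ipv4, proxy_request, the CURL override, and all sample values.

# Accept only DNS-style names, so nothing else can reach the command line.
is_hostname() {
  case $1 in
    ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*-|*..*) return 1 ;;
  esac
}

# Accept only dotted-quad IPv4 with every octet in 0..255.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Usage: proxy_request ENV_GROUP_HOSTNAME LB_IP BASE_PATH [CA_FILE]
# --resolve pins the hostname to the internal load balancer address, so curl
# sends the right Host header and SNI and still verifies the certificate.
proxy_request() {
  host=$1 lb_ip=$2 base_path=$3 ca_file=${4:-}
  is_hostname "$host" || { echo "invalid hostname: $host" >&2; return 2; }
  is_ipv4 "$lb_ip" || { echo "invalid IPv4 address: $lb_ip" >&2; return 3; }
  case $base_path in
    /*) ;;
    *) echo "base path must start with /" >&2; return 4 ;;
  esac
  set -- -i --resolve "$host:443:$lb_ip"
  if [ -n "$ca_file" ]; then
    set -- "$@" --cacert "$ca_file"   # trust a private CA instead of using -k
  fi
  ${CURL:-curl} "$@" "https://$host$base_path"
}
```

Run it from the client VM, for example `proxy_request ENV_GROUP_HOSTNAME LB_IP /BASE_PATH`; setting CURL=echo prints the arguments instead of sending the request.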