Calling an API proxy with internal-only access

You're viewing Apigee X documentation.
View Apigee Edge documentation.

This section describes how to send requests to an API proxy that you deployed and restricted to internal access only during the provisioning process.


To access internal-only API proxies, you must create another Compute Engine VM within your cluster. The new VM is the machine from which you send requests to the internal load balancer (or ingress router). That load balancer forwards your requests to the newly deployed API proxy.

Before you begin

Do the following preliminary setup steps:

  1. Log in to Google Cloud by using the following command:
    gcloud auth login

    The command launches a browser window and prompts you to choose an account (if you have more than one). Cloud then prompts you to allow access. You only need to do this once: You will not need to run this command, choose an account, or allow access in the future.

  2. If you have not done so previously, initialize the Cloud SDK, as described in Initializing Cloud SDK; for example:
    gcloud init

    During SDK initialization, enter or select the ID of the project you created in Prerequisites. Set this project as the default. You will not need to run this command in the future unless you want to change the defaults.

  3. Get an authorization token for use in Apigee API requests that follow:
    export AUTH="Authorization: Bearer $(gcloud auth print-access-token)"
  4. Define the following local environment variables. They make the commands in this section easy to copy and paste:

          #Specified during provisioning. Typically, 'default'
          #A name for a VM you will create later. For details on valid
          # instance names, refer to the criteria documented under the
          #field name at REST Resource: instances.
    export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
  5. Get the runtime location for your instance. For example:
    curl -H "$AUTH"$ORG_NAME/instances

    The response should look something like this, where the location value is us-west1. Your location may be different:

      "instances": [
          "name": "eval-instance",
          "location": "us-west1",
          "host": "",
          "port": "443",
          "state": "ACTIVE",
          "peeringCidrRange": "SLASH_23"
  6. Put the name of a zone into an environment variable named ZONE. The zone must be within the region returned in the location attribute of the previous response. For example:
    export ZONE="us-west1-a"

Create a VM and call the API proxy

Next, create a new VM inside your VPC network using the gcloud beta compute command. The VM acts as a bridge that allows you to send requests to the internal load balancer IP. After the VM is set up, you can call the hello-world API proxy that was deployed for you during provisioning:

  1. The following example creates a new VM with some common options and uses environment variables that you defined previously as inputs.
    gcloud beta compute --project=$PROJECT_ID \
      instances create $INSTANCE_NAME \
      --zone=$ZONE \
      --machine-type=e2-micro \
      --subnet=$SUBNET \
      --network-tier=PREMIUM \
      --no-restart-on-failure \
      --maintenance-policy=TERMINATE \
      --preemptible \
      --service-account=$ \
      --scopes= \
      --tags=http-server,https-server \
      --image=debian-10-buster-v20210122 \
      --image-project=debian-cloud \
      --boot-disk-size=10GB \
      --boot-disk-type=pd-standard \
      --boot-disk-device-name=$INSTANCE_NAME \
      --no-shielded-secure-boot \
      --shielded-vtpm \
      --shielded-integrity-monitoring \
  2. Open a secure connection to the new VM that you just created.

    gcloud compute ssh $INSTANCE_NAME --zone=$ZONE --project=$PROJECT_ID
  3. In the VM shell, install the jq utility. It is used in subsequent steps:
    sudo apt-get update -y
    sudo apt-get install -y jq
  4. In the VM shell, create the following environment variables to make it easy to copy/paste the API proxy request:
    export AUTH="Authorization: Bearer $(gcloud auth print-access-token)"
    export ORG_NAME=YOUR_ORG_NAME   #Same value as your PROJECT_ID.
    export ENV_GROUP_HOSTNAME=$(curl -H "$AUTH"$ORG_NAME/envgroups -s | jq -r '.environmentGroups[0].hostnames[0]')
    export INTERNAL_LOAD_BALANCER_IP=$(curl -H "$AUTH"$ORG_NAME/instances -s | jq -r '.instances[0].host')
  5. Send a request to your deployed API proxy using the following pair of commands.
    1. Pull the CA Certificate you created during org creation with the following command:
      curl -H "$AUTH"$ORG_NAME | jq -r .caCertificate | base64 -d > cacert.crt
    2. Send the request to your deployed API proxy:
      curl -is -H "Host: $ENV_GROUP_HOSTNAME" https://example.$ORG_NAME.apigee.internal/hello-world \
        --cacert cacert.crt \
        --resolve example.$ORG_NAME.apigee.internal:443:$INTERNAL_LOAD_BALANCER_IP

    On success, the proxy returns Hello, Guest!.

If you encounter errors during this part of the process, be sure that all of the environment variables you created and used in commands have valid values. See also Troubleshooting.