What you're doing in this step
In this step, you choose whether to expose your new cluster to external requests or to keep it private (and only allow requests from within the firewall).
The manner in which you access the API proxy depends on whether you decided to allow external requests or restricted requests to internal only:
|Access Type|Difficulty Level|Description of the configuration and deployment process|
|---|---|---|
|External|LOW|Allow external access to your API proxy using the Apigee provisioning wizard. The wizard deploys a Hello World proxy to your runtime instance for you. You can then send a request to the API proxy from your administration machine or any network-enabled machine, whether it is within or outside the firewall.|
|Internal|MEDIUM|Allow only internal access to your API proxy using the Apigee provisioning wizard. You download the Hello World proxy from GitHub and then deploy it to your runtime instance. You must then create a new VM inside the network and connect to it. From the new VM, you can send a request to the API proxy.|
In both cases, you can optionally set up DNS to make naming and routing easier. However, setting this up can distract you from the task at hand, so Apigee recommends skipping DNS setup if this is your first time running through this process.
Each of these approaches is presented on a tab in the instructions below.
Perform the step
This section describes how to configure routing when you're using the Apigee provisioning wizard and you want to allow external access to your API proxy.
Difficulty Level: LOW
To configure routing for external access in the Apigee provisioning wizard:
- Open the Apigee provisioning wizard if it is not currently open. The wizard returns to the most recent incomplete task in the list.
- Click Edit next to Access routing.
The Configure access view displays:
- Select Enable internet access.
The wizard displays additional options for configuring the instance:
The options include setting the instance name for the VM and choosing a certificate.
- (Optional) To change the virtual machine instance name to something more meaningful, click Edit and make your changes:
The VM that this refers to is the one used for the Envoy proxy.
- (Optional) Add a certificate if you want to support inbound TLS:
  - Generate a certificate/key pair if you don't already have one. This can be a self-signed certificate, but you should use a certificate signed by a Certificate Authority for a production system.
  - In the respective fields, browse your file system and attach the files containing the certificate and private key. Both should be PEM-formatted.
The wizard creates a self-managed certificate, which has a restriction on the encryption algorithm and key size that can be used. For more information, see Private key.
- Click Set Access.
Apigee prepares your cluster for external access. This includes setting up an Envoy proxy, creating firewall rules, uploading certificates, and creating a load balancer.
This process can take several minutes to complete.
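A pre-upload check for the optional certificate step above, as an added example that is not part of the Apigee documentation: it creates a throwaway self-signed pair with `openssl` and verifies that both files are PEM, that the key can be read without a passphrase and belongs to the certificate, and that the key size is the expected one. The function names, file names, CN, the passphrase check and the 2048-bit default are assumptions; take the permitted algorithm and key size from the Private key reference.

```shell
#!/bin/sh
# Added example: checks to run before attaching a certificate and key in the wizard.
# The CN and the 2048-bit default are assumptions, not values from the wizard.

# Create a throwaway self-signed RSA pair (test use only; key is unencrypted).
make_selfsigned() {  # usage: make_selfsigned CERT KEY [BITS]
    openssl req -x509 -newkey "rsa:${3:-2048}" -nodes -days 30 \
        -subj "/CN=apigee-test.example" \
        -keyout "$2" -out "$1" 2>/dev/null && chmod 600 "$2"
}

# Print the public-key size in bits as recorded in the certificate.
cert_key_bits() {  # usage: cert_key_bits CERT
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Return 0 only if both files are PEM, the key needs no passphrase, the key
# belongs to the certificate, and the key size equals WANT_BITS.
check_pair() {  # usage: check_pair CERT KEY [WANT_BITS]
    cert=$1 key=$2 want=${3:-2048}
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "certificate is not PEM" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "private key is not PEM" >&2; return 1; }
    # The empty passphrase makes openssl fail on an encrypted key instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "private key is encrypted or unreadable" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "certificate cannot be parsed" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "private key does not match certificate" >&2; return 1; }
    bits=$(cert_key_bits "$cert")
    [ "$bits" = "$want" ] ||
        { echo "key is $bits bits, expected $want" >&2; return 1; }
    echo "ok: PEM pair matches, $bits-bit key"
}

# Stand-alone use: sh check_pair.sh CERT KEY [WANT_BITS]
if [ "$#" -ge 2 ]; then
    check_pair "$@"
fi
```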
When Apigee finishes setting up your runtime's access, you'll notice that there is a blue check mark next to all steps in the wizard:
The wizard displays Recommended next steps:
This section describes how to configure routing when you're using the Apigee provisioning wizard and you do not want to allow external access to your API proxy. Instead, you want to limit access to internal requests that originate from within the VPC.
Difficulty Level: MEDIUM
To configure routing for internal access in the Apigee provisioning wizard:
- Select No internet access. The wizard displays the internal link that you can use to access your new cluster:
- Make a note of the IP address displayed in this view. This IP address is the internal access point for all requests. You will send a request to this IP address from a machine that is also inside the VPC.
- Click Continue to complete this step in the wizard.
When Apigee finishes setting up your routing rules, you'll notice that there is a blue check mark next to all steps in the wizard:
The wizard displays the Recommended next steps view for an internally accessible endpoint set up with the wizard:
If you encounter errors during this part of the process, see Troubleshooting.