Step 4: Customize access routing

This page applies to Apigee, but not to Apigee hybrid.

View Apigee Edge documentation.

What you're doing in this step

In this step, you can choose to expose your new Apigee instance to external requests or keep it private (and only allow requests from within the firewall).

How you access the API proxy depends on whether you allow external requests or restrict access to internal requests only.

Access Type Description of the configuration and deployment process

No internet access

Access Type	Description of the configuration and deployment process
No internet access	Allow only internal access to your API proxy. You can download the `Hello World` proxy from GitHub and then deploy it to your Apigee instance. You must then create a new VM inside the network and connect to it. From the new VM, you can send a request to the API proxy.
Enable internet access	Allow external access to your API proxy. Note: Apigee recommends using this approach. Apigee deploys a `Hello World` proxy to your Apigee instance. You can then send a request to the API proxy from your administration machine or any network-enabled machine, whether it is within or outside the firewall.

Allow only internal access to your API proxy.

You can download the Hello World proxy from GitHub and then deploy it to your Apigee instance. You must then create a new VM inside the network and connect to it. From the new VM, you can send a request to the API proxy.

Enable internet access

Allow external access to your API proxy.

Apigee deploys a Hello World proxy to your Apigee instance. You can then send a request to the API proxy from your administration machine or any network-enabled machine, whether it is within or outside the firewall.

Each of these approaches is presented on a tab in the instructions below.

Perform the step

Select External Access or Internal Access:

External Access

This section describes how to configure routing from the Google Cloud console when you want to allow external access to your API proxy.

Permissions required for this task

You can give the Apigee provisioner a predefined role that includes the permissions needed to complete this task, or give more fine-grained permissions to provide the least privilege necessary. See Predefined roles and Access routing permissions.

To configure routing for external access in the Google Cloud console:

Click Edit to open the Configure access panel.
Select Enable internet access.
Choose one of the following options in the Domain Type section:
- Automatically managed domain, subnetwork and SSL certificates: Choose this option to use the nip.io wildcard DNS service, and a Google-managed certificate to secure your domain. Apigee automatically creates an L7 global external load balancer to forward traffic to your runtime.
- Customize: Choose this option if you want to customize your domain name, SSL certificate, or subnetwork. Apigee automatically creates an L7 global external load balancer to forward traffic to your runtime. You can select or clear any of the following options to enter custom details:
  - Domain: Optional. Enter the custom domain name.
  - Network: Optional. Select an available network name from the dropdown menu.
  - Subnetwork: Optional. Select an available subnetwork name from the dropdown menu. The subnetwork selected should be in the same region as the runtime instance.
  - SSL Certificate: Optional. Select an existing self-managed certificate or provide a new self-managed certificate.
    To select an existing certificate:
    1. Select an existing certificate from the drop-down list. If there is no certificate in the list, click Add new.
    2. Browse the file system and select the certificate you wish to use.
    3. Click Save SSL.
    To provide a new certificate:
    1. Click in the Select certificate drop-down list.
    2. Click Add new.
    3. In the respective fields, browse your file system and attach the files containing the certificate and private key. Both should be PEM-formatted.
    4. Click Save SSL.
Click Set access.
Apigee prepares your instance for external access. This includes creating firewall rules, uploading certificates, and creating a load balancer.

This process can take several minutes.

Internal Access

This section describes how to configure routing when you're using the Google Cloud console and you do not want to allow external access to your API proxy. Instead, you want to limit access to internal requests only that originate from within the VPC.

To configure routing for internal access in the Google Cloud console:

Click Edit to open the Configure access panel.
Select No internet access.
Click Set access.

Click Next.
Click Submit to begin the provisioning process.

The provisioning process may take up to 40 minutes to complete. If you want to leave the page while provisioning is in progress, a notification will appear in notifications Notifications in the Google Cloud console when the operation completes.

Once provisioning is complete, the Apigee Overview page will appear and you can begin exploring Apigee!