Step 5: Create an Apigee runtime instance

This page applies to Apigee, but not to Apigee hybrid.

View Apigee Edge documentation.

You've got your project provisioned, created a new organization, and configured the connection between your network and Google's services. It's time to create a runtime instance.

An instance, or runtime instance, is where your project and related services are stored; it provides the user-facing endpoint for your services.

What you're doing in this step

In this step, you create a new runtime instance. At the end of this setup process, you will deploy an API proxy to the new instance and then send an HTTP request to it to verify that it works. In addition, you also create a key for encrypting and decrypting data stored on disk in the instance.

Perform the step

Permissions required for this task

You can give the Apigee provisioner a predefined role that includes the permissions needed to complete this task, or give more fine-grained permissions to provide the least privilege necessary. See Predefined roles and Runtime instance permissions.

To create a new runtime instance in the Apigee provisioning wizard:

If it is not currently open, open the Apigee provisioning wizard. The wizard returns to the next incomplete install task.
Click Edit next to the Runtime option. The Set up runtime view displays:
From the Runtime hosting region drop-down list, select the region in which you want your instance hosted. For a list of available runtime regions, see Apigee locations.
Specify how you want to allocate an IP range. Choose between these options:
Note: Once created, you cannot change the IP range later. If you ever need to change the range, you will have to create a new instance.
- Automatic (Recommended) - Apigee selects an available CIDR range with a prefix size of /22. No further action on your part is required.
- Custom - In advanced use cases, you may need to specify exactly which IP range you want Apigee to use. For these cases, you specify a custom IP range, and it must have a prefix size of /22. The range must be available as part of a private connection between your project and Apigee.
Under Disk encryption key, choose a customer-managed encryption key. If a key already exists, you can pick it. The wizard lists all keys in the same location as the runtime hosting region across all key rings. If a key doesn't exist, or if you don't want to use an existing key, you can create a new key from within the wizard. To create a key:
1. Click Create key.
2. Select a key ring, or if one doesn't exist, enable Create key ring and enter a key ring name and pick a key ring location. Key ring names can contain letters, numbers, underscores (_), and hyphens (-). Key rings can't be renamed or deleted.
3. Click Continue.
4. Create a key. Enter a name and protection level. Note that key names can contain letters, numbers, underscores (_), and hyphens (-). Keys can't be renamed or deleted. For protection level, Software is a good choice. This is the same default used by Cloud KMS; however, you can change it if you wish.
5. Click Continue and review your selections.
6. Click Create.
Click Grant to grant the service account permission to encrypt/decrypt with the selected key.
Click Create runtime.

Apigee begins the process of creating a new runtime instance for you.

This request can take 40 minutes or longer to complete because Apigee creates the new instance, installs the Apigee resources on it, and sets up load balancing. During this process, Apigee displays a spinner for this step:

When Apigee is done, the wizard displays a checkmark next to the Runtime option. Below that, Apigee displays the IP address of the internal load balancer for your instance:

For additional details, see About the Apigee encryption keys.

If you encounter errors during this part of the process, see Troubleshooting.

Progress (5/8 ... You're nearly there!)

1 2 3 4 5 NEXT: Create an environment 7 8