You've got your project provisioned, created a new organization, and configured the connection between your network and Google's services. It's time to create a runtime instance.
An instance, or runtime, is where your project and related services are stored; it provides the user-facing endpoint for your services. Behind the scenes, one or more instances are grouped into a cluster. Clusters are groupings of containerized components running within a Kubernetes mesh. A cluster is sometimes called the instance group.
What you're doing in this step
In this step, you create a new runtime instance, which will be part of a cluster. At the end of this setup process, you will deploy an API proxy to the new instance and then send an HTTP request to it to verify that it works. You also create a key for encrypting and decrypting data stored on disk in the instance.
Perform the step
To create a new runtime instance in the Apigee provisioning wizard:
- Open the Apigee provisioning wizard if it is not currently open. The wizard returns to the most recent incomplete task in the list.
- Click the Edit button next to the Runtime option.
The Set up runtime view displays:
- From the Runtime hosting region drop-down list, select a physical location in which you want your instance hosted. Select the value of the $LOCATION variable that you set up in Step 1: Define environment variables. Valid values are any location allowed by Compute Engine.
Add the disk encryption key:
- Create a new key ring using the kms keyrings create command:
gcloud kms keyrings create disk-key-ring --location $LOCATION --project $PROJECT_ID
This creates a new key ring named "disk-key-ring". Note that the key ring's location must be set to the same location as the instance.
- Create a disk key using the kms keys create command:
gcloud kms keys create disk-key --keyring disk-key-ring \
  --location $LOCATION --purpose "encryption" --project $PROJECT_ID
This command creates a new key named "disk-key" and adds it to the key ring. The key's location is the key ring's location, so it must also match the instance.
The key can be referenced by its key path, which uses the following syntax:
- Grant access for the Apigee Service Agent to use the new key by executing the kms keys add-iam-policy-binding command:
gcloud kms keys add-iam-policy-binding disk-key \
  --location $LOCATION \
  --keyring disk-key-ring \
  --member serviceAccount:service-$PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
  --project $PROJECT_ID
This command grants the Apigee Service Agent the Cloud KMS CryptoKey Encrypter/Decrypter role on the key, and nothing more; the agent can use the key but cannot manage or destroy it.
- In the Disk encryption key ID field, enter the key path for the key that you just created.
For additional details, see About the Apigee encryption keys.
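The three gcloud steps above, collected into one script. This is an added example and is not part of the Apigee documentation: it creates the key ring and the key, binds the Apigee Service Agent, reads the key's IAM policy back so you can confirm the binding before continuing, and prints the key's Cloud KMS resource name, which is the key path the wizard asks for. It assumes the same $PROJECT_ID, $PROJECT_NUMBER and $LOCATION variables as Step 1; the default values, the INSTANCE_LOCATION argument and the APPLY switch are constructed for the example, and with APPLY unset it only prints the commands it would run.

```shell
#!/usr/bin/env sh
# Added example, not Apigee's own code. Wraps the key ring / key / IAM binding
# steps in one script. Values below are constructed placeholders; in practice
# the variables come from Step 1 of the provisioning procedure.
PROJECT_ID="${PROJECT_ID:-my-cloud-project}"      # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"  # placeholder
LOCATION="${LOCATION:-us-west1}"                  # placeholder
KEY_RING="${KEY_RING:-disk-key-ring}"
KEY_NAME="${KEY_NAME:-disk-key}"
APPLY="${APPLY:-0}"   # 1 = run gcloud; anything else = dry run (print only)

# Cloud KMS resource name of a key. This is the "key path" to paste into the
# wizard's Disk encryption key ID field.
key_path() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# IAM member string of the Apigee Service Agent for a given project number.
apigee_service_agent() {
  printf 'serviceAccount:service-%s@gcp-sa-apigee.iam.gserviceaccount.com\n' "$1"
}

# The key ring (and therefore the key) must be in the same region as the
# runtime instance. Returns 0 when the two locations match, 1 otherwise.
same_location() {
  [ "$1" = "$2" ]
}

# Execute a command, or just print it in dry-run mode.
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf '[dry-run] %s\n' "$*"; fi
}

# Full procedure: argument is the region chosen for the runtime instance.
# Fails early, before touching Cloud KMS, if the key location would not match.
provision_disk_key() {
  instance_location="$1"
  if ! same_location "$instance_location" "$LOCATION"; then
    echo "key location ($LOCATION) must equal instance location ($instance_location)" >&2
    return 1
  fi
  # Step 1: key ring, in the instance's region.
  run gcloud kms keyrings create "$KEY_RING" --location "$LOCATION" --project "$PROJECT_ID"
  # Step 2: symmetric encryption key inside that ring.
  run gcloud kms keys create "$KEY_NAME" --keyring "$KEY_RING" --location "$LOCATION" \
      --purpose "encryption" --project "$PROJECT_ID"
  # Step 3: least-privilege grant: the agent may encrypt/decrypt, not manage the key.
  run gcloud kms keys add-iam-policy-binding "$KEY_NAME" --location "$LOCATION" \
      --keyring "$KEY_RING" --member "$(apigee_service_agent "$PROJECT_NUMBER")" \
      --role roles/cloudkms.cryptoKeyEncrypterDecrypter --project "$PROJECT_ID"
  # Read the policy back: the service agent should appear under that role.
  run gcloud kms keys get-iam-policy "$KEY_NAME" --keyring "$KEY_RING" \
      --location "$LOCATION" --project "$PROJECT_ID" --format json
  echo "Disk encryption key ID for the wizard:"
  key_path "$PROJECT_ID" "$LOCATION" "$KEY_RING" "$KEY_NAME"
}

# Dry run by default; APPLY=1 ./disk-key.sh executes the commands.
provision_disk_key "${INSTANCE_LOCATION:-$LOCATION}"
```

Run it once without APPLY to review the exact commands, then with APPLY=1 and an authenticated gcloud session. The dry run deliberately checks the location mismatch first, because a key ring created in the wrong region cannot be moved and would have to be recreated.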
- Return to the Apigee provisioning wizard and enter or paste the disk key path into the Disk encryption key ID field.
The disk encryption key that you created is per instance, so the location should always be the same as the instance.
- Click Create Runtime.
Apigee begins the process of creating a new cluster for you.
This request can take up to 20 minutes to complete because Apigee creates and launches a new GKE cluster, installs the Apigee resources on that cluster, and sets up load balancing. During this process, Apigee displays a spinner for this step:
When Apigee is done, the wizard displays a checkmark next to the Runtime option. Below that, Apigee displays the IP address:
If you encounter errors during this part of the process, see Troubleshooting.