Provisioning an eval org from the command line

You're viewing Apigee X documentation.
View Apigee Edge documentation.

This section describes how to install and configure Apigee with an evaluation organization (or eval org) from the command line. You can provision an eval org with just a Google Cloud billing account. Eval orgs expire after 60 days and may have other limitations. For details, see Organization types and Provisioning options.

Step 1: Define environment variables

Set up gcloud and define environment variables for use in later steps:

Be sure you have completed the setup requirements listed in Prerequisites.
You must have the Cloud SDK installed. If you need to install it, see Installing Cloud SDK.
Initialize the Cloud SDK, as described in Initializing Cloud SDK, or otherwise ensure that the Google Cloud project you created in Prerequisites is the default project for gcloud.

Define the following environment variables:

AUTH="Authorization: Bearer $(gcloud auth print-access-token)"
PROJECT_ID="YOUR_PROJECT_ID"
RUNTIME_LOCATION="YOUR_RUNTIME_LOCATION"
ANALYTICS_REGION="YOUR_ANALYTICS_REGION"

Where:

AUTH defines the Authentication header with a bearer token. You will use this header when calling Apigee APIs. Note that the token expires after a period of time and when it does, you can simply regenerate it using the same command. For more information, see the reference page for the print-access-token command.
PROJECT_ID is the Cloud project ID that you created as part of the Prerequisites.
RUNTIME_LOCATION is the physical location where the Apigee instance you will create later is located. Valid values are any Compute Engine region.

Note: For RUNTIME_LOCATION, be sure to use a region name and not a zone name. The available regions are listed in Available regions and zones. For example, us-west1 is a region name, while us-west1-a is a zone in the region. See also Identifying a region or zone.

ANALYTICS_REGION is the physical location at which Apigee analytics data will be stored.

Where ANALYTICS_REGION is one of the following:

`asia-northeast1`	`asia-south1`	`asia-east1`	`asia-southeast1`
`australia-southeast1`	`us-central1`	`us-east1`	`us-west1`
`asia-southeast2`	`europe-west1`	`europe-west2`

Choose a region that is geographically close or one that satisfies your organization's storage requirements.

Both RUNTIME_LOCATION and ANALYTICS_REGION can be the same region, but they do not have to be the same. However, there may be a performance benefit if they are the same.

(Optional) Check your work by echoing the values you just set. Note that when you want to use a variable in your commands, precede the variable's name with a dollar sign ($).

echo $AUTH
echo $PROJECT_ID
echo $RUNTIME_LOCATION
echo $ANALYTICS_REGION

The responses to your echo commands should look something like the following:

Authorization: Bearer ya29.a123456678940B63hPSAMPLEsampleKKYVsample0f3pWDWZDuH2-hENkNa
TvgZ1PD977TMvv6edBQPJezdHw040880Ol_LoD5ZDkt-i-knizia_KhA9L20sSvztL81-SAMPLE42ELPMASk2_
1CxN
my-cloud-project
us-west1
us-west1

Step 2: Enable APIs

Apigee requires you to enable several Google Cloud APIs. Enable them by executing the following services enable command:

gcloud services enable apigee.googleapis.com \
  servicenetworking.googleapis.com compute.googleapis.com \
  cloudkms.googleapis.com --project=$PROJECT_ID

(Optional) To check your work, use the services list command to show all the enabled APIs:
```
gcloud services list
```
The response shows all enabled services, including the APIs that you just enabled (Apigee, Service Networking, Cloud KMS, and Compute Engine).

Step 3: Configure service networking

Note: For most eval orgs, use default for the network parameter. default is the network that Google Cloud created for you when you created your Google Cloud project. If you have a different Cloud network and want to use it, then enter its name. (Note that the network must have a /22 CIDR block of IP addresses free.)

Create these environment variables:
```
RANGE_NAME=YOUR_RANGE_NAME
NETWORK_NAME=YOUR_NETWORK_NAME
```
Where:
- RANGE_NAME is the name of the IP address range you are creating. You can name the range anything you want. For example: google-svcs
- NETWORK_NAME is the name of the network resource in which the addresses should be reserved.
  Google creates a default network (named default) for each new project, so you can use that. However, Google does not recommend using the default network for anything other than testing.
  
  Note: Google does not recommend using default unless you are testing this setup process. You should not use an organization with a default network in production.

Create an IP range with a CIDR length of /22:

gcloud compute addresses create $RANGE_NAME \
  --global \
  --prefix-length=22 \
  --description="Peering range for Apigee services" \
  --network=$NETWORK_NAME \
  --purpose=VPC_PEERING \
  --project=$PROJECT_ID

On success, gcloud responds with the following:

Created [https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/global/addresses/google-svcs].

After you create a range of IP addresses, the addresses are associated with the project until you release them.

Create a second IP range with a CIDR length of /28. This range is used by Apigee for troubleshooting purposes and cannot be customized or changed.

gcloud compute addresses create google-managed-services-support-1 \
  --global \
  --prefix-length=28 \
  --description="Peering range for supporting Apigee services" \
  --network=$NETWORK_NAME \
  --purpose=VPC_PEERING \
  --project=$PROJECT_ID

Connect your services to the network using the following command:
```
gcloud services vpc-peerings connect \
  --service=servicenetworking.googleapis.com \
  --network=$NETWORK_NAME \
  --ranges=$RANGE_NAME,google-managed-services-support-1 \
  --project=$PROJECT_ID
```
Use the same network name you used previously (for example, default). This operation can take several minutes to complete.

On success, gcloud responds with the following:
```
Operation "operations/OPERATION_ID" finished successfully.
```
Where OPERATION_ID is the UUID of the LRO.

Apigee creates a connection between your network and Google's services; specifically, Apigee connects your project to the Service Networking API through VPC peering. Apigee also associates IP addresses with your project.

Step 4: Create an organization

An organization is the top-level container in Apigee. It contains all your API proxies and related resources. For details, see Understanding organizations.

Create a new eval org using the gcloud alpha apigee organizations command:

gcloud alpha apigee organizations provision \
  --runtime-location=$RUNTIME_LOCATION \
  --analytics-region=$ANALYTICS_REGION \
  --authorized-network=default \
  --project=$PROJECT_ID

Where --authorized-network is the name of your custom peering network. For example: default.

When you execute the provision command, Google starts an LRO (long-running operation) to create the eval org. This operation takes about 15 minutes to complete. During that time, gcloud displays the following:
```
Provisioning organization...
```
Note: The provision command can create only eval organizations. It cannot be used to create production organizations.
(Optional) In another terminal window, check the status of your LRO by using the operations list command:
```
gcloud alpha apigee operations list --organization=$PROJECT_ID
```
If the eval org is not created yet, the response includes an IN_PROGRESS status.

When the eval org and its associated runtime instance are created, gcloud responds with the following:
```
Provisioning organization...done.
```
If you execute the operations list command again, you should see that all UUIDs are in the FINISHED state. For example:
```
UUID                                  ORGANIZATION  STATE
00bab06f-c60c-41a5-4242-7SAMPLE7f     my-org        FINISHED
429790a7-3151-4642-4343-7SAMPLE7f     my-org        FINISHED
d00a92a9-9b83-4642-4343-7SAMPLE7f     my-org        FINISHED
f48a00ff-7daa-4c4a-4444-7SAMPLE7f     my-org        FINISHED
```

Step 5: Do a final test

An API proxy called hello-world was created for you during provisioning. By default, proxies you create in an eval org have internal-only access. To test your newly provisioned org, follow the steps in Calling an API proxy with internal-only access.