Provisioning an eval org from the command line

You're viewing Apigee X documentation.
View Apigee Edge documentation.

This section describes how to install and configure Apigee with an evaluation organization (or eval org) from the command line. You can provision an eval org with just a Google Cloud billing account. Eval orgs expire after 60 days and may have other limitations. For details, see Organization types and Provisioning options.

Step 1: Define environment variables

Set up gcloud and define environment variables for use in later steps:

  1. Be sure you have completed the setup requirements listed in Prerequisites.
  2. You must have the Cloud SDK installed. If you need to install it, see Installing Cloud SDK.
  3. Initialize the Cloud SDK, as described in Initializing Cloud SDK, or otherwise ensure that the Google Cloud project you created in Prerequisites is the default project for gcloud.
  4. Define the following environment variables:
    AUTH="Authorization: Bearer $(gcloud auth print-access-token)"


    • AUTH defines the Authentication header with a bearer token. You will use this header when calling Apigee APIs. Note that the token expires after a period of time and when it does, you can simply regenerate it using the same command. For more information, see the reference page for the print-access-token command.
    • PROJECT_ID is the Cloud project ID that you created as part of the Prerequisites.
    • RUNTIME_LOCATION is the physical location where the Apigee instance you will create later is located. Valid values are any Compute Engine region.

    • ANALYTICS_REGION is the physical location at which Apigee analytics data will be stored.

      Where ANALYTICS_REGION is one of the following:

      asia-northeast1 asia-south1 asia-east1 asia-southeast1
      australia-southeast1 us-central1 us-east1 us-west1
      asia-southeast2 europe-west1 europe-west2

      Choose a region that is geographically close or one that satisfies your organization's storage requirements.

      Both RUNTIME_LOCATION and ANALYTICS_REGION can be the same region, but they do not have to be the same. However, there may be a performance benefit if they are the same.

  5. (Optional) Check your work by echoing the values you just set. Note that when you want to use a variable in your commands, precede the variable's name with a dollar sign ($).
    echo $AUTH
    echo $PROJECT_ID

    The responses to your echo commands should look something like the following:

    Authorization: Bearer ya29.a123456678940B63hPSAMPLEsampleKKYVsample0f3pWDWZDuH2-hENkNa

Step 2: Enable APIs

  1. Apigee requires you to enable several Google Cloud APIs. Enable them by executing the following services enable command:

    gcloud services enable \ \ --project=$PROJECT_ID
  2. (Optional) To check your work, use the services list command to show all the enabled APIs:

    gcloud services list

    The response shows all enabled services, including the APIs that you just enabled (Apigee, Service Networking, Cloud KMS, and Compute Engine).

Step 3: Configure service networking

  1. Create these environment variables:


    • RANGE_NAME is the name of the IP address range you are creating. You can name the range anything you want. For example: google-svcs
    • NETWORK_NAME is the name of the network resource in which the addresses should be reserved.

      Google creates a default network (named default) for each new project, so you can use that. However, Google does not recommend using the default network for anything other than testing.

  2. Create an IP range with a CIDR length of /22:
    gcloud compute addresses create $RANGE_NAME \
      --global \
      --prefix-length=22 \
      --description="Peering range for Apigee services" \
      --network=$NETWORK_NAME \
      --purpose=VPC_PEERING \

    On success, gcloud responds with the following:

    Created [].

    After you create a range of IP addresses, the addresses are associated with the project until you release them.

  3. Create a second IP range with a CIDR length of /28. This range is used by Apigee for troubleshooting purposes and cannot be customized or changed.
    gcloud compute addresses create google-managed-services-support-1 \
      --global \
      --prefix-length=28 \
      --description="Peering range for supporting Apigee services" \
      --network=$NETWORK_NAME \
      --purpose=VPC_PEERING \
  4. Connect your services to the network using the following command:
    gcloud services vpc-peerings connect \ \
      --network=$NETWORK_NAME \
      --ranges=$RANGE_NAME,google-managed-services-support-1 \

    Use the same network name you used previously (for example, default). This operation can take several minutes to complete.

    On success, gcloud responds with the following:

    Operation "operations/OPERATION_ID" finished successfully.

    Where OPERATION_ID is the UUID of the LRO.

    Apigee creates a connection between your network and Google's services; specifically, Apigee connects your project to the Service Networking API through VPC peering. Apigee also associates IP addresses with your project.

Step 4: Create an organization

An organization is the top-level container in Apigee. It contains all your API proxies and related resources. For details, see Understanding organizations.

  1. Create a new eval org using the gcloud alpha apigee organizations command:
    gcloud alpha apigee organizations provision \
      --runtime-location=$RUNTIME_LOCATION \
      --analytics-region=$ANALYTICS_REGION \
      --authorized-network=default \

    Where --authorized-network is the name of your custom peering network. For example: default.

  2. When you execute the provision command, Google starts an LRO (long-running operation) to create the eval org. This operation takes about 15 minutes to complete. During that time, gcloud displays the following:

    Provisioning organization...
  3. (Optional) In another terminal window, check the status of your LRO by using the operations list command:

    gcloud alpha apigee operations list --organization=$PROJECT_ID

    If the eval org is not created yet, the response includes an IN_PROGRESS status.

    When the eval org and its associated runtime instance are created, gcloud responds with the following:

    Provisioning organization...done.

    If you execute the operations list command again, you should see that all UUIDs are in the FINISHED state. For example:

    UUID                                  ORGANIZATION  STATE
    00bab06f-c60c-41a5-4242-7SAMPLE7f     my-org        FINISHED
    429790a7-3151-4642-4343-7SAMPLE7f     my-org        FINISHED
    d00a92a9-9b83-4642-4343-7SAMPLE7f     my-org        FINISHED
    f48a00ff-7daa-4c4a-4444-7SAMPLE7f     my-org        FINISHED

Step 5: Do a final test

An API proxy called hello-world was created for you during provisioning. By default, proxies you create in an eval org have internal-only access. To test your newly provisioned org, follow the steps in Calling an API proxy with internal-only access.