My First Apigee Environment

Sander Alberink
Google Cloud - Community
Jul 12, 2023


This is a repost of an article previously published on CTS’s Medium channel.

Apigee is a brilliant solution to deliver APIs to customers, internal developers, and external partners. In the past, Apigee as an offering was held back by having to commit to a yearly subscription just to get your toes in the water, putting it somewhat out of reach of smaller companies. However, Google has recently launched a Pay-as-you-Go tier for Apigee, bringing the technology to a broader audience. To whet the appetite a bit for Apigee, I’ve set out to create a simple demo to showcase some of the things that Apigee can do. For the purposes of installing this demo, I assume you have a Google Cloud project ready to go, with billing set up on it. Also, I’m assuming that Terraform is installed and that a command line does not scare you witless.

Following this demo will create an Apigee evaluation installation that gives you access to all features of Apigee for a period of 2 months. After these 2 months, the Apigee organization is automatically garbage collected. Beware that all Apigee configurations and proxies you create in that organization will be lost upon deletion, so make sure to export them before the end of the evaluation period. Also, although the Apigee evaluation is free of charge, some resources such as compute and load balancers will be consumed in your Google Cloud project.

With all these caveats out of the way, this is the demo set up:

[Figure: Apigee demo overview]

This demo will connect directly to Apigee with Private Service Connect (PSC) through a PSC Network Endpoint Group (NEG) as the backend for the Google Cloud Global L7 load balancer. This eliminates the need for a bridge VM to forward traffic to the Apigee runtime plane.

We’ll be setting all this up using Terraform as much as possible, but unfortunately creating the PSC NEG needs to be done on the command line, as this is not currently supported in the Google Terraform provider.

Let’s start by cloning the following GitHub repository and setting up a set of environment variables that subsequent commands refer to. The access token we store has limited validity: should you receive an unauthorized error in any of the later steps, you’ll need to regenerate the access token.

git clone https://github.com/salberin/cts-apigee.git
export AUTH="Authorization: Bearer $(gcloud auth print-access-token)"
export PROJECT_ID="<YOUR_GOOGLE_PROJECT_ID>"
export RUNTIME_LOCATION="europe-west1"
export ENV_NAME="demo"
cd cts-apigee/terraform

Run the following Terraform commands to create the whole Apigee organization:

terraform init
terraform apply -var "project_id=$PROJECT_ID" -var "region=$RUNTIME_LOCATION" \
-var "env_name=$ENV_NAME"

After Terraform has completed (mind you, this may take a while, up to 45 minutes!) you will receive the hostname for the Apigee load balancer as an output. We finish the setup by creating a PSC NEG and attaching it to our load balancer backend. We first retrieve the service attachment from an Apigee API call (as it is unfortunately not available from the Terraform output) and create the backend from that info using gcloud commands.

export AUTH="Authorization: Bearer $(gcloud auth print-access-token)"
SERVICE_ATT=$(curl -s -X GET -H "$AUTH" \
"https://apigee.googleapis.com/v1/organizations/$PROJECT_ID/instances" \
| jq -r '.instances[0].serviceAttachment')
gcloud compute network-endpoint-groups create "$ENV_NAME-neg" \
--network-endpoint-type=private-service-connect \
--psc-target-service="$SERVICE_ATT" --region="$RUNTIME_LOCATION" \
--project=$PROJECT_ID
gcloud compute backend-services add-backend apigee-$ENV_NAME-backend \
--network-endpoint-group=$ENV_NAME-neg \
--network-endpoint-group-region=$RUNTIME_LOCATION \
--global --project=$PROJECT_ID
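
The `.instances[0]` lookup above yields the literal string `null` when the token has expired or the instance has no service attachment yet, and that string would then be passed to gcloud. As an added example (not part of the original article or the cts-apigee repository), the hypothetical helper `get_service_attachment` checks the response first; it needs jq, and the sample JSON bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: get_service_attachment is a hypothetical helper, not repo code.
# It reads an Apigee "instances" response on stdin and prints a validated attachment.
get_service_attachment() {
  gsa_region="$1"
  gsa_body="$(cat)"

  # Google APIs report failures such as an expired token as {"error": {...}}.
  if printf '%s' "$gsa_body" | jq -e '.error' >/dev/null 2>&1; then
    echo "API error: $(printf '%s' "$gsa_body" | jq -r '.error.status // .error.message')" >&2
    return 2
  fi

  # Select the instance by location rather than trusting array position [0].
  gsa_att="$(printf '%s' "$gsa_body" | jq -r --arg r "$gsa_region" \
    '[.instances[]? | select(.location == $r) | .serviceAttachment // empty][0] // empty' \
    2>/dev/null)" || gsa_att=""

  # Only a well-formed attachment path in the expected region may reach gcloud.
  if ! printf '%s\n' "$gsa_att" | grep -Eq \
    "^projects/[a-z0-9-]+/regions/${gsa_region}/serviceAttachments/[A-Za-z0-9-]+\$"; then
    echo "no usable serviceAttachment for region ${gsa_region}" >&2
    return 1
  fi
  printf '%s\n' "$gsa_att"
}

# Constructed sample bodies (not captured API output).
SAMPLE_OK='{"instances":[{"name":"other","location":"us-central1","serviceAttachment":"projects/t-example-tp/regions/us-central1/serviceAttachments/apigee-us"},{"name":"demo","location":"europe-west1","serviceAttachment":"projects/t-example-tp/regions/europe-west1/serviceAttachments/apigee-eu"}]}'
SAMPLE_EXPIRED='{"error":{"code":401,"message":"Request had invalid authentication credentials.","status":"UNAUTHENTICATED"}}'
SAMPLE_PENDING='{"instances":[{"name":"demo","location":"europe-west1","state":"CREATING"}]}'

# Offline demo. Against the live API, pipe the curl call from the step above in:
#   SERVICE_ATT=$(curl -s -H "$AUTH" \
#     "https://apigee.googleapis.com/v1/organizations/$PROJECT_ID/instances" \
#     | get_service_attachment "$RUNTIME_LOCATION") || exit 1
if command -v jq >/dev/null 2>&1; then
  for gsa_sample in "$SAMPLE_OK" "$SAMPLE_EXPIRED" "$SAMPLE_PENDING"; do
    printf '%s' "$gsa_sample" | get_service_attachment europe-west1 \
      || echo "rejected with status $?"
  done
fi
```

Status 2 means the API itself returned an error (regenerate the token), while status 1 means no valid attachment exists yet for that region.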

Et voilà! We have an Apigee organization set up, with connectivity to boot!

Next step: deploy an API gateway. The repo contains a sample hello-world proxy that prints a simple hello world message when called.

cd ../proxy
export MGMT_HOST="https://apigee.googleapis.com"
curl -s -X POST \
"$MGMT_HOST/v1/organizations/$PROJECT_ID/apis?action=import&name=hello-world" \
-H "$AUTH" --form file=@"./hello-world.zip"
curl -s -X POST -H "$AUTH" \
"$MGMT_HOST/v1/organizations/$PROJECT_ID/environments/$ENV_NAME-environment/apis/hello-world/revisions/1/deployments"
export HOST="<<hostname printed as part of terraform output>>"
curl -i -H "Host: $HOST" https://$HOST/hello-world

Keep in mind that certificate generation may take some time, so the last curl command may fail until it has completed. And there you have it: an Apigee gateway, deployed through Terraform, running behind Private Service Connect.

Next up: making a proxy do something useful. Watch this space and until then, keep it Googley (as my esteemed colleague Alistair Grew would say.)

About CTS

CTS is the largest dedicated Google Cloud practice in Europe and one of the world’s leading Google Cloud experts, winning 2020 Google Partner of the Year Awards for both Workspace and GCP.

We offer a unique full stack Google Cloud solution for businesses, encompassing cloud migration and infrastructure modernisation. Our data practice focuses on analysis and visualisation, providing industry-specific solutions for Retail, Financial Services, Media and Entertainment.

We’re building talented teams ready to change the world using Google technologies. So if you’re passionate, curious and keen to get stuck in — take a look at our Careers Page and join us for the ride!
