Provisioning an eval org
This page applies toApigee, but not toApigee hybrid.
View Apigee Edge documentation.
This section describes how to set up an Apigee evaluation organization (oreval org) using theApigeeprovisioning wizard. For more information, seeOrganization types.
Tip:We recommend you review theApigee architecturetopic before you do the provisioning steps.Video: Check out this short video to learn about setting up and testing an Apigee eval org.
Creating an eval org with the Apigee provisioning wizard
This section describes how to use theApigeeprovisioning wizard to create an eval org.
Get started
Permissions required for this task
The Apigee provisioner must have sufficient permission to use the wizard. To grant this permission, a Google Cloud admin can give the Apigee provisioner the predefinedApigee Organization Admin role, or give morefine-grained permissions to provide the least privilege necessary.
- Ensure that you have met theprerequisites before you continue.
- Create aGoogle Cloud project if you have not done so already.
Launch theApigeeprovisioning wizard in a browser.
TheSet up Apigee pane of the Apigee provisioning wizard displays:
- Enter your Google Cloud project ID in theProject field.
If you do not have permission to manage the project, or if the project does not exist, you will see an error message. Make sure the project ID you entered is correct, and that it is the project ID and not the project name, if they are different.
If the project is already associated with a paid Apigee account, you cannot create an evaluation org for the project. SeeProvisioning > Paid orgs > Before you begin to use the Apigee provisioning wizard to provision a paid org.
Note: The Apigee provisioning wizard keeps track of your steps for this project. Once you complete a step, you can exit the wizard. When you return to it and enter the project ID again, it will continue with the next step. - ClickSTART EVALUATION.
- The Apigee provisioning wizard displays theSet up Apigee Evaluation page. As you complete each step, theEDIT icon will display by the next step.
Enable APIs
Permissions required for this task
You can give the Apigee provisioner a predefined role that includes the permissions needed to complete this task, or give more fine-grained permissions to provide the least privilege necessary. SeePredefined roles andAPI enablement permissions.
Enable the Google Cloud APIs needed for Apigee to function.
- ClickEDIT next toEnable APIs to enable the required APIs for your evaluation org.
- ClickENABLE APIS in the Enable APIs pane of the wizard. This will enable for your project:
- Apigee API
- Compute Engine API
- Service Networking API
- Wait a few moments for the step to complete. When it is done, a check will display next to theEnable APIs step and theNetworking step will be available.Tip: You can see the APIs enabled for your project in theGoogle Cloud Platform APIs & Services Dashboard.
Networking
Permissions required for this task
You can give the Apigee provisioner a predefined role that includes the permissions needed to complete this task, or give more fine-grained permissions to provide the least privilege necessary. SeePredefined roles andService networking permissions.
Set up networking for your local Virtual Private Cloud (VPC).
ClickEDIT next toNetworking.
TheSet up networking pane displays:
Select a network from theAuthorized network drop-down list. For most eval orgs, you will select
default, which is the network that Google Cloud created for you when you created your Google Cloud project. If you have a different Cloud network and want to use it, select it from the list. (Note that the network must have a /22CIDR block of IP addresses free.)If your project is using shared Virtual Private Cloud (VPC) networking, select the network that manages the network settings for your project. If you do not see that network in the dropdown list, have a user with permission to manage the network log in to complete this step. Then you can return to the wizard and continue. For more information on Shared VPC networking, seeUsing Shared VPC networks.
After you select a network the wizard displays the peering range selection options:
Select how you want Apigee to identify IP addresses for your network. For eval organizations it is most common to selectAutomatically allocate IP range. If you prefer to specify a range, selectSelect one or more existing IP ranges or create a new one. You must specify both a name and a specific IP range, like
10.20.238.0/22.ClickALLOCATE AND CONNECT to continue.
The wizard creates the network and allocates IP addresses for the services within that network. The network creation takes a couple of minutes to complete.
Apigee evaluation organization
Permissions required for this task
You can give the Apigee provisioner predefined roles that include the permissions needed to complete this task, or give more fine-grained permissions to provide the least privilege necessary. SeePredefined roles orOrganization creation permissions (eval org).
Create an Apigee evalorganization.
ClickEDIT next toApigee evaluation organization.
TheCreate an Apigee evaluation organization pane displays:
Select an analytics hosting region and a runtime location. For a list of available Apigee API Analytics and runtime locations, see Apigee locations.
ClickPROVISION.
The Apigee provisioning wizard creates the eval org and its associated runtime instance. The eval org will have the same name and ID as your project ID.
Note: This process can take up to 45 minutes.When it is done, a check will display next to theApigee evaluation organization step and theAccess routing step will be available.
Access routing
In this step, you choose whether to expose your new cluster to external requests or to keepit private (and only allow requests from within your VPC). The manner in which you access API proxies depends on whether you decide to allow externalrequests or restricted requests to internal only:
| Access Type | Description of the configuration and deployment process |
|---|---|
| External | Allow external access to API proxies. The wizard deploys a Hello World proxy to your runtime instance for you. You can then send a request to the API proxy from your administration machine or any machine with access to the internet. |
| Internal | Allow only internal access to API proxies. The wizard deploys a Hello World proxy to your runtime instance for you. You must manually create a new VM inside your VPC and connect to it. From the new VM, you can send requests to the API proxy. Caution: Because of alimitation on Google Cloud internal Application Load Balancer, the Apigee internal routing option does not support HTTP 1.0 requests. Incoming client requests that specify the HTTP 1.0 protocol will fail. Later HTTP versions are supported. |
Follow the steps under the External Access or Internal Access tab below:
External Access
This section describes how to configure routing when you're using the Apigee provisioning wizard and you want to allowexternal access to your API proxy.
Permissions required for this task
You can give the Apigee provisioner a predefined role that includes the permissions needed to complete this task, or give more fine-grained permissions to provide the least privilege necessary. SeePredefined roles andAccess routing permissions.
To configure routing for external access in the Apigee provisioning wizard:
- Open theApigeeprovisioning wizard if it is not currently open. The wizard returns to the most recent incomplete task in the list.
ClickEDIT next toAccess routing.
SelectEnable internet access from the Configure access panel.
The wizard displays additional options for configuring the instance:
- For the domain setting, enter a valid DNS name that you own, or choose to use a wildcard DNS service, such asnip.io. If you choose the wildcard service, a static external IP address is reserved for you. The wildcard option is easy to use, but is only recommended for testing purposes.
- (Optional) You can change the virtual machine instance name to something more meaningful. As part of the provisioning process, Apigee creates a managed instance group (MIG) containing multiple VMs to proxy traffic between the load balancer and the Apigee runtime. To change the VM instance name, clickEDIT and make your changes.
- Select the subnet used to host the MIG of VMs to bridge to the Apigee runtime. The subnet size can be small (e.g. /28) as it needs to host at most three VMs. The subnet can be shared and used by VMs or other entities.
If you are using a wildcard DNS service, just note that a Google-managed certificate will be created for the domain. You do not have to take further action. See also Using Google-managed SSL certificates.
If you are using your own domain, select whether to supply a certificate you manage or use aGoogle-managed certificate:
- Supply aself-managed certificate:
- Generate a certificate/key pair if you don't already have one. For test environments, this can be a self-signed certificate. For a production system you should use a certificate signed by a Certificate Authority. SeeUsing self-managed SSL certificates.
- In the respective fields, browse your file system and attach the files containing the certificate and private key. Both must be PEM-formatted.
- Use aGoogle-managed certificate. To use aGoogle-managed certificate, do not enter a signed certificate or RSA private key. The Google-managed certificate will be created for you.
- Supply aself-managed certificate:
ClickSET ACCESS.
Apigee prepares your cluster for external access. This includes setting up the MIG to proxy traffic, creating firewall rules, uploading certificates, and creating a load balancer.
This process can take several minutes to complete.
When Apigee finishes setting up your runtime's access, you'll notice that there is a blue check mark next to all steps in the wizard:
ClickCONTINUE.
The wizard displaysRecommended next steps. The steps shown depend on whether you used your own DNS name or a wildcard DNS.
Note: DNS changes are published immediately, but may take time to propagate. Because of this delay, you may have to wait up to an hour before you can call the sample proxy.- If you specified your own domain name, go to your domain registrar and create an A record for your domain hostname that points to the IP address shown in the wizard. When that is done, clickLaunch to call the API proxy that was deployed for you.
- If you used a wildcard DNS, then just clickLaunch to call thehello-world API proxy that was deployed for you.
- (Optional) Add users and roles for your organization. SeeUsers and roles.
You have now completed the steps to configure external internet access to API proxies.
Internal Access
This section describes how to configure routing when you're using the Apigee provisioning wizard and youdo not want to allow external access to your API proxy. Instead, you want to limit access tointernal requests only that originate from within the VPC.
Caution: Because of alimitation on Google Cloud internal Application Load Balancer, the Apigee internal routing option does not support HTTP 1.0 requests. Incoming client requests that specify the HTTP 1.0 protocol will fail. Later HTTP versions are supported.To configure routing for internal access in the Apigee provisioning wizard:
- ClickEDIT next to the Access Routing step.
SelectNo internet access in theConfigure access to the 'eval-group' env group panel.
- ClickCONTINUE.
You'll notice that there is a blue check mark next to all steps in the wizard. This indicates all steps were completed successfully:
- ClickCONTINUE.
- To test your newly provisioned organization, follow the instructions inCalling an API proxy with internal-only access. In those steps, you will create a Virtual Machine (VM) inside your VPC from which API proxy requests can be sent to the internal load balancer (ingress), which forwards them to your Apigee runtime instance. For convenience, the provisioning wizard created and deployed a test proxy for you, called
hello-world. - (Optional) Add users and roles for your organization. SeeUsers and roles.
If you encounter errors during this part of the process, seeTroubleshooting.
View organization details
Finally, open the Apigee UI to view details about your organization.
Permissions required for this task
If you have Apigee Org Admin role, you can complete this task. To learn about other roles you can employ for using the Apigee UI, seeApigee roles.
- ClickOPEN APIGEE CONSOLE to open theApigee UI.
- Make sure the project you just created is selected in the Apigee UI. For example:
If the org you just created is not the one selected, click the project name to drop down a list of projects.
If your project is not in the list of available projects, you may need to wait a few moments before it is available. Refresh your browser and check again.
ClickAdmin to see the configuration of your org:
Location Property Value Admin > Instances Name eval-instanceIP address This is your org's internal load balancer IP address. Admin > Environments > Overview Environment name evalAdmin > Environments > Groups Environment group eval-groupAdmin > Environments > Groups Hostnames PROJECT_NAME-eval.apigee.net- ClickDevelop > API Proxies. Apigee created an API proxy called
hello-worldfor you when you provisioned the eval org.Location Property Value Develop > API Proxies API proxy hello-world
Deleting an evaluation organization
To delete (ordeprovision) an eval organization, use thegcloud alpha apigee organizations delete command.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.