The gcp:apigee/instance:Instance resource, part of the Pulumi GCP provider, provisions the Apigee runtime dataplane: the infrastructure that executes API proxies in a specific region. This guide focuses on three capabilities: VPC peering and network connectivity, IP address allocation strategies, and customer-managed encryption.
Apigee instances belong to an Apigee Organization and require VPC networking infrastructure with service networking peering. The examples are intentionally small. Combine them with your own VPC configuration, KMS keys, and environment attachments.
Create a runtime instance with VPC peering
Most deployments start by provisioning a runtime instance in a region, connected to a VPC through service networking peering.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const apigeeNetwork = new gcp.compute.Network("apigee_network", {name: "apigee-network"});
const apigeeRange = new gcp.compute.GlobalAddress("apigee_range", {
name: "apigee-range",
purpose: "VPC_PEERING",
addressType: "INTERNAL",
prefixLength: 16,
network: apigeeNetwork.id,
});
const apigeeVpcConnection = new gcp.servicenetworking.Connection("apigee_vpc_connection", {
network: apigeeNetwork.id,
service: "servicenetworking.googleapis.com",
reservedPeeringRanges: [apigeeRange.name],
});
const apigeeOrg = new gcp.apigee.Organization("apigee_org", {
analyticsRegion: "us-central1",
projectId: current.then(current => current.project),
authorizedNetwork: apigeeNetwork.id,
}, {
dependsOn: [apigeeVpcConnection],
});
const apigeeInstance = new gcp.apigee.Instance("apigee_instance", {
name: "my-instance-name",
location: "us-central1",
orgId: apigeeOrg.id,
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
apigee_network = gcp.compute.Network("apigee_network", name="apigee-network")
apigee_range = gcp.compute.GlobalAddress("apigee_range",
name="apigee-range",
purpose="VPC_PEERING",
address_type="INTERNAL",
prefix_length=16,
network=apigee_network.id)
apigee_vpc_connection = gcp.servicenetworking.Connection("apigee_vpc_connection",
network=apigee_network.id,
service="servicenetworking.googleapis.com",
reserved_peering_ranges=[apigee_range.name])
apigee_org = gcp.apigee.Organization("apigee_org",
analytics_region="us-central1",
project_id=current.project,
authorized_network=apigee_network.id,
opts = pulumi.ResourceOptions(depends_on=[apigee_vpc_connection]))
apigee_instance = gcp.apigee.Instance("apigee_instance",
name="my-instance-name",
location="us-central1",
org_id=apigee_org.id)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicenetworking"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
apigeeNetwork, err := compute.NewNetwork(ctx, "apigee_network", &compute.NetworkArgs{
Name: pulumi.String("apigee-network"),
})
if err != nil {
return err
}
apigeeRange, err := compute.NewGlobalAddress(ctx, "apigee_range", &compute.GlobalAddressArgs{
Name: pulumi.String("apigee-range"),
Purpose: pulumi.String("VPC_PEERING"),
AddressType: pulumi.String("INTERNAL"),
PrefixLength: pulumi.Int(16),
Network: apigeeNetwork.ID(),
})
if err != nil {
return err
}
apigeeVpcConnection, err := servicenetworking.NewConnection(ctx, "apigee_vpc_connection", &servicenetworking.ConnectionArgs{
Network: apigeeNetwork.ID(),
Service: pulumi.String("servicenetworking.googleapis.com"),
ReservedPeeringRanges: pulumi.StringArray{
apigeeRange.Name,
},
})
if err != nil {
return err
}
apigeeOrg, err := apigee.NewOrganization(ctx, "apigee_org", &apigee.OrganizationArgs{
AnalyticsRegion: pulumi.String("us-central1"),
ProjectId: pulumi.String(current.Project),
AuthorizedNetwork: apigeeNetwork.ID(),
}, pulumi.DependsOn([]pulumi.Resource{
apigeeVpcConnection,
}))
if err != nil {
return err
}
_, err = apigee.NewInstance(ctx, "apigee_instance", &apigee.InstanceArgs{
Name: pulumi.String("my-instance-name"),
Location: pulumi.String("us-central1"),
OrgId: apigeeOrg.ID(),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var apigeeNetwork = new Gcp.Compute.Network("apigee_network", new()
{
Name = "apigee-network",
});
var apigeeRange = new Gcp.Compute.GlobalAddress("apigee_range", new()
{
Name = "apigee-range",
Purpose = "VPC_PEERING",
AddressType = "INTERNAL",
PrefixLength = 16,
Network = apigeeNetwork.Id,
});
var apigeeVpcConnection = new Gcp.ServiceNetworking.Connection("apigee_vpc_connection", new()
{
Network = apigeeNetwork.Id,
Service = "servicenetworking.googleapis.com",
ReservedPeeringRanges = new[]
{
apigeeRange.Name,
},
});
var apigeeOrg = new Gcp.Apigee.Organization("apigee_org", new()
{
AnalyticsRegion = "us-central1",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
AuthorizedNetwork = apigeeNetwork.Id,
}, new CustomResourceOptions
{
DependsOn =
{
apigeeVpcConnection,
},
});
var apigeeInstance = new Gcp.Apigee.Instance("apigee_instance", new()
{
Name = "my-instance-name",
Location = "us-central1",
OrgId = apigeeOrg.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.GlobalAddress;
import com.pulumi.gcp.compute.GlobalAddressArgs;
import com.pulumi.gcp.servicenetworking.Connection;
import com.pulumi.gcp.servicenetworking.ConnectionArgs;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import com.pulumi.gcp.apigee.Instance;
import com.pulumi.gcp.apigee.InstanceArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var apigeeNetwork = new Network("apigeeNetwork", NetworkArgs.builder()
.name("apigee-network")
.build());
var apigeeRange = new GlobalAddress("apigeeRange", GlobalAddressArgs.builder()
.name("apigee-range")
.purpose("VPC_PEERING")
.addressType("INTERNAL")
.prefixLength(16)
.network(apigeeNetwork.id())
.build());
var apigeeVpcConnection = new Connection("apigeeVpcConnection", ConnectionArgs.builder()
.network(apigeeNetwork.id())
.service("servicenetworking.googleapis.com")
.reservedPeeringRanges(apigeeRange.name())
.build());
var apigeeOrg = new Organization("apigeeOrg", OrganizationArgs.builder()
.analyticsRegion("us-central1")
.projectId(current.project())
.authorizedNetwork(apigeeNetwork.id())
.build(), CustomResourceOptions.builder()
.dependsOn(apigeeVpcConnection)
.build());
var apigeeInstance = new Instance("apigeeInstance", InstanceArgs.builder()
.name("my-instance-name")
.location("us-central1")
.orgId(apigeeOrg.id())
.build());
}
}
resources:
apigeeNetwork:
type: gcp:compute:Network
name: apigee_network
properties:
name: apigee-network
apigeeRange:
type: gcp:compute:GlobalAddress
name: apigee_range
properties:
name: apigee-range
purpose: VPC_PEERING
addressType: INTERNAL
prefixLength: 16
network: ${apigeeNetwork.id}
apigeeVpcConnection:
type: gcp:servicenetworking:Connection
name: apigee_vpc_connection
properties:
network: ${apigeeNetwork.id}
service: servicenetworking.googleapis.com
reservedPeeringRanges:
- ${apigeeRange.name}
apigeeOrg:
type: gcp:apigee:Organization
name: apigee_org
properties:
analyticsRegion: us-central1
projectId: ${current.project}
authorizedNetwork: ${apigeeNetwork.id}
options:
dependsOn:
- ${apigeeVpcConnection}
apigeeInstance:
type: gcp:apigee:Instance
name: apigee_instance
properties:
name: my-instance-name
location: us-central1
orgId: ${apigeeOrg.id}
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
The instance runs in the specified location and connects to your VPC through the service networking connection. The orgId ties the instance to your Apigee Organization. The VPC peering setup (Network, GlobalAddress, Connection) must complete before the instance can be created, establishing the network path for API traffic.
Specify CIDR block size with peeringCidrRange
When you need control over IP allocation size, specify a CIDR range using predefined values.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const apigeeNetwork = new gcp.compute.Network("apigee_network", {name: "apigee-network"});
const apigeeRange = new gcp.compute.GlobalAddress("apigee_range", {
name: "apigee-range",
purpose: "VPC_PEERING",
addressType: "INTERNAL",
prefixLength: 22,
network: apigeeNetwork.id,
});
const apigeeVpcConnection = new gcp.servicenetworking.Connection("apigee_vpc_connection", {
network: apigeeNetwork.id,
service: "servicenetworking.googleapis.com",
reservedPeeringRanges: [apigeeRange.name],
});
const apigeeOrg = new gcp.apigee.Organization("apigee_org", {
analyticsRegion: "us-central1",
projectId: current.then(current => current.project),
authorizedNetwork: apigeeNetwork.id,
}, {
dependsOn: [apigeeVpcConnection],
});
const apigeeInstance = new gcp.apigee.Instance("apigee_instance", {
name: "my-instance-name",
location: "us-central1",
orgId: apigeeOrg.id,
peeringCidrRange: "SLASH_22",
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
apigee_network = gcp.compute.Network("apigee_network", name="apigee-network")
apigee_range = gcp.compute.GlobalAddress("apigee_range",
name="apigee-range",
purpose="VPC_PEERING",
address_type="INTERNAL",
prefix_length=22,
network=apigee_network.id)
apigee_vpc_connection = gcp.servicenetworking.Connection("apigee_vpc_connection",
network=apigee_network.id,
service="servicenetworking.googleapis.com",
reserved_peering_ranges=[apigee_range.name])
apigee_org = gcp.apigee.Organization("apigee_org",
analytics_region="us-central1",
project_id=current.project,
authorized_network=apigee_network.id,
opts = pulumi.ResourceOptions(depends_on=[apigee_vpc_connection]))
apigee_instance = gcp.apigee.Instance("apigee_instance",
name="my-instance-name",
location="us-central1",
org_id=apigee_org.id,
peering_cidr_range="SLASH_22")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicenetworking"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
apigeeNetwork, err := compute.NewNetwork(ctx, "apigee_network", &compute.NetworkArgs{
Name: pulumi.String("apigee-network"),
})
if err != nil {
return err
}
apigeeRange, err := compute.NewGlobalAddress(ctx, "apigee_range", &compute.GlobalAddressArgs{
Name: pulumi.String("apigee-range"),
Purpose: pulumi.String("VPC_PEERING"),
AddressType: pulumi.String("INTERNAL"),
PrefixLength: pulumi.Int(22),
Network: apigeeNetwork.ID(),
})
if err != nil {
return err
}
apigeeVpcConnection, err := servicenetworking.NewConnection(ctx, "apigee_vpc_connection", &servicenetworking.ConnectionArgs{
Network: apigeeNetwork.ID(),
Service: pulumi.String("servicenetworking.googleapis.com"),
ReservedPeeringRanges: pulumi.StringArray{
apigeeRange.Name,
},
})
if err != nil {
return err
}
apigeeOrg, err := apigee.NewOrganization(ctx, "apigee_org", &apigee.OrganizationArgs{
AnalyticsRegion: pulumi.String("us-central1"),
ProjectId: pulumi.String(current.Project),
AuthorizedNetwork: apigeeNetwork.ID(),
}, pulumi.DependsOn([]pulumi.Resource{
apigeeVpcConnection,
}))
if err != nil {
return err
}
_, err = apigee.NewInstance(ctx, "apigee_instance", &apigee.InstanceArgs{
Name: pulumi.String("my-instance-name"),
Location: pulumi.String("us-central1"),
OrgId: apigeeOrg.ID(),
PeeringCidrRange: pulumi.String("SLASH_22"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var apigeeNetwork = new Gcp.Compute.Network("apigee_network", new()
{
Name = "apigee-network",
});
var apigeeRange = new Gcp.Compute.GlobalAddress("apigee_range", new()
{
Name = "apigee-range",
Purpose = "VPC_PEERING",
AddressType = "INTERNAL",
PrefixLength = 22,
Network = apigeeNetwork.Id,
});
var apigeeVpcConnection = new Gcp.ServiceNetworking.Connection("apigee_vpc_connection", new()
{
Network = apigeeNetwork.Id,
Service = "servicenetworking.googleapis.com",
ReservedPeeringRanges = new[]
{
apigeeRange.Name,
},
});
var apigeeOrg = new Gcp.Apigee.Organization("apigee_org", new()
{
AnalyticsRegion = "us-central1",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
AuthorizedNetwork = apigeeNetwork.Id,
}, new CustomResourceOptions
{
DependsOn =
{
apigeeVpcConnection,
},
});
var apigeeInstance = new Gcp.Apigee.Instance("apigee_instance", new()
{
Name = "my-instance-name",
Location = "us-central1",
OrgId = apigeeOrg.Id,
PeeringCidrRange = "SLASH_22",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.GlobalAddress;
import com.pulumi.gcp.compute.GlobalAddressArgs;
import com.pulumi.gcp.servicenetworking.Connection;
import com.pulumi.gcp.servicenetworking.ConnectionArgs;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import com.pulumi.gcp.apigee.Instance;
import com.pulumi.gcp.apigee.InstanceArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var apigeeNetwork = new Network("apigeeNetwork", NetworkArgs.builder()
.name("apigee-network")
.build());
var apigeeRange = new GlobalAddress("apigeeRange", GlobalAddressArgs.builder()
.name("apigee-range")
.purpose("VPC_PEERING")
.addressType("INTERNAL")
.prefixLength(22)
.network(apigeeNetwork.id())
.build());
var apigeeVpcConnection = new Connection("apigeeVpcConnection", ConnectionArgs.builder()
.network(apigeeNetwork.id())
.service("servicenetworking.googleapis.com")
.reservedPeeringRanges(apigeeRange.name())
.build());
var apigeeOrg = new Organization("apigeeOrg", OrganizationArgs.builder()
.analyticsRegion("us-central1")
.projectId(current.project())
.authorizedNetwork(apigeeNetwork.id())
.build(), CustomResourceOptions.builder()
.dependsOn(apigeeVpcConnection)
.build());
var apigeeInstance = new Instance("apigeeInstance", InstanceArgs.builder()
.name("my-instance-name")
.location("us-central1")
.orgId(apigeeOrg.id())
.peeringCidrRange("SLASH_22")
.build());
}
}
resources:
apigeeNetwork:
type: gcp:compute:Network
name: apigee_network
properties:
name: apigee-network
apigeeRange:
type: gcp:compute:GlobalAddress
name: apigee_range
properties:
name: apigee-range
purpose: VPC_PEERING
addressType: INTERNAL
prefixLength: 22
network: ${apigeeNetwork.id}
apigeeVpcConnection:
type: gcp:servicenetworking:Connection
name: apigee_vpc_connection
properties:
network: ${apigeeNetwork.id}
service: servicenetworking.googleapis.com
reservedPeeringRanges:
- ${apigeeRange.name}
apigeeOrg:
type: gcp:apigee:Organization
name: apigee_org
properties:
analyticsRegion: us-central1
projectId: ${current.project}
authorizedNetwork: ${apigeeNetwork.id}
options:
dependsOn:
- ${apigeeVpcConnection}
apigeeInstance:
type: gcp:apigee:Instance
name: apigee_instance
properties:
name: my-instance-name
location: us-central1
orgId: ${apigeeOrg.id}
peeringCidrRange: SLASH_22
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
The peeringCidrRange property sets the size of the IP block Apigee reserves. Valid values like SLASH_22 or SLASH_23 determine how many IP addresses are allocated. This example uses a /22 reserved range in the VPC peering setup to match the SLASH_22 specification.
Provide a specific IP range with ipRange
For strict network planning, specify the exact CIDR block the instance should use.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const apigeeNetwork = new gcp.compute.Network("apigee_network", {name: "apigee-network"});
const apigeeRange = new gcp.compute.GlobalAddress("apigee_range", {
name: "apigee-range",
purpose: "VPC_PEERING",
addressType: "INTERNAL",
prefixLength: 22,
network: apigeeNetwork.id,
});
const apigeeVpcConnection = new gcp.servicenetworking.Connection("apigee_vpc_connection", {
network: apigeeNetwork.id,
service: "servicenetworking.googleapis.com",
reservedPeeringRanges: [apigeeRange.name],
});
const apigeeOrg = new gcp.apigee.Organization("apigee_org", {
analyticsRegion: "us-central1",
projectId: current.then(current => current.project),
authorizedNetwork: apigeeNetwork.id,
}, {
dependsOn: [apigeeVpcConnection],
});
const apigeeInstance = new gcp.apigee.Instance("apigee_instance", {
name: "my-instance-name",
location: "us-central1",
orgId: apigeeOrg.id,
ipRange: "10.87.8.0/22",
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
apigee_network = gcp.compute.Network("apigee_network", name="apigee-network")
apigee_range = gcp.compute.GlobalAddress("apigee_range",
name="apigee-range",
purpose="VPC_PEERING",
address_type="INTERNAL",
prefix_length=22,
network=apigee_network.id)
apigee_vpc_connection = gcp.servicenetworking.Connection("apigee_vpc_connection",
network=apigee_network.id,
service="servicenetworking.googleapis.com",
reserved_peering_ranges=[apigee_range.name])
apigee_org = gcp.apigee.Organization("apigee_org",
analytics_region="us-central1",
project_id=current.project,
authorized_network=apigee_network.id,
opts = pulumi.ResourceOptions(depends_on=[apigee_vpc_connection]))
apigee_instance = gcp.apigee.Instance("apigee_instance",
name="my-instance-name",
location="us-central1",
org_id=apigee_org.id,
ip_range="10.87.8.0/22")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicenetworking"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
apigeeNetwork, err := compute.NewNetwork(ctx, "apigee_network", &compute.NetworkArgs{
Name: pulumi.String("apigee-network"),
})
if err != nil {
return err
}
apigeeRange, err := compute.NewGlobalAddress(ctx, "apigee_range", &compute.GlobalAddressArgs{
Name: pulumi.String("apigee-range"),
Purpose: pulumi.String("VPC_PEERING"),
AddressType: pulumi.String("INTERNAL"),
PrefixLength: pulumi.Int(22),
Network: apigeeNetwork.ID(),
})
if err != nil {
return err
}
apigeeVpcConnection, err := servicenetworking.NewConnection(ctx, "apigee_vpc_connection", &servicenetworking.ConnectionArgs{
Network: apigeeNetwork.ID(),
Service: pulumi.String("servicenetworking.googleapis.com"),
ReservedPeeringRanges: pulumi.StringArray{
apigeeRange.Name,
},
})
if err != nil {
return err
}
apigeeOrg, err := apigee.NewOrganization(ctx, "apigee_org", &apigee.OrganizationArgs{
AnalyticsRegion: pulumi.String("us-central1"),
ProjectId: pulumi.String(current.Project),
AuthorizedNetwork: apigeeNetwork.ID(),
}, pulumi.DependsOn([]pulumi.Resource{
apigeeVpcConnection,
}))
if err != nil {
return err
}
_, err = apigee.NewInstance(ctx, "apigee_instance", &apigee.InstanceArgs{
Name: pulumi.String("my-instance-name"),
Location: pulumi.String("us-central1"),
OrgId: apigeeOrg.ID(),
IpRange: pulumi.String("10.87.8.0/22"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var apigeeNetwork = new Gcp.Compute.Network("apigee_network", new()
{
Name = "apigee-network",
});
var apigeeRange = new Gcp.Compute.GlobalAddress("apigee_range", new()
{
Name = "apigee-range",
Purpose = "VPC_PEERING",
AddressType = "INTERNAL",
PrefixLength = 22,
Network = apigeeNetwork.Id,
});
var apigeeVpcConnection = new Gcp.ServiceNetworking.Connection("apigee_vpc_connection", new()
{
Network = apigeeNetwork.Id,
Service = "servicenetworking.googleapis.com",
ReservedPeeringRanges = new[]
{
apigeeRange.Name,
},
});
var apigeeOrg = new Gcp.Apigee.Organization("apigee_org", new()
{
AnalyticsRegion = "us-central1",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
AuthorizedNetwork = apigeeNetwork.Id,
}, new CustomResourceOptions
{
DependsOn =
{
apigeeVpcConnection,
},
});
var apigeeInstance = new Gcp.Apigee.Instance("apigee_instance", new()
{
Name = "my-instance-name",
Location = "us-central1",
OrgId = apigeeOrg.Id,
IpRange = "10.87.8.0/22",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.GlobalAddress;
import com.pulumi.gcp.compute.GlobalAddressArgs;
import com.pulumi.gcp.servicenetworking.Connection;
import com.pulumi.gcp.servicenetworking.ConnectionArgs;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import com.pulumi.gcp.apigee.Instance;
import com.pulumi.gcp.apigee.InstanceArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var apigeeNetwork = new Network("apigeeNetwork", NetworkArgs.builder()
.name("apigee-network")
.build());
var apigeeRange = new GlobalAddress("apigeeRange", GlobalAddressArgs.builder()
.name("apigee-range")
.purpose("VPC_PEERING")
.addressType("INTERNAL")
.prefixLength(22)
.network(apigeeNetwork.id())
.build());
var apigeeVpcConnection = new Connection("apigeeVpcConnection", ConnectionArgs.builder()
.network(apigeeNetwork.id())
.service("servicenetworking.googleapis.com")
.reservedPeeringRanges(apigeeRange.name())
.build());
var apigeeOrg = new Organization("apigeeOrg", OrganizationArgs.builder()
.analyticsRegion("us-central1")
.projectId(current.project())
.authorizedNetwork(apigeeNetwork.id())
.build(), CustomResourceOptions.builder()
.dependsOn(apigeeVpcConnection)
.build());
var apigeeInstance = new Instance("apigeeInstance", InstanceArgs.builder()
.name("my-instance-name")
.location("us-central1")
.orgId(apigeeOrg.id())
.ipRange("10.87.8.0/22")
.build());
}
}
resources:
apigeeNetwork:
type: gcp:compute:Network
name: apigee_network
properties:
name: apigee-network
apigeeRange:
type: gcp:compute:GlobalAddress
name: apigee_range
properties:
name: apigee-range
purpose: VPC_PEERING
addressType: INTERNAL
prefixLength: 22
network: ${apigeeNetwork.id}
apigeeVpcConnection:
type: gcp:servicenetworking:Connection
name: apigee_vpc_connection
properties:
network: ${apigeeNetwork.id}
service: servicenetworking.googleapis.com
reservedPeeringRanges:
- ${apigeeRange.name}
apigeeOrg:
type: gcp:apigee:Organization
name: apigee_org
properties:
analyticsRegion: us-central1
projectId: ${current.project}
authorizedNetwork: ${apigeeNetwork.id}
options:
dependsOn:
- ${apigeeVpcConnection}
apigeeInstance:
type: gcp:apigee:Instance
name: apigee_instance
properties:
name: my-instance-name
location: us-central1
orgId: ${apigeeOrg.id}
ipRange: 10.87.8.0/22
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
The ipRange property accepts a /22 CIDR block in “a.b.c.d/22” format. This range must be available within your service networking peering allocation. Use this when you need precise control over which IP addresses Apigee uses, rather than letting it allocate automatically.
Enable disk encryption with customer-managed keys
Organizations with compliance requirements encrypt instance storage using their own KMS keys.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const apigeeNetwork = new gcp.compute.Network("apigee_network", {name: "apigee-network"});
const apigeeRange = new gcp.compute.GlobalAddress("apigee_range", {
name: "apigee-range",
purpose: "VPC_PEERING",
addressType: "INTERNAL",
prefixLength: 16,
network: apigeeNetwork.id,
});
const apigeeVpcConnection = new gcp.servicenetworking.Connection("apigee_vpc_connection", {
network: apigeeNetwork.id,
service: "servicenetworking.googleapis.com",
reservedPeeringRanges: [apigeeRange.name],
});
const apigeeKeyring = new gcp.kms.KeyRing("apigee_keyring", {
name: "apigee-keyring",
location: "us-central1",
});
const apigeeKey = new gcp.kms.CryptoKey("apigee_key", {
name: "apigee-key",
keyRing: apigeeKeyring.id,
});
const apigeeSa = new gcp.projects.ServiceIdentity("apigee_sa", {
project: project.projectId,
service: apigee.service,
});
const apigeeSaKeyuser = new gcp.kms.CryptoKeyIAMMember("apigee_sa_keyuser", {
cryptoKeyId: apigeeKey.id,
role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
member: apigeeSa.member,
});
const apigeeOrg = new gcp.apigee.Organization("apigee_org", {
analyticsRegion: "us-central1",
displayName: "apigee-org",
description: "Auto-provisioned Apigee Org.",
projectId: current.then(current => current.project),
authorizedNetwork: apigeeNetwork.id,
runtimeDatabaseEncryptionKeyName: apigeeKey.id,
}, {
dependsOn: [
apigeeVpcConnection,
apigeeSaKeyuser,
],
});
const apigeeInstance = new gcp.apigee.Instance("apigee_instance", {
name: "my-instance-name",
location: "us-central1",
description: "Auto-managed Apigee Runtime Instance",
displayName: "my-instance-name",
orgId: apigeeOrg.id,
diskEncryptionKeyName: apigeeKey.id,
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
apigee_network = gcp.compute.Network("apigee_network", name="apigee-network")
apigee_range = gcp.compute.GlobalAddress("apigee_range",
name="apigee-range",
purpose="VPC_PEERING",
address_type="INTERNAL",
prefix_length=16,
network=apigee_network.id)
apigee_vpc_connection = gcp.servicenetworking.Connection("apigee_vpc_connection",
network=apigee_network.id,
service="servicenetworking.googleapis.com",
reserved_peering_ranges=[apigee_range.name])
apigee_keyring = gcp.kms.KeyRing("apigee_keyring",
name="apigee-keyring",
location="us-central1")
apigee_key = gcp.kms.CryptoKey("apigee_key",
name="apigee-key",
key_ring=apigee_keyring.id)
apigee_sa = gcp.projects.ServiceIdentity("apigee_sa",
project=project["projectId"],
service=apigee["service"])
apigee_sa_keyuser = gcp.kms.CryptoKeyIAMMember("apigee_sa_keyuser",
crypto_key_id=apigee_key.id,
role="roles/cloudkms.cryptoKeyEncrypterDecrypter",
member=apigee_sa.member)
apigee_org = gcp.apigee.Organization("apigee_org",
analytics_region="us-central1",
display_name="apigee-org",
description="Auto-provisioned Apigee Org.",
project_id=current.project,
authorized_network=apigee_network.id,
runtime_database_encryption_key_name=apigee_key.id,
opts = pulumi.ResourceOptions(depends_on=[
apigee_vpc_connection,
apigee_sa_keyuser,
]))
apigee_instance = gcp.apigee.Instance("apigee_instance",
name="my-instance-name",
location="us-central1",
description="Auto-managed Apigee Runtime Instance",
display_name="my-instance-name",
org_id=apigee_org.id,
disk_encryption_key_name=apigee_key.id)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/kms"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/projects"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicenetworking"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
apigeeNetwork, err := compute.NewNetwork(ctx, "apigee_network", &compute.NetworkArgs{
Name: pulumi.String("apigee-network"),
})
if err != nil {
return err
}
apigeeRange, err := compute.NewGlobalAddress(ctx, "apigee_range", &compute.GlobalAddressArgs{
Name: pulumi.String("apigee-range"),
Purpose: pulumi.String("VPC_PEERING"),
AddressType: pulumi.String("INTERNAL"),
PrefixLength: pulumi.Int(16),
Network: apigeeNetwork.ID(),
})
if err != nil {
return err
}
apigeeVpcConnection, err := servicenetworking.NewConnection(ctx, "apigee_vpc_connection", &servicenetworking.ConnectionArgs{
Network: apigeeNetwork.ID(),
Service: pulumi.String("servicenetworking.googleapis.com"),
ReservedPeeringRanges: pulumi.StringArray{
apigeeRange.Name,
},
})
if err != nil {
return err
}
apigeeKeyring, err := kms.NewKeyRing(ctx, "apigee_keyring", &kms.KeyRingArgs{
Name: pulumi.String("apigee-keyring"),
Location: pulumi.String("us-central1"),
})
if err != nil {
return err
}
apigeeKey, err := kms.NewCryptoKey(ctx, "apigee_key", &kms.CryptoKeyArgs{
Name: pulumi.String("apigee-key"),
KeyRing: apigeeKeyring.ID(),
})
if err != nil {
return err
}
apigeeSa, err := projects.NewServiceIdentity(ctx, "apigee_sa", &projects.ServiceIdentityArgs{
Project: pulumi.Any(project.ProjectId),
Service: pulumi.Any(apigee.Service),
})
if err != nil {
return err
}
apigeeSaKeyuser, err := kms.NewCryptoKeyIAMMember(ctx, "apigee_sa_keyuser", &kms.CryptoKeyIAMMemberArgs{
CryptoKeyId: apigeeKey.ID(),
Role: pulumi.String("roles/cloudkms.cryptoKeyEncrypterDecrypter"),
Member: apigeeSa.Member,
})
if err != nil {
return err
}
apigeeOrg, err := apigee.NewOrganization(ctx, "apigee_org", &apigee.OrganizationArgs{
AnalyticsRegion: pulumi.String("us-central1"),
DisplayName: pulumi.String("apigee-org"),
Description: pulumi.String("Auto-provisioned Apigee Org."),
ProjectId: pulumi.String(current.Project),
AuthorizedNetwork: apigeeNetwork.ID(),
RuntimeDatabaseEncryptionKeyName: apigeeKey.ID(),
}, pulumi.DependsOn([]pulumi.Resource{
apigeeVpcConnection,
apigeeSaKeyuser,
}))
if err != nil {
return err
}
_, err = apigee.NewInstance(ctx, "apigee_instance", &apigee.InstanceArgs{
Name: pulumi.String("my-instance-name"),
Location: pulumi.String("us-central1"),
Description: pulumi.String("Auto-managed Apigee Runtime Instance"),
DisplayName: pulumi.String("my-instance-name"),
OrgId: apigeeOrg.ID(),
DiskEncryptionKeyName: apigeeKey.ID(),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var apigeeNetwork = new Gcp.Compute.Network("apigee_network", new()
{
Name = "apigee-network",
});
var apigeeRange = new Gcp.Compute.GlobalAddress("apigee_range", new()
{
Name = "apigee-range",
Purpose = "VPC_PEERING",
AddressType = "INTERNAL",
PrefixLength = 16,
Network = apigeeNetwork.Id,
});
var apigeeVpcConnection = new Gcp.ServiceNetworking.Connection("apigee_vpc_connection", new()
{
Network = apigeeNetwork.Id,
Service = "servicenetworking.googleapis.com",
ReservedPeeringRanges = new[]
{
apigeeRange.Name,
},
});
var apigeeKeyring = new Gcp.Kms.KeyRing("apigee_keyring", new()
{
Name = "apigee-keyring",
Location = "us-central1",
});
var apigeeKey = new Gcp.Kms.CryptoKey("apigee_key", new()
{
Name = "apigee-key",
KeyRing = apigeeKeyring.Id,
});
var apigeeSa = new Gcp.Projects.ServiceIdentity("apigee_sa", new()
{
Project = project.ProjectId,
Service = apigee.Service,
});
var apigeeSaKeyuser = new Gcp.Kms.CryptoKeyIAMMember("apigee_sa_keyuser", new()
{
CryptoKeyId = apigeeKey.Id,
Role = "roles/cloudkms.cryptoKeyEncrypterDecrypter",
Member = apigeeSa.Member,
});
var apigeeOrg = new Gcp.Apigee.Organization("apigee_org", new()
{
AnalyticsRegion = "us-central1",
DisplayName = "apigee-org",
Description = "Auto-provisioned Apigee Org.",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
AuthorizedNetwork = apigeeNetwork.Id,
RuntimeDatabaseEncryptionKeyName = apigeeKey.Id,
}, new CustomResourceOptions
{
DependsOn =
{
apigeeVpcConnection,
apigeeSaKeyuser,
},
});
var apigeeInstance = new Gcp.Apigee.Instance("apigee_instance", new()
{
Name = "my-instance-name",
Location = "us-central1",
Description = "Auto-managed Apigee Runtime Instance",
DisplayName = "my-instance-name",
OrgId = apigeeOrg.Id,
DiskEncryptionKeyName = apigeeKey.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.GlobalAddress;
import com.pulumi.gcp.compute.GlobalAddressArgs;
import com.pulumi.gcp.servicenetworking.Connection;
import com.pulumi.gcp.servicenetworking.ConnectionArgs;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import com.pulumi.gcp.projects.ServiceIdentity;
import com.pulumi.gcp.projects.ServiceIdentityArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import com.pulumi.gcp.apigee.Instance;
import com.pulumi.gcp.apigee.InstanceArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var apigeeNetwork = new Network("apigeeNetwork", NetworkArgs.builder()
.name("apigee-network")
.build());
var apigeeRange = new GlobalAddress("apigeeRange", GlobalAddressArgs.builder()
.name("apigee-range")
.purpose("VPC_PEERING")
.addressType("INTERNAL")
.prefixLength(16)
.network(apigeeNetwork.id())
.build());
var apigeeVpcConnection = new Connection("apigeeVpcConnection", ConnectionArgs.builder()
.network(apigeeNetwork.id())
.service("servicenetworking.googleapis.com")
.reservedPeeringRanges(apigeeRange.name())
.build());
var apigeeKeyring = new KeyRing("apigeeKeyring", KeyRingArgs.builder()
.name("apigee-keyring")
.location("us-central1")
.build());
var apigeeKey = new CryptoKey("apigeeKey", CryptoKeyArgs.builder()
.name("apigee-key")
.keyRing(apigeeKeyring.id())
.build());
var apigeeSa = new ServiceIdentity("apigeeSa", ServiceIdentityArgs.builder()
.project(project.projectId())
.service(apigee.service())
.build());
var apigeeSaKeyuser = new CryptoKeyIAMMember("apigeeSaKeyuser", CryptoKeyIAMMemberArgs.builder()
.cryptoKeyId(apigeeKey.id())
.role("roles/cloudkms.cryptoKeyEncrypterDecrypter")
.member(apigeeSa.member())
.build());
var apigeeOrg = new Organization("apigeeOrg", OrganizationArgs.builder()
.analyticsRegion("us-central1")
.displayName("apigee-org")
.description("Auto-provisioned Apigee Org.")
.projectId(current.project())
.authorizedNetwork(apigeeNetwork.id())
.runtimeDatabaseEncryptionKeyName(apigeeKey.id())
.build(), CustomResourceOptions.builder()
.dependsOn(
apigeeVpcConnection,
apigeeSaKeyuser)
.build());
var apigeeInstance = new Instance("apigeeInstance", InstanceArgs.builder()
.name("my-instance-name")
.location("us-central1")
.description("Auto-managed Apigee Runtime Instance")
.displayName("my-instance-name")
.orgId(apigeeOrg.id())
.diskEncryptionKeyName(apigeeKey.id())
.build());
}
}
resources:
apigeeNetwork:
type: gcp:compute:Network
name: apigee_network
properties:
name: apigee-network
apigeeRange:
type: gcp:compute:GlobalAddress
name: apigee_range
properties:
name: apigee-range
purpose: VPC_PEERING
addressType: INTERNAL
prefixLength: 16
network: ${apigeeNetwork.id}
apigeeVpcConnection:
type: gcp:servicenetworking:Connection
name: apigee_vpc_connection
properties:
network: ${apigeeNetwork.id}
service: servicenetworking.googleapis.com
reservedPeeringRanges:
- ${apigeeRange.name}
apigeeKeyring:
type: gcp:kms:KeyRing
name: apigee_keyring
properties:
name: apigee-keyring
location: us-central1
apigeeKey:
type: gcp:kms:CryptoKey
name: apigee_key
properties:
name: apigee-key
keyRing: ${apigeeKeyring.id}
apigeeSa:
type: gcp:projects:ServiceIdentity
name: apigee_sa
properties:
project: ${project.projectId}
service: ${apigee.service}
apigeeSaKeyuser:
type: gcp:kms:CryptoKeyIAMMember
name: apigee_sa_keyuser
properties:
cryptoKeyId: ${apigeeKey.id}
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
member: ${apigeeSa.member}
apigeeOrg:
type: gcp:apigee:Organization
name: apigee_org
properties:
analyticsRegion: us-central1
displayName: apigee-org
description: Auto-provisioned Apigee Org.
projectId: ${current.project}
authorizedNetwork: ${apigeeNetwork.id}
runtimeDatabaseEncryptionKeyName: ${apigeeKey.id}
options:
dependsOn:
- ${apigeeVpcConnection}
- ${apigeeSaKeyuser}
apigeeInstance:
type: gcp:apigee:Instance
name: apigee_instance
properties:
name: my-instance-name
location: us-central1
description: Auto-managed Apigee Runtime Instance
displayName: my-instance-name
orgId: ${apigeeOrg.id}
diskEncryptionKeyName: ${apigeeKey.id}
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
The diskEncryptionKeyName property references a Cloud KMS CryptoKey for encrypting instance disks and volumes. The ServiceIdentity resource creates the Apigee service account, and CryptoKeyIAMMember grants it permission to use the key. Customer-managed encryption is required for Apigee paid subscriptions.
Beyond these examples
These snippets focus on specific instance-level features: VPC peering and network connectivity, IP address allocation (automatic, sized, and explicit), and customer-managed encryption keys. They’re intentionally minimal rather than full API management deployments.
The examples reference pre-existing infrastructure such as an Apigee Organization (created in each example but represents a prerequisite), GCP project with Apigee API enabled, and VPC network with service networking peering. They focus on configuring the runtime instance rather than provisioning the complete Apigee platform.
To keep things focused, common instance patterns are omitted, including:
- Access logging configuration (accessLoggingConfig)
- Consumer accept lists for Private Service Connect
- Instance metadata (displayName, description)
- Runtime configuration and environment attachments
These omissions are intentional: the goal is to illustrate how each instance feature is wired, not provide drop-in API platform modules. See the Apigee Instance resource reference for all available configuration options.
Let's deploy GCP Apigee Runtime Instances
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Immutability
What properties can't I change after creating an Apigee instance?
Many properties are immutable after creation, including
location, name, orgId, peeringCidrRange, ipRange, diskEncryptionKeyName, description, displayName, and accessLoggingConfig. Plan these values carefully, as changes require recreating the instance.What's the difference between peeringCidrRange and ipRange?
peeringCidrRange uses enum values like SLASH_22 to specify the CIDR block size, while ipRange accepts specific CIDR notation like 10.87.8.0/22. Both are immutable. If ipRange isn’t provided, Apigee automatically requests a /22 CIDR block from Service Networking.Networking & VPC Peering
How do I set up VPC peering for my Apigee instance?
Create a
gcp.compute.Network, gcp.compute.GlobalAddress with purpose: "VPC_PEERING", and gcp.servicenetworking.Connection. Use dependsOn on the Apigee organization to ensure the VPC connection is established first.What projects can connect to my instance by default?
By default, the customer project associated with the Apigee organization is included in
consumerAcceptLists, allowing it to privately connect to the service attachment.Encryption & Security
Do I need to configure customer-managed encryption keys for my instance?
Customer-managed encryption keys (CMEK) via
diskEncryptionKeyName are required for Apigee paid subscriptions only. Free tier instances don’t require CMEK configuration.How do I set up customer-managed encryption keys?
Create a
gcp.kms.KeyRing and gcp.kms.CryptoKey, then create a gcp.projects.ServiceIdentity for Apigee and grant it roles/cloudkms.cryptoKeyEncrypterDecrypter via gcp.kms.CryptoKeyIAMMember. Use dependsOn on the organization to ensure IAM permissions are set before creation.Why do I need dependsOn when using CMEK?
The Apigee service identity needs
cryptoKeyEncrypterDecrypter permissions on the KMS key before the organization can be created. Using dependsOn ensures the IAM binding is complete before Apigee attempts to use the key.Using a different cloud?
Explore integration guides for other cloud providers: