The gcp:apigee/instance:Instance resource, part of the Pulumi GCP provider, provisions an Apigee runtime instance: the dataplane that executes API proxies in a specific region. This guide focuses on three capabilities: VPC peering and network setup, IP range allocation strategies, and customer-managed encryption.
Apigee instances belong to an Apigee Organization and require VPC network infrastructure with Service Networking peering. The examples are intentionally small. Combine them with your own VPC networks, organizations, and encryption keys.
Create a runtime instance with VPC peering
Most deployments start by provisioning a runtime instance in a region, connected to a VPC through Service Networking peering.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const apigeeNetwork = new gcp.compute.Network("apigee_network", {name: "apigee-network"});
const apigeeRange = new gcp.compute.GlobalAddress("apigee_range", {
name: "apigee-range",
purpose: "VPC_PEERING",
addressType: "INTERNAL",
prefixLength: 16,
network: apigeeNetwork.id,
});
const apigeeVpcConnection = new gcp.servicenetworking.Connection("apigee_vpc_connection", {
network: apigeeNetwork.id,
service: "servicenetworking.googleapis.com",
reservedPeeringRanges: [apigeeRange.name],
});
const apigeeOrg = new gcp.apigee.Organization("apigee_org", {
analyticsRegion: "us-central1",
projectId: current.then(current => current.project),
authorizedNetwork: apigeeNetwork.id,
}, {
dependsOn: [apigeeVpcConnection],
});
const apigeeInstance = new gcp.apigee.Instance("apigee_instance", {
name: "my-instance-name",
location: "us-central1",
orgId: apigeeOrg.id,
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
apigee_network = gcp.compute.Network("apigee_network", name="apigee-network")
apigee_range = gcp.compute.GlobalAddress("apigee_range",
name="apigee-range",
purpose="VPC_PEERING",
address_type="INTERNAL",
prefix_length=16,
network=apigee_network.id)
apigee_vpc_connection = gcp.servicenetworking.Connection("apigee_vpc_connection",
network=apigee_network.id,
service="servicenetworking.googleapis.com",
reserved_peering_ranges=[apigee_range.name])
apigee_org = gcp.apigee.Organization("apigee_org",
analytics_region="us-central1",
project_id=current.project,
authorized_network=apigee_network.id,
opts = pulumi.ResourceOptions(depends_on=[apigee_vpc_connection]))
apigee_instance = gcp.apigee.Instance("apigee_instance",
name="my-instance-name",
location="us-central1",
org_id=apigee_org.id)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicenetworking"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
apigeeNetwork, err := compute.NewNetwork(ctx, "apigee_network", &compute.NetworkArgs{
Name: pulumi.String("apigee-network"),
})
if err != nil {
return err
}
apigeeRange, err := compute.NewGlobalAddress(ctx, "apigee_range", &compute.GlobalAddressArgs{
Name: pulumi.String("apigee-range"),
Purpose: pulumi.String("VPC_PEERING"),
AddressType: pulumi.String("INTERNAL"),
PrefixLength: pulumi.Int(16),
Network: apigeeNetwork.ID(),
})
if err != nil {
return err
}
apigeeVpcConnection, err := servicenetworking.NewConnection(ctx, "apigee_vpc_connection", &servicenetworking.ConnectionArgs{
Network: apigeeNetwork.ID(),
Service: pulumi.String("servicenetworking.googleapis.com"),
ReservedPeeringRanges: pulumi.StringArray{
apigeeRange.Name,
},
})
if err != nil {
return err
}
apigeeOrg, err := apigee.NewOrganization(ctx, "apigee_org", &apigee.OrganizationArgs{
AnalyticsRegion: pulumi.String("us-central1"),
ProjectId: pulumi.String(current.Project),
AuthorizedNetwork: apigeeNetwork.ID(),
}, pulumi.DependsOn([]pulumi.Resource{
apigeeVpcConnection,
}))
if err != nil {
return err
}
_, err = apigee.NewInstance(ctx, "apigee_instance", &apigee.InstanceArgs{
Name: pulumi.String("my-instance-name"),
Location: pulumi.String("us-central1"),
OrgId: apigeeOrg.ID(),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var apigeeNetwork = new Gcp.Compute.Network("apigee_network", new()
{
Name = "apigee-network",
});
var apigeeRange = new Gcp.Compute.GlobalAddress("apigee_range", new()
{
Name = "apigee-range",
Purpose = "VPC_PEERING",
AddressType = "INTERNAL",
PrefixLength = 16,
Network = apigeeNetwork.Id,
});
var apigeeVpcConnection = new Gcp.ServiceNetworking.Connection("apigee_vpc_connection", new()
{
Network = apigeeNetwork.Id,
Service = "servicenetworking.googleapis.com",
ReservedPeeringRanges = new[]
{
apigeeRange.Name,
},
});
var apigeeOrg = new Gcp.Apigee.Organization("apigee_org", new()
{
AnalyticsRegion = "us-central1",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
AuthorizedNetwork = apigeeNetwork.Id,
}, new CustomResourceOptions
{
DependsOn =
{
apigeeVpcConnection,
},
});
var apigeeInstance = new Gcp.Apigee.Instance("apigee_instance", new()
{
Name = "my-instance-name",
Location = "us-central1",
OrgId = apigeeOrg.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.GlobalAddress;
import com.pulumi.gcp.compute.GlobalAddressArgs;
import com.pulumi.gcp.servicenetworking.Connection;
import com.pulumi.gcp.servicenetworking.ConnectionArgs;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import com.pulumi.gcp.apigee.Instance;
import com.pulumi.gcp.apigee.InstanceArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var apigeeNetwork = new Network("apigeeNetwork", NetworkArgs.builder()
.name("apigee-network")
.build());
var apigeeRange = new GlobalAddress("apigeeRange", GlobalAddressArgs.builder()
.name("apigee-range")
.purpose("VPC_PEERING")
.addressType("INTERNAL")
.prefixLength(16)
.network(apigeeNetwork.id())
.build());
var apigeeVpcConnection = new Connection("apigeeVpcConnection", ConnectionArgs.builder()
.network(apigeeNetwork.id())
.service("servicenetworking.googleapis.com")
.reservedPeeringRanges(apigeeRange.name())
.build());
var apigeeOrg = new Organization("apigeeOrg", OrganizationArgs.builder()
.analyticsRegion("us-central1")
.projectId(current.project())
.authorizedNetwork(apigeeNetwork.id())
.build(), CustomResourceOptions.builder()
.dependsOn(apigeeVpcConnection)
.build());
var apigeeInstance = new Instance("apigeeInstance", InstanceArgs.builder()
.name("my-instance-name")
.location("us-central1")
.orgId(apigeeOrg.id())
.build());
}
}
resources:
apigeeNetwork:
type: gcp:compute:Network
name: apigee_network
properties:
name: apigee-network
apigeeRange:
type: gcp:compute:GlobalAddress
name: apigee_range
properties:
name: apigee-range
purpose: VPC_PEERING
addressType: INTERNAL
prefixLength: 16
network: ${apigeeNetwork.id}
apigeeVpcConnection:
type: gcp:servicenetworking:Connection
name: apigee_vpc_connection
properties:
network: ${apigeeNetwork.id}
service: servicenetworking.googleapis.com
reservedPeeringRanges:
- ${apigeeRange.name}
apigeeOrg:
type: gcp:apigee:Organization
name: apigee_org
properties:
analyticsRegion: us-central1
projectId: ${current.project}
authorizedNetwork: ${apigeeNetwork.id}
options:
dependsOn:
- ${apigeeVpcConnection}
apigeeInstance:
type: gcp:apigee:Instance
name: apigee_instance
properties:
name: my-instance-name
location: us-central1
orgId: ${apigeeOrg.id}
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
The instance runs in the specified location and connects to your VPC through the Service Networking connection. The orgId ties the instance to your Apigee Organization. The VPC peering setup (network, reserved IP range, and connection) must complete before the instance can provision.
Control IP allocation with CIDR range sizing
When you need predictable IP space, specify the CIDR block size that Apigee reserves from your peering range.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const apigeeNetwork = new gcp.compute.Network("apigee_network", {name: "apigee-network"});
const apigeeRange = new gcp.compute.GlobalAddress("apigee_range", {
name: "apigee-range",
purpose: "VPC_PEERING",
addressType: "INTERNAL",
prefixLength: 22,
network: apigeeNetwork.id,
});
const apigeeVpcConnection = new gcp.servicenetworking.Connection("apigee_vpc_connection", {
network: apigeeNetwork.id,
service: "servicenetworking.googleapis.com",
reservedPeeringRanges: [apigeeRange.name],
});
const apigeeOrg = new gcp.apigee.Organization("apigee_org", {
analyticsRegion: "us-central1",
projectId: current.then(current => current.project),
authorizedNetwork: apigeeNetwork.id,
}, {
dependsOn: [apigeeVpcConnection],
});
const apigeeInstance = new gcp.apigee.Instance("apigee_instance", {
name: "my-instance-name",
location: "us-central1",
orgId: apigeeOrg.id,
peeringCidrRange: "SLASH_22",
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
apigee_network = gcp.compute.Network("apigee_network", name="apigee-network")
apigee_range = gcp.compute.GlobalAddress("apigee_range",
name="apigee-range",
purpose="VPC_PEERING",
address_type="INTERNAL",
prefix_length=22,
network=apigee_network.id)
apigee_vpc_connection = gcp.servicenetworking.Connection("apigee_vpc_connection",
network=apigee_network.id,
service="servicenetworking.googleapis.com",
reserved_peering_ranges=[apigee_range.name])
apigee_org = gcp.apigee.Organization("apigee_org",
analytics_region="us-central1",
project_id=current.project,
authorized_network=apigee_network.id,
opts = pulumi.ResourceOptions(depends_on=[apigee_vpc_connection]))
apigee_instance = gcp.apigee.Instance("apigee_instance",
name="my-instance-name",
location="us-central1",
org_id=apigee_org.id,
peering_cidr_range="SLASH_22")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicenetworking"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
apigeeNetwork, err := compute.NewNetwork(ctx, "apigee_network", &compute.NetworkArgs{
Name: pulumi.String("apigee-network"),
})
if err != nil {
return err
}
apigeeRange, err := compute.NewGlobalAddress(ctx, "apigee_range", &compute.GlobalAddressArgs{
Name: pulumi.String("apigee-range"),
Purpose: pulumi.String("VPC_PEERING"),
AddressType: pulumi.String("INTERNAL"),
PrefixLength: pulumi.Int(22),
Network: apigeeNetwork.ID(),
})
if err != nil {
return err
}
apigeeVpcConnection, err := servicenetworking.NewConnection(ctx, "apigee_vpc_connection", &servicenetworking.ConnectionArgs{
Network: apigeeNetwork.ID(),
Service: pulumi.String("servicenetworking.googleapis.com"),
ReservedPeeringRanges: pulumi.StringArray{
apigeeRange.Name,
},
})
if err != nil {
return err
}
apigeeOrg, err := apigee.NewOrganization(ctx, "apigee_org", &apigee.OrganizationArgs{
AnalyticsRegion: pulumi.String("us-central1"),
ProjectId: pulumi.String(current.Project),
AuthorizedNetwork: apigeeNetwork.ID(),
}, pulumi.DependsOn([]pulumi.Resource{
apigeeVpcConnection,
}))
if err != nil {
return err
}
_, err = apigee.NewInstance(ctx, "apigee_instance", &apigee.InstanceArgs{
Name: pulumi.String("my-instance-name"),
Location: pulumi.String("us-central1"),
OrgId: apigeeOrg.ID(),
PeeringCidrRange: pulumi.String("SLASH_22"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var apigeeNetwork = new Gcp.Compute.Network("apigee_network", new()
{
Name = "apigee-network",
});
var apigeeRange = new Gcp.Compute.GlobalAddress("apigee_range", new()
{
Name = "apigee-range",
Purpose = "VPC_PEERING",
AddressType = "INTERNAL",
PrefixLength = 22,
Network = apigeeNetwork.Id,
});
var apigeeVpcConnection = new Gcp.ServiceNetworking.Connection("apigee_vpc_connection", new()
{
Network = apigeeNetwork.Id,
Service = "servicenetworking.googleapis.com",
ReservedPeeringRanges = new[]
{
apigeeRange.Name,
},
});
var apigeeOrg = new Gcp.Apigee.Organization("apigee_org", new()
{
AnalyticsRegion = "us-central1",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
AuthorizedNetwork = apigeeNetwork.Id,
}, new CustomResourceOptions
{
DependsOn =
{
apigeeVpcConnection,
},
});
var apigeeInstance = new Gcp.Apigee.Instance("apigee_instance", new()
{
Name = "my-instance-name",
Location = "us-central1",
OrgId = apigeeOrg.Id,
PeeringCidrRange = "SLASH_22",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.GlobalAddress;
import com.pulumi.gcp.compute.GlobalAddressArgs;
import com.pulumi.gcp.servicenetworking.Connection;
import com.pulumi.gcp.servicenetworking.ConnectionArgs;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import com.pulumi.gcp.apigee.Instance;
import com.pulumi.gcp.apigee.InstanceArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var apigeeNetwork = new Network("apigeeNetwork", NetworkArgs.builder()
.name("apigee-network")
.build());
var apigeeRange = new GlobalAddress("apigeeRange", GlobalAddressArgs.builder()
.name("apigee-range")
.purpose("VPC_PEERING")
.addressType("INTERNAL")
.prefixLength(22)
.network(apigeeNetwork.id())
.build());
var apigeeVpcConnection = new Connection("apigeeVpcConnection", ConnectionArgs.builder()
.network(apigeeNetwork.id())
.service("servicenetworking.googleapis.com")
.reservedPeeringRanges(apigeeRange.name())
.build());
var apigeeOrg = new Organization("apigeeOrg", OrganizationArgs.builder()
.analyticsRegion("us-central1")
.projectId(current.project())
.authorizedNetwork(apigeeNetwork.id())
.build(), CustomResourceOptions.builder()
.dependsOn(apigeeVpcConnection)
.build());
var apigeeInstance = new Instance("apigeeInstance", InstanceArgs.builder()
.name("my-instance-name")
.location("us-central1")
.orgId(apigeeOrg.id())
.peeringCidrRange("SLASH_22")
.build());
}
}
resources:
apigeeNetwork:
type: gcp:compute:Network
name: apigee_network
properties:
name: apigee-network
apigeeRange:
type: gcp:compute:GlobalAddress
name: apigee_range
properties:
name: apigee-range
purpose: VPC_PEERING
addressType: INTERNAL
prefixLength: 22
network: ${apigeeNetwork.id}
apigeeVpcConnection:
type: gcp:servicenetworking:Connection
name: apigee_vpc_connection
properties:
network: ${apigeeNetwork.id}
service: servicenetworking.googleapis.com
reservedPeeringRanges:
- ${apigeeRange.name}
apigeeOrg:
type: gcp:apigee:Organization
name: apigee_org
properties:
analyticsRegion: us-central1
projectId: ${current.project}
authorizedNetwork: ${apigeeNetwork.id}
options:
dependsOn:
- ${apigeeVpcConnection}
apigeeInstance:
type: gcp:apigee:Instance
name: apigee_instance
properties:
name: my-instance-name
location: us-central1
orgId: ${apigeeOrg.id}
peeringCidrRange: SLASH_22
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
The peeringCidrRange property controls how much IP space Apigee reserves. Valid values like SLASH_22 correspond to /22 CIDR blocks. This approach lets Apigee auto-allocate the specific range while you control the size.
Specify an exact IP range for the instance
For strict network planning, provide the exact IP range rather than letting Apigee auto-allocate.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const apigeeNetwork = new gcp.compute.Network("apigee_network", {name: "apigee-network"});
const apigeeRange = new gcp.compute.GlobalAddress("apigee_range", {
name: "apigee-range",
purpose: "VPC_PEERING",
addressType: "INTERNAL",
prefixLength: 22,
network: apigeeNetwork.id,
});
const apigeeVpcConnection = new gcp.servicenetworking.Connection("apigee_vpc_connection", {
network: apigeeNetwork.id,
service: "servicenetworking.googleapis.com",
reservedPeeringRanges: [apigeeRange.name],
});
const apigeeOrg = new gcp.apigee.Organization("apigee_org", {
analyticsRegion: "us-central1",
projectId: current.then(current => current.project),
authorizedNetwork: apigeeNetwork.id,
}, {
dependsOn: [apigeeVpcConnection],
});
const apigeeInstance = new gcp.apigee.Instance("apigee_instance", {
name: "my-instance-name",
location: "us-central1",
orgId: apigeeOrg.id,
ipRange: "10.87.8.0/22",
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
apigee_network = gcp.compute.Network("apigee_network", name="apigee-network")
apigee_range = gcp.compute.GlobalAddress("apigee_range",
name="apigee-range",
purpose="VPC_PEERING",
address_type="INTERNAL",
prefix_length=22,
network=apigee_network.id)
apigee_vpc_connection = gcp.servicenetworking.Connection("apigee_vpc_connection",
network=apigee_network.id,
service="servicenetworking.googleapis.com",
reserved_peering_ranges=[apigee_range.name])
apigee_org = gcp.apigee.Organization("apigee_org",
analytics_region="us-central1",
project_id=current.project,
authorized_network=apigee_network.id,
opts = pulumi.ResourceOptions(depends_on=[apigee_vpc_connection]))
apigee_instance = gcp.apigee.Instance("apigee_instance",
name="my-instance-name",
location="us-central1",
org_id=apigee_org.id,
ip_range="10.87.8.0/22")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicenetworking"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
apigeeNetwork, err := compute.NewNetwork(ctx, "apigee_network", &compute.NetworkArgs{
Name: pulumi.String("apigee-network"),
})
if err != nil {
return err
}
apigeeRange, err := compute.NewGlobalAddress(ctx, "apigee_range", &compute.GlobalAddressArgs{
Name: pulumi.String("apigee-range"),
Purpose: pulumi.String("VPC_PEERING"),
AddressType: pulumi.String("INTERNAL"),
PrefixLength: pulumi.Int(22),
Network: apigeeNetwork.ID(),
})
if err != nil {
return err
}
apigeeVpcConnection, err := servicenetworking.NewConnection(ctx, "apigee_vpc_connection", &servicenetworking.ConnectionArgs{
Network: apigeeNetwork.ID(),
Service: pulumi.String("servicenetworking.googleapis.com"),
ReservedPeeringRanges: pulumi.StringArray{
apigeeRange.Name,
},
})
if err != nil {
return err
}
apigeeOrg, err := apigee.NewOrganization(ctx, "apigee_org", &apigee.OrganizationArgs{
AnalyticsRegion: pulumi.String("us-central1"),
ProjectId: pulumi.String(current.Project),
AuthorizedNetwork: apigeeNetwork.ID(),
}, pulumi.DependsOn([]pulumi.Resource{
apigeeVpcConnection,
}))
if err != nil {
return err
}
_, err = apigee.NewInstance(ctx, "apigee_instance", &apigee.InstanceArgs{
Name: pulumi.String("my-instance-name"),
Location: pulumi.String("us-central1"),
OrgId: apigeeOrg.ID(),
IpRange: pulumi.String("10.87.8.0/22"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var apigeeNetwork = new Gcp.Compute.Network("apigee_network", new()
{
Name = "apigee-network",
});
var apigeeRange = new Gcp.Compute.GlobalAddress("apigee_range", new()
{
Name = "apigee-range",
Purpose = "VPC_PEERING",
AddressType = "INTERNAL",
PrefixLength = 22,
Network = apigeeNetwork.Id,
});
var apigeeVpcConnection = new Gcp.ServiceNetworking.Connection("apigee_vpc_connection", new()
{
Network = apigeeNetwork.Id,
Service = "servicenetworking.googleapis.com",
ReservedPeeringRanges = new[]
{
apigeeRange.Name,
},
});
var apigeeOrg = new Gcp.Apigee.Organization("apigee_org", new()
{
AnalyticsRegion = "us-central1",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
AuthorizedNetwork = apigeeNetwork.Id,
}, new CustomResourceOptions
{
DependsOn =
{
apigeeVpcConnection,
},
});
var apigeeInstance = new Gcp.Apigee.Instance("apigee_instance", new()
{
Name = "my-instance-name",
Location = "us-central1",
OrgId = apigeeOrg.Id,
IpRange = "10.87.8.0/22",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.GlobalAddress;
import com.pulumi.gcp.compute.GlobalAddressArgs;
import com.pulumi.gcp.servicenetworking.Connection;
import com.pulumi.gcp.servicenetworking.ConnectionArgs;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import com.pulumi.gcp.apigee.Instance;
import com.pulumi.gcp.apigee.InstanceArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var apigeeNetwork = new Network("apigeeNetwork", NetworkArgs.builder()
.name("apigee-network")
.build());
var apigeeRange = new GlobalAddress("apigeeRange", GlobalAddressArgs.builder()
.name("apigee-range")
.purpose("VPC_PEERING")
.addressType("INTERNAL")
.prefixLength(22)
.network(apigeeNetwork.id())
.build());
var apigeeVpcConnection = new Connection("apigeeVpcConnection", ConnectionArgs.builder()
.network(apigeeNetwork.id())
.service("servicenetworking.googleapis.com")
.reservedPeeringRanges(apigeeRange.name())
.build());
var apigeeOrg = new Organization("apigeeOrg", OrganizationArgs.builder()
.analyticsRegion("us-central1")
.projectId(current.project())
.authorizedNetwork(apigeeNetwork.id())
.build(), CustomResourceOptions.builder()
.dependsOn(apigeeVpcConnection)
.build());
var apigeeInstance = new Instance("apigeeInstance", InstanceArgs.builder()
.name("my-instance-name")
.location("us-central1")
.orgId(apigeeOrg.id())
.ipRange("10.87.8.0/22")
.build());
}
}
resources:
apigeeNetwork:
type: gcp:compute:Network
name: apigee_network
properties:
name: apigee-network
apigeeRange:
type: gcp:compute:GlobalAddress
name: apigee_range
properties:
name: apigee-range
purpose: VPC_PEERING
addressType: INTERNAL
prefixLength: 22
network: ${apigeeNetwork.id}
apigeeVpcConnection:
type: gcp:servicenetworking:Connection
name: apigee_vpc_connection
properties:
network: ${apigeeNetwork.id}
service: servicenetworking.googleapis.com
reservedPeeringRanges:
- ${apigeeRange.name}
apigeeOrg:
type: gcp:apigee:Organization
name: apigee_org
properties:
analyticsRegion: us-central1
projectId: ${current.project}
authorizedNetwork: ${apigeeNetwork.id}
options:
dependsOn:
- ${apigeeVpcConnection}
apigeeInstance:
type: gcp:apigee:Instance
name: apigee_instance
properties:
name: my-instance-name
location: us-central1
orgId: ${apigeeOrg.id}
ipRange: 10.87.8.0/22
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
The ipRange property accepts CIDR notation (e.g., “10.87.8.0/22”) and tells Apigee exactly which addresses to use. This range must be available in your Service Networking peering and is useful for firewall rules and routing configuration.
Add disk encryption with customer-managed keys
Paid subscriptions require customer-managed encryption keys for disk and volume encryption.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const apigeeNetwork = new gcp.compute.Network("apigee_network", {name: "apigee-network"});
const apigeeRange = new gcp.compute.GlobalAddress("apigee_range", {
name: "apigee-range",
purpose: "VPC_PEERING",
addressType: "INTERNAL",
prefixLength: 16,
network: apigeeNetwork.id,
});
const apigeeVpcConnection = new gcp.servicenetworking.Connection("apigee_vpc_connection", {
network: apigeeNetwork.id,
service: "servicenetworking.googleapis.com",
reservedPeeringRanges: [apigeeRange.name],
});
const apigeeKeyring = new gcp.kms.KeyRing("apigee_keyring", {
name: "apigee-keyring",
location: "us-central1",
});
const apigeeKey = new gcp.kms.CryptoKey("apigee_key", {
name: "apigee-key",
keyRing: apigeeKeyring.id,
});
const apigeeSa = new gcp.projects.ServiceIdentity("apigee_sa", {
project: project.projectId,
service: apigee.service,
});
const apigeeSaKeyuser = new gcp.kms.CryptoKeyIAMMember("apigee_sa_keyuser", {
cryptoKeyId: apigeeKey.id,
role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
member: apigeeSa.member,
});
const apigeeOrg = new gcp.apigee.Organization("apigee_org", {
analyticsRegion: "us-central1",
displayName: "apigee-org",
description: "Auto-provisioned Apigee Org.",
projectId: current.then(current => current.project),
authorizedNetwork: apigeeNetwork.id,
runtimeDatabaseEncryptionKeyName: apigeeKey.id,
}, {
dependsOn: [
apigeeVpcConnection,
apigeeSaKeyuser,
],
});
const apigeeInstance = new gcp.apigee.Instance("apigee_instance", {
name: "my-instance-name",
location: "us-central1",
description: "Auto-managed Apigee Runtime Instance",
displayName: "my-instance-name",
orgId: apigeeOrg.id,
diskEncryptionKeyName: apigeeKey.id,
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
apigee_network = gcp.compute.Network("apigee_network", name="apigee-network")
apigee_range = gcp.compute.GlobalAddress("apigee_range",
name="apigee-range",
purpose="VPC_PEERING",
address_type="INTERNAL",
prefix_length=16,
network=apigee_network.id)
apigee_vpc_connection = gcp.servicenetworking.Connection("apigee_vpc_connection",
network=apigee_network.id,
service="servicenetworking.googleapis.com",
reserved_peering_ranges=[apigee_range.name])
apigee_keyring = gcp.kms.KeyRing("apigee_keyring",
name="apigee-keyring",
location="us-central1")
apigee_key = gcp.kms.CryptoKey("apigee_key",
name="apigee-key",
key_ring=apigee_keyring.id)
apigee_sa = gcp.projects.ServiceIdentity("apigee_sa",
project=project["projectId"],
service=apigee["service"])
apigee_sa_keyuser = gcp.kms.CryptoKeyIAMMember("apigee_sa_keyuser",
crypto_key_id=apigee_key.id,
role="roles/cloudkms.cryptoKeyEncrypterDecrypter",
member=apigee_sa.member)
apigee_org = gcp.apigee.Organization("apigee_org",
analytics_region="us-central1",
display_name="apigee-org",
description="Auto-provisioned Apigee Org.",
project_id=current.project,
authorized_network=apigee_network.id,
runtime_database_encryption_key_name=apigee_key.id,
opts = pulumi.ResourceOptions(depends_on=[
apigee_vpc_connection,
apigee_sa_keyuser,
]))
apigee_instance = gcp.apigee.Instance("apigee_instance",
name="my-instance-name",
location="us-central1",
description="Auto-managed Apigee Runtime Instance",
display_name="my-instance-name",
org_id=apigee_org.id,
disk_encryption_key_name=apigee_key.id)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/kms"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/projects"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicenetworking"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
apigeeNetwork, err := compute.NewNetwork(ctx, "apigee_network", &compute.NetworkArgs{
Name: pulumi.String("apigee-network"),
})
if err != nil {
return err
}
apigeeRange, err := compute.NewGlobalAddress(ctx, "apigee_range", &compute.GlobalAddressArgs{
Name: pulumi.String("apigee-range"),
Purpose: pulumi.String("VPC_PEERING"),
AddressType: pulumi.String("INTERNAL"),
PrefixLength: pulumi.Int(16),
Network: apigeeNetwork.ID(),
})
if err != nil {
return err
}
apigeeVpcConnection, err := servicenetworking.NewConnection(ctx, "apigee_vpc_connection", &servicenetworking.ConnectionArgs{
Network: apigeeNetwork.ID(),
Service: pulumi.String("servicenetworking.googleapis.com"),
ReservedPeeringRanges: pulumi.StringArray{
apigeeRange.Name,
},
})
if err != nil {
return err
}
apigeeKeyring, err := kms.NewKeyRing(ctx, "apigee_keyring", &kms.KeyRingArgs{
Name: pulumi.String("apigee-keyring"),
Location: pulumi.String("us-central1"),
})
if err != nil {
return err
}
apigeeKey, err := kms.NewCryptoKey(ctx, "apigee_key", &kms.CryptoKeyArgs{
Name: pulumi.String("apigee-key"),
KeyRing: apigeeKeyring.ID(),
})
if err != nil {
return err
}
apigeeSa, err := projects.NewServiceIdentity(ctx, "apigee_sa", &projects.ServiceIdentityArgs{
Project: pulumi.Any(project.ProjectId),
Service: pulumi.Any(apigee.Service),
})
if err != nil {
return err
}
apigeeSaKeyuser, err := kms.NewCryptoKeyIAMMember(ctx, "apigee_sa_keyuser", &kms.CryptoKeyIAMMemberArgs{
CryptoKeyId: apigeeKey.ID(),
Role: pulumi.String("roles/cloudkms.cryptoKeyEncrypterDecrypter"),
Member: apigeeSa.Member,
})
if err != nil {
return err
}
apigeeOrg, err := apigee.NewOrganization(ctx, "apigee_org", &apigee.OrganizationArgs{
AnalyticsRegion: pulumi.String("us-central1"),
DisplayName: pulumi.String("apigee-org"),
Description: pulumi.String("Auto-provisioned Apigee Org."),
ProjectId: pulumi.String(current.Project),
AuthorizedNetwork: apigeeNetwork.ID(),
RuntimeDatabaseEncryptionKeyName: apigeeKey.ID(),
}, pulumi.DependsOn([]pulumi.Resource{
apigeeVpcConnection,
apigeeSaKeyuser,
}))
if err != nil {
return err
}
_, err = apigee.NewInstance(ctx, "apigee_instance", &apigee.InstanceArgs{
Name: pulumi.String("my-instance-name"),
Location: pulumi.String("us-central1"),
Description: pulumi.String("Auto-managed Apigee Runtime Instance"),
DisplayName: pulumi.String("my-instance-name"),
OrgId: apigeeOrg.ID(),
DiskEncryptionKeyName: apigeeKey.ID(),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var apigeeNetwork = new Gcp.Compute.Network("apigee_network", new()
{
Name = "apigee-network",
});
var apigeeRange = new Gcp.Compute.GlobalAddress("apigee_range", new()
{
Name = "apigee-range",
Purpose = "VPC_PEERING",
AddressType = "INTERNAL",
PrefixLength = 16,
Network = apigeeNetwork.Id,
});
var apigeeVpcConnection = new Gcp.ServiceNetworking.Connection("apigee_vpc_connection", new()
{
Network = apigeeNetwork.Id,
Service = "servicenetworking.googleapis.com",
ReservedPeeringRanges = new[]
{
apigeeRange.Name,
},
});
var apigeeKeyring = new Gcp.Kms.KeyRing("apigee_keyring", new()
{
Name = "apigee-keyring",
Location = "us-central1",
});
var apigeeKey = new Gcp.Kms.CryptoKey("apigee_key", new()
{
Name = "apigee-key",
KeyRing = apigeeKeyring.Id,
});
var apigeeSa = new Gcp.Projects.ServiceIdentity("apigee_sa", new()
{
Project = project.ProjectId,
Service = apigee.Service,
});
var apigeeSaKeyuser = new Gcp.Kms.CryptoKeyIAMMember("apigee_sa_keyuser", new()
{
CryptoKeyId = apigeeKey.Id,
Role = "roles/cloudkms.cryptoKeyEncrypterDecrypter",
Member = apigeeSa.Member,
});
var apigeeOrg = new Gcp.Apigee.Organization("apigee_org", new()
{
AnalyticsRegion = "us-central1",
DisplayName = "apigee-org",
Description = "Auto-provisioned Apigee Org.",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
AuthorizedNetwork = apigeeNetwork.Id,
RuntimeDatabaseEncryptionKeyName = apigeeKey.Id,
}, new CustomResourceOptions
{
DependsOn =
{
apigeeVpcConnection,
apigeeSaKeyuser,
},
});
var apigeeInstance = new Gcp.Apigee.Instance("apigee_instance", new()
{
Name = "my-instance-name",
Location = "us-central1",
Description = "Auto-managed Apigee Runtime Instance",
DisplayName = "my-instance-name",
OrgId = apigeeOrg.Id,
DiskEncryptionKeyName = apigeeKey.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.GlobalAddress;
import com.pulumi.gcp.compute.GlobalAddressArgs;
import com.pulumi.gcp.servicenetworking.Connection;
import com.pulumi.gcp.servicenetworking.ConnectionArgs;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import com.pulumi.gcp.projects.ServiceIdentity;
import com.pulumi.gcp.projects.ServiceIdentityArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import com.pulumi.gcp.apigee.Instance;
import com.pulumi.gcp.apigee.InstanceArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var apigeeNetwork = new Network("apigeeNetwork", NetworkArgs.builder()
.name("apigee-network")
.build());
var apigeeRange = new GlobalAddress("apigeeRange", GlobalAddressArgs.builder()
.name("apigee-range")
.purpose("VPC_PEERING")
.addressType("INTERNAL")
.prefixLength(16)
.network(apigeeNetwork.id())
.build());
var apigeeVpcConnection = new Connection("apigeeVpcConnection", ConnectionArgs.builder()
.network(apigeeNetwork.id())
.service("servicenetworking.googleapis.com")
.reservedPeeringRanges(apigeeRange.name())
.build());
var apigeeKeyring = new KeyRing("apigeeKeyring", KeyRingArgs.builder()
.name("apigee-keyring")
.location("us-central1")
.build());
var apigeeKey = new CryptoKey("apigeeKey", CryptoKeyArgs.builder()
.name("apigee-key")
.keyRing(apigeeKeyring.id())
.build());
var apigeeSa = new ServiceIdentity("apigeeSa", ServiceIdentityArgs.builder()
.project(project.projectId())
.service(apigee.service())
.build());
var apigeeSaKeyuser = new CryptoKeyIAMMember("apigeeSaKeyuser", CryptoKeyIAMMemberArgs.builder()
.cryptoKeyId(apigeeKey.id())
.role("roles/cloudkms.cryptoKeyEncrypterDecrypter")
.member(apigeeSa.member())
.build());
var apigeeOrg = new Organization("apigeeOrg", OrganizationArgs.builder()
.analyticsRegion("us-central1")
.displayName("apigee-org")
.description("Auto-provisioned Apigee Org.")
.projectId(current.project())
.authorizedNetwork(apigeeNetwork.id())
.runtimeDatabaseEncryptionKeyName(apigeeKey.id())
.build(), CustomResourceOptions.builder()
.dependsOn(
apigeeVpcConnection,
apigeeSaKeyuser)
.build());
var apigeeInstance = new Instance("apigeeInstance", InstanceArgs.builder()
.name("my-instance-name")
.location("us-central1")
.description("Auto-managed Apigee Runtime Instance")
.displayName("my-instance-name")
.orgId(apigeeOrg.id())
.diskEncryptionKeyName(apigeeKey.id())
.build());
}
}
resources:
apigeeNetwork:
type: gcp:compute:Network
name: apigee_network
properties:
name: apigee-network
apigeeRange:
type: gcp:compute:GlobalAddress
name: apigee_range
properties:
name: apigee-range
purpose: VPC_PEERING
addressType: INTERNAL
prefixLength: 16
network: ${apigeeNetwork.id}
apigeeVpcConnection:
type: gcp:servicenetworking:Connection
name: apigee_vpc_connection
properties:
network: ${apigeeNetwork.id}
service: servicenetworking.googleapis.com
reservedPeeringRanges:
- ${apigeeRange.name}
apigeeKeyring:
type: gcp:kms:KeyRing
name: apigee_keyring
properties:
name: apigee-keyring
location: us-central1
apigeeKey:
type: gcp:kms:CryptoKey
name: apigee_key
properties:
name: apigee-key
keyRing: ${apigeeKeyring.id}
apigeeSa:
type: gcp:projects:ServiceIdentity
name: apigee_sa
properties:
project: ${project.projectId}
service: ${apigee.service}
apigeeSaKeyuser:
type: gcp:kms:CryptoKeyIAMMember
name: apigee_sa_keyuser
properties:
cryptoKeyId: ${apigeeKey.id}
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
member: ${apigeeSa.member}
apigeeOrg:
type: gcp:apigee:Organization
name: apigee_org
properties:
analyticsRegion: us-central1
displayName: apigee-org
description: Auto-provisioned Apigee Org.
projectId: ${current.project}
authorizedNetwork: ${apigeeNetwork.id}
runtimeDatabaseEncryptionKeyName: ${apigeeKey.id}
options:
dependsOn:
- ${apigeeVpcConnection}
- ${apigeeSaKeyuser}
apigeeInstance:
type: gcp:apigee:Instance
name: apigee_instance
properties:
name: my-instance-name
location: us-central1
description: Auto-managed Apigee Runtime Instance
displayName: my-instance-name
orgId: ${apigeeOrg.id}
diskEncryptionKeyName: ${apigeeKey.id}
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
The diskEncryptionKeyName property references a Cloud KMS crypto key. Before the instance can use the key, the Apigee service account needs the cryptoKeyEncrypterDecrypter role. The dependsOn ensures the IAM binding completes before instance creation.
Beyond these examples
These snippets focus on specific instance-level features: VPC peering and network connectivity, IP range allocation (auto, sized, explicit), and customer-managed encryption keys. They’re intentionally minimal rather than full API management deployments.
The examples rely on pre-existing infrastructure such as VPC networks with Service Networking peering, Apigee Organizations, and KMS key rings and crypto keys for encryption. They focus on configuring the runtime instance rather than provisioning the surrounding infrastructure.
To keep things focused, common instance patterns are omitted, including:
- Access logging configuration (accessLoggingConfig)
- Consumer accept lists for Private Service Connect
- Instance scaling and performance tuning
- Environment and environment group attachments
These omissions are intentional: the goal is to illustrate how each instance feature is wired, not provide drop-in API platform modules. See the Apigee Instance resource reference for all available configuration options.
Let's deploy GCP Apigee Runtime Instances
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Instance Configuration & Immutability
What properties can't I change after creating an Apigee instance?
The following properties are immutable and require instance recreation if changed:
location, name, orgId, peeringCidrRange, ipRange, diskEncryptionKeyName, displayName, description, and accessLoggingConfig.What projects can privately connect to my Apigee instance?
By default, the customer project associated with the Apigee organization is included in
consumerAcceptLists. You can add additional project IDs/numbers during instance creation.Networking & VPC Setup
Why does my instance creation fail without VPC peering?
The VPC peering connection must complete before creating the Apigee instance. Use
dependsOn: [apigeeVpcConnection] to ensure proper ordering.Should I use peeringCidrRange or ipRange for IP allocation?
Use
peeringCidrRange (e.g., SLASH_22) to let Apigee automatically allocate a CIDR block from Service Networking. Use ipRange (e.g., 10.87.8.0/22) to provide a specific /22 CIDR block from your allocated range.What CIDR block size does Apigee require?
Apigee instances require a /22 CIDR block. If you don’t provide
ipRange, Apigee automatically requests an available /22 block from Service Networking.Encryption & Security
Do I need to configure customer-managed encryption keys?
Customer-managed encryption keys (CMEK) via
diskEncryptionKeyName are required for Apigee paid subscriptions only. They’re optional for other subscription types.How do I set up customer-managed encryption for my instance?
Create a KMS crypto key, provision the Apigee service identity, grant it
roles/cloudkms.cryptoKeyEncrypterDecrypter on the key, then set diskEncryptionKeyName to the key’s resource name. Use dependsOn to ensure IAM binding completes first.How do I enable access logging for my instance?
Configure
accessLoggingConfig during instance creation to ship access logs to your project’s Cloud Logging. This property is immutable after creation.Using a different cloud?
Explore integration guides for other cloud providers: