GSP906

Overview
In this lab, you learn how to add a new environment and environment group to an Apigee X org.
An environment is a runtime execution context for API proxies. An API proxy must be deployed to an environment before the API it exposes is accessible over the network.
An environment group is a logical grouping of environments. Hostnames are defined on an environment group, and Apigee routes requests to the environments within a group based on the hostname. The request will then be handled by an API proxy that is deployed to one of the environments in the environment group and also has a matching basepath.
The instructions in this lab are also appropriate for adding environments and environment groups to paid orgs.
Objectives
In this lab, you learn how to perform the following tasks:
- Add a second environment to an Apigee X org
- Add a second environment group to an Apigee X org, assigning environments and hostnames
- Deploy an environment to a runtime instance
- Deploy and call an API proxy in each environment
Setup and requirements
Before you click the Start Lab button
Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources are made available to you.
This hands-on lab lets you do the lab activities in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials you use to sign in and access Google Cloud for the duration of the lab.
To complete this lab, you need:
- Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito (recommended) or private browser window to run this lab. This prevents conflicts between your personal account and the student account, which may cause extra charges incurred to your personal account.
- Time to complete the lab—remember, once you start, you cannot pause a lab.
Note: Use only the student account for this lab. If you use a different Google Cloud account, you may incur charges to that account.How to start your lab and sign in to the Google Cloud console
- 
Click the Start Lab button. If you need to pay for the lab, a dialog opens for you to select your payment method.
On the left is the Lab Details pane with the following: 
- The Open Google Cloud console button
- Time remaining
- The temporary credentials that you must use for this lab
- Other information, if needed, to step through this lab
 
- 
Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser). The lab spins up resources, and then opens another tab that shows the Sign in page. Tip: Arrange the tabs in separate windows, side-by-side. Note: If you see the Choose an account dialog, click Use Another Account.
- 
If necessary, copy the Username below and paste it into the Sign in dialog. {{{user_0.username | "Username"}}}You can also find the Username in the Lab Details pane. 
- 
Click Next. 
- 
Copy the Password below and paste it into the Welcome dialog. {{{user_0.password | "Password"}}}You can also find the Password in the Lab Details pane. 
- 
Click Next. Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. 
 
Note: Using your own Google Cloud account for this lab may incur extra charges.
- 
Click through the subsequent pages: 
- Accept the terms and conditions.
- Do not add recovery options or two-factor authentication (because this is a temporary account).
- Do not sign up for free trials.
 
After a few moments, the Google Cloud console opens in this tab.
Note: To access Google Cloud products and services, click the Navigation menu or type the service or product name in the Search field.
 
Activate Cloud Shell
Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.
- 
Click Activate Cloud Shell  at the top of the Google Cloud console. at the top of the Google Cloud console.
 
- 
Click through the following windows: 
- Continue through the Cloud Shell information window.
- Authorize Cloud Shell to use your credentials to make Google Cloud API calls.
 
When you are connected, you are already authenticated, and the project is set to your Project_ID, . The output contains a line that declares the Project_ID for this session:
Your Cloud Platform project in this session is set to {{{project_0.project_id | "PROJECT_ID"}}}
gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.
- (Optional) You can list the active account name with this command:
gcloud auth list
- Click Authorize.
Output:
ACTIVE: *
ACCOUNT: {{{user_0.username | "ACCOUNT"}}}
To set the active account, run:
    $ gcloud config set account `ACCOUNT`
- (Optional) You can list the project ID with this command:
gcloud config list projectOutput:
[core]
project = {{{project_0.project_id | "PROJECT_ID"}}}
Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.
Open the Apigee console
To open the Apigee console:
- In the Google Cloud console, in the Search field, enter Apigee, and then click Apigee API Management in the search results.
The Apigee console opens, and the landing page shows quick links to commonly used locations.
- In the Navigation menu ( ), next to Apigee, click Pin ( ), next to Apigee, click Pin ( ). ).
Apigee is now pinned to the Navigation menu.
Task 1. Examine the eval environment and environment group
In this task, you explore environments and environment groups using the Apigee console.
An evaluation org for Apigee X initially contains a single environment named eval and a single environment group named eval-group. The eval environment is a member of the eval-group environment group.
- Navigate to Apigee UI in the Cloud console.
- Navigate to Management > Environments.
- In Environments tab, click on the eval environment.
The eval environment has been configured as a member of the eval-group environment group.
The eval environment is marked "Ready for deployment," indicating that API proxies may be deployed to the environment.
- Navigate to Management > Environments > Environment Groups.
- On the eval-group environment, click the three dots and then click Edit.
A single hostname (eval.example.com) is currently listed for the eval-group environment group, but more than one hostname may be used.
The eval-group environment group currently contains the eval environment as its only member, but more than one environment may be in an environment group.
- Click Cancel.
Task 2. Create a prod environment
In this task, you create a new environment.
- Navigate to Management > Environments.
- In the Environments tab, click + Create Environment.
- Specify prod for Display name and Name. Other fields should remain unchanged.
- Click Create.
You should get a message that the environment has been defined. The new prod environment is marked Pending Provisioning.
Shortly after, you should see the message that the environment is ready for use, and the environment will no longer be marked Pending Provisioning.
Click Check my progress to verify the objective.
Create a prod environment
Task 3. Create a prod-group environment group
In this task, you create a new environment group.
- Select Management > Environments in the left navigation pane.
- In the Environments pane, select Environment Groups and click + Create Environment Group.
- Name the environment group prod-group.
- For the Hostnames use the link:
prod.example.com
- For the Environments (Optional) select prod and click Ok.
- Click Create.
Click Check my progress to verify the objective.
Create a prod-group environment group
Task 4. Wait for instance provisioning to complete
In this task, you wait for the Apigee evaluation org provisioning to complete.
The Apigee organization provisioning takes quite a while to complete. The org provisioning progress can be monitored by using the Apigee API.
Start monitoring script
- On the top-right toolbar, click Activate Cloud Shell ( ). ).
- If prompted, click Continue.
It takes a few moments to provision and connect to Cloud Shell. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID.
- In Cloud Shell, verify the variable with your Apigee org name:
echo ${GOOGLE_CLOUD_PROJECT}The variable GOOGLE_CLOUD_PROJECT should contain the name of your project, which is the same as your Apigee organization name.
- 
If the GOOGLE_CLOUD_PROJECT variable is not set, set the variable manually using a command that looks like this:
export GOOGLE_CLOUD_PROJECT={{{project_0.project_id |Project ID}}}
- Run the following commands in the Cloud Shell:
export INSTANCE_NAME=eval-instance; export ENV_NAME=eval; export PREV_INSTANCE_STATE=; echo "waiting for runtime instance ${INSTANCE_NAME} to be active"; while : ; do export INSTANCE_STATE=$(curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" -X GET "https://apigee.googleapis.com/v1/organizations/${GOOGLE_CLOUD_PROJECT}/instances/${INSTANCE_NAME}" | jq "select(.state != null) | .state" --raw-output); [[ "${INSTANCE_STATE}" == "${PREV_INSTANCE_STATE}" ]] || (echo; echo "INSTANCE_STATE=${INSTANCE_STATE}"); export PREV_INSTANCE_STATE=${INSTANCE_STATE}; [[ "${INSTANCE_STATE}" != "ACTIVE" ]] || break; echo -n "."; sleep 5; done; echo; echo "instance created, waiting for environment ${ENV_NAME} to be attached to instance"; while : ; do export ATTACHMENT_DONE=$(curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" -X GET "https://apigee.googleapis.com/v1/organizations/${GOOGLE_CLOUD_PROJECT}/instances/${INSTANCE_NAME}/attachments" | jq "select(.attachments != null) | .attachments[] | select(.environment == \"${ENV_NAME}\") | .environment" --join-output); [[ "${ATTACHMENT_DONE}" != "${ENV_NAME}" ]] || break; echo -n "."; sleep 5; done; echo; echo "${ENV_NAME} environment attached"; echo "***ORG IS READY TO USE***";This series of commands uses the Apigee API to determine when the runtime instance has been created, and then waits for the eval environment to be attached to the instance.
- Click Authorize if prompted.
When the text ***ORG IS READY TO USE*** is printed, proxies deployed to the eval environment can accept traffic.
Note: Learn about Apigee X users and roles while waiting for the instance and environment to be fully created. Pay attention to the time remaining in the lab and periodically check the Cloud Shell output to see when the org can be tested.
  
Users and roles
Access to Apigee is granted by using users and roles. A user represents an authenticated account that can access an Apigee organization and the entities within the organization, such as environments and API proxies. The capabilities that you grant to the user depend on the type of *role *assigned to them.
To add a new user to your Apigee organization, you grant access to the user's account, first in the Cloud project, and then optionally in the Apigee UI. Permissions granted on a resource in the Google Cloud resource hierarchy are inherited by resources contained within the resource.
If an Apigee role is assigned to a user on the Cloud project, then the user can access all Apigee resources within the organization (including all environments) in that role. Within the Apigee UI, an Apigee role can also be assigned to a user for a specific environment. This permission is in addition to the role set at the project level.
To adhere to the principle of least privilege, the minimum permissions for a given user should be specified at the project level, with expanded permissions given at the environment level.
This image shows how inheritance works for this access model:

Apigee roles
This table summarizes the pre-defined Apigee roles.
| Apigee role | Description | 
| Apigee Org Admin | Full access to all Apigee resources in an Apigee organization. | 
| Apigee Read Only Admin | Read-only access to all Apigee resources in an Apigee organization. | 
| Apigee Analytics Editor | Creates and analyzes reports on API proxy traffic for an Apigee organization. Can edit queries and reports. | 
| Apigee Analytics Viewer | User of Apigee Analytics. Cannot edit queries or reports. | 
| Apigee API Admin | A developer who creates and tests API proxies. | 
| Apigee Environment Admin | Deploys and undeploys API proxies in environments. | 
| Apigee Developer Admin | Manages developer access to APIs. | 
Learn more about API permissions for each Apigee role from the Apigee roles guide.
Task 5. Add the prod environment to the runtime instance
In this task, you add the prod environment to the runtime instance, allowing proxies deployed to prod to be run.
Attach the prod environment to the instance
- Confirm that the commands run in Cloud Shell returned ***ORG IS READY TO USE***.
- To begin the process of attaching the prod environment to the runtime, run the following command:
export INSTANCE_NAME=eval-instance; curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -X POST "https://apigee.googleapis.com/v1/organizations/${GOOGLE_CLOUD_PROJECT}/instances/${INSTANCE_NAME}/attachments" -d '{ "environment": "prod" }' | jqIf you get an error message, look at the details of the message:
- A NOT_FOUND error might indicate that the prod environment was not created successfully.
- A FAILED_PRECONDITION error with a message that "the resource is locked by another operation" indicates that the full provisioning of the eval environment may not have completed.
When you have successfully begun the process of attaching the prod environment to the runtime, you should see a return message with a state of IN_PROGRESS looking similar to this:
{
  "name": "organizations/qwiklabs-gcp-01-e12f9fd402f4/operations/c4e1a09f-05d2-4c46-95ed-559457507379",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.apigee.v1.OperationMetadata",
    "operationType": "INSERT",
    "targetResourceName": "organizations/qwiklabs-gcp-01-e12f9fd402f4/instances/eval-instance/attachments/c2e04a79-15e6-4656-9d25-f618080b57fb",
    "state": "IN_PROGRESS"
  }
}
- Check the status of the prod attachment using this command:
export ATTACHING_ENV=prod; export INSTANCE_NAME=eval-instance; echo "waiting for ${ATTACHING_ENV} attachment"; while : ; do export ATTACHMENT_DONE=$(curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" -X GET "https://apigee.googleapis.com/v1/organizations/${GOOGLE_CLOUD_PROJECT}/instances/${INSTANCE_NAME}/attachments" | jq "select(.attachments != null) | .attachments[] | select(.environment == \"${ATTACHING_ENV}\") | .environment" --join-output); [[ "${ATTACHMENT_DONE}" != "${ATTACHING_ENV}" ]] || break; echo -n "."; sleep 5; done; echo; echo "***${ATTACHING_ENV} ENVIRONMENT ATTACHED***";This series of commands uses the Apigee API to determine when the prod environment is attached to the instance and proxies deployed to prod are ready to take traffic.
When the text ***prod ENVIRONMENT ATTACHED*** is printed, proxies deployed to the prod environment can accept traffic.
Leave the command running and continue with the next task.
Click Check my progress to verify the objective.
Attach the prod environment to the instance
Task 6. Create an API proxy
In this task, you create an API proxy that uses flow variables to return the hostname and environment for the API call.
- Navigate to Apigee UI in the Cloud console.
- On the left navigation menu, select Proxy development > API Proxies.
- To start the proxy wizard, click + Create.
- Select No Target for Proxy template.
Note: Do not select the "No Target" forOpenAPI Spec template.
  
- 
Specify the following properties: 
| Property | Value |  
| Proxy name | test-env |  
| Base path | /test-env |  
 
- 
Click Next. 
- 
Leave the other setting as default, and click Create. 
Your API proxy will be generated. You will deploy your proxy later.
- Click the Develop tab.
This tab is used to edit the API proxy. The Proxy Endpoint PreFlow is selected.
- 
In the Navigate menu, click Proxy endpoints > Preflow. 
- 
In Flow pane, click + icon beside PreFlow in Response section.
 
 
You will add a policy step to the PreFlow response. A policy implements a specific, limited management function.
- Select Create new policy then click Assign Message from Mediationsection, then specify AM-SetResponse as the Name and Display Name, and then click Add.

- Select AM-SetResponse from the Policies section. This attaches a new AssignMessage policy to the API proxy. You should see the AssignMessage code below the Flow pane:

- Replace the AssignMessage code with the following:
<AssignMessage continueOnError="false" enabled="true" name="AM-SetResponse">
    <Set>
        <Payload contentType="application/json">{
    "environment": "{environment.name}",
    "hostname": "{request.header.Host}"
}
</Payload>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="true" transport="http" type="response"/>
</AssignMessage>This policy creates a response returning the environment name and hostname. The proxy flow variable environment.name contains the environment of the deployed proxy that has received the traffic, and the variable request.header.Host contains the Host header, which indicates the hostname used for the API call.
- 
Click Save. 
- 
Click Deploy, then for Environment select eval then click Deploy and Confirm. 
This deploys the proxy to the eval environment.
- Click Deploy again, and then select prod for Environment then click Deploy and Confirm.

This deploys the proxy to the prod environment.
- Click the Overview tab.
- Wait for both deployments to complete.
When the proxy is deployed to both environments, the Deployments section of the Overview tab should look like this:

Note: If after a few minutes the proxy is not deployed to the prod environment, the prod environment may not have finished attaching to the runtime instance. You can check the status by returning to Cloud Shell and waiting for the commands to return "***prod ENVIRONMENT ATTACHED***".
  
Click Check my progress to verify the objective.
Create an API proxy
Task 7. Test the prod and eval environments
In this task, you make calls to the test and prod environments.
A virtual machine named apigeex-test-vm was automatically created. Use this virtual machine to call the Apigee runtime using a private IP address.
Make calls to the Apigee runtime
- In Cloud Shell, run the following to open an SSH connection to the VM:
TEST_VM_ZONE=$(gcloud compute instances list --filter="name=('apigeex-test-vm')" --format "value(zone)")
gcloud compute ssh apigeex-test-vm --zone=${TEST_VM_ZONE} --force-key-file-overwrite
- For each question asked, click Enter or Return to specify the default input.
Your logged in identity is the owner of the project, so SSH to this machine is allowed.
Your Cloud Shell session is now running inside the VM.
- In the VM's shell, set required shell variables:
export PROJECT_NAME=$(gcloud config get-value project)
export ORG=${PROJECT_NAME}
export INSTANCE_NAME=eval-instance
export INTERNAL_LB_IP=$(curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" -X GET "https://apigee.googleapis.com/v1/organizations/${ORG}/instances/${INSTANCE_NAME}" | jq ".host" --raw-output)
export EVAL_ENVGROUP_HOSTNAME=$(curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" -X GET "https://apigee.googleapis.com/v1/organizations/${ORG}/envgroups/eval-group" | jq ".hostnames[0]" --raw-output)
export PROD_ENVGROUP_HOSTNAME=$(curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" -X GET "https://apigee.googleapis.com/v1/organizations/${ORG}/envgroups/prod-group" | jq ".hostnames[0]" --raw-output)
echo "INTERNAL_LB_IP=${INTERNAL_LB_IP}"
echo "EVAL_ENVGROUP_HOSTNAME=${EVAL_ENVGROUP_HOSTNAME}"
echo "PROD_ENVGROUP_HOSTNAME=${PROD_ENVGROUP_HOSTNAME}"The PROD_ENVGROUP_HOSTNAME was retrieved from the prod-group environment group you created in a previous task.
- Call the deployed test-env API proxy in the eval environment:
curl -i -k --resolve "${EVAL_ENVGROUP_HOSTNAME}:443:${INTERNAL_LB_IP}" \
  "https://${EVAL_ENVGROUP_HOSTNAME}/test-env"The --resolve setting forces commands sent to the environment group hostname to resolve to the internal load balancer IP address instead of using DNS to resolve the IP address. The -k option skips verification of the TLS certificate of the internal load balancer, since the internal load balancer does not host a TLS certificate with the hostnames you are using.
Your curl command should return the response generated by the test-env proxy, which should look similar to this:
HTTP/2 200
content-type: application/json
content-length: 66
date: Tue, 10 Aug 2021 17:02:53 GMT
server: apigee
{
    "environment": "eval",
    "hostname": "eval.example.com"
}
- Call the deployed test-env API proxy in the prod environment:
curl -i -k --resolve "${PROD_ENVGROUP_HOSTNAME}:443:${INTERNAL_LB_IP}" \
  "https://${PROD_ENVGROUP_HOSTNAME}/test-env"This time, the environment and hostname should both return prod instead of eval.
Congratulations!
In this lab, you created a new environment and environment group for your org, and attached the environment to your runtime instance. You then created and deployed an API proxy. Finally, you called the proxy using the eval and prod hostnames and the API proxy was able to detect the environment that was being called.
Next steps / learn more
Google Cloud training and certification
...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.
Manual Last Updated September 23, 2025
Lab Last Tested September 23, 2025
Copyright 2025 Google LLC. All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.