Creating a Compute Engine instance

To create a Compute Engine instance:

1. In the Google Cloud console, go to the Create an instance page.

   Go to Create an instance

2. In the Firewall section, select Allow HTTP traffic and Allow HTTPS traffic.
3. To create the VM, click Create.



Allow a short time for the instance to start up. Once ready, it is listed on the VM Instances page with a green status icon.

4. Make sure you that you can connect to your VM instance.
   1. In the list of virtual machine instances, click SSH in the row of the instance that you want to connect to.
   2. You can now use the terminal to run Linux commands on your Debian instance.
   3. Enter exit to disconnect from the instance.
5. Make a note the instance name, zone, and external IP address because they are needed later.

Downloading the sample code

Download the sample code to your local machine.

Configuring Endpoints

You must have an OpenAPI document based on either OpenAPI 2.0 or OpenAPI 3.x that describes the surface of your apps and any authentication requirements. To learn more, see Supported OpenAPI versions.

You also need to add a Google-specific field that contains the URL for each app so that ESPv2 has the information it needs to invoke an app. If you are new to OpenAPI, see OpenAPI overview for more information.

swagger: "2.0"
info:
  description: "A simple Google Cloud Endpoints API example."
  title: "Endpoints Example"
  version: "1.0.0"

host: "echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog"

consumes:
  - "application/json"
produces:
  - "application/json"

schemes:
# Uncomment the next line if you configure SSL for this API.
# - "https"
  - "http"

paths:
  /echo:
    post:
      description: "Echo back a given message."
      operationId: "echo"
      produces:
        - "application/json"
      responses:
        200:
          description: "Echo"
          schema:
            $ref: "#/definitions/echoMessage"
      parameters:
        -
          description: "Message to echo"
          in: body
          name: message
          required: true
          schema:
            $ref: "#/definitions/echoMessage"
      security:
        - api_key: []
  /auth/info/googlejwt:
    get:
      description: "Returns the requests' authentication information."
      operationId: "auth_info_google_jwt"
      produces:
        - "application/json"
      responses:
        200:
          description: "Authenication info."
          schema:
            $ref: "#/definitions/authInfoResponse"
      security:
        - api_key: []
          google_jwt: []
  /auth/info/googleidtoken:
    get:
      description: "Returns the requests' authentication information."
      operationId: "authInfoGoogleIdToken"
      produces:
        - "application/json"
      responses:
        200:
          description: "Authentication info."
          schema:
            $ref: "#/definitions/authInfoResponse"
      security:
        - api_key: []
          google_id_token: []

definitions:
  echoMessage:
    type: "object"
    properties:
      message:
        type: "string"
  authInfoResponse:
    properties:
      id:
        type: "string"
      email:
        type: "string"

securityDefinitions:
  # This section configures basic authentication with an API key.
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"

  # This section configures authentication using Google API Service Accounts
  # to sign a json web token. This is mostly used for server-to-server
  # communication.
  google_jwt:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    # This must match the 'iss' field in the JWT.
    x-google-issuer: "jwt-client.endpoints.sample.google.com"
    # Update this with your service account's email address.
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/jwk/YOUR_SERVICE_ACCOUNT_EMAIL"
    # This must match the "aud" field in the JWT. You can add multiple
    # audiences to accept JWTs from multiple clients.
    x-google-audiences: "echo.endpoints.sample.google.com"
  # This section configures authentication using Google OAuth2 ID Tokens.
  # ID Tokens can be obtained using OAuth2 clients, and can be used to access
  # your API on behalf of a particular user.

  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    # Your OAuth2 client's Client ID must be added here. You can add
    # multiple client IDs to accept tokens from multiple clients.
    x-google-audiences: "YOUR_CLIENT_ID"

This tutorial uses a Google-specific extension to the OpenAPI specification that lets you configure the service name. The method for specifying the service name depends on which version of the OpenAPI specification you are using.

host: echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog

servers:
- url: https://echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog
    x-google-endpoint: {}

After you have finished all the following configuration steps such that you can successfully send requests to the sample API by using an IP address, see Configuring Endpoints DNS for information on how to configure echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog to be the fully qualified domain name (FQDN).

Deploying the Endpoints configuration

To deploy the Endpoints configuration, you use the gcloud endpoints services deploy command. This command uses Service Management to create a managed service.

To deploy the Endpoints configuration:

1. Make sure you are in the directory where your openapi.yaml configuration file is located.
2. Upload the configuration and create a managed service:

   gcloud endpoints services deploy openapi.yaml
   

The gcloud command then calls the Service Management API to create a managed service with the name that you specified in the host or servers.url field of the openapi.yaml file. Service Management configures the service according to the settings in the openapi.yaml file. When you make changes to openapi.yaml, you must redeploy the file to update the Endpoints service.

As it is creating and configuring the service, Service Management outputs information to the terminal. You can safely ignore the warnings about the paths in the openapi.yaml file not requiring an API key. When it finishes configuring the service, Service Management displays a message with the service configuration ID and the service name, similar to the following:

Service Configuration [2017-02-13r0] uploaded for service [echo-api.endpoints.example-project-12345.cloud.goog]

In the preceding example, 2017-02-13r0 is the service configuration ID, and echo-api.endpoints.example-project-12345.cloud.goog is the Endpoints service. The service configuration ID consists of a date stamp followed by a revision number. If you deploy the openapi.yaml file again on the same day, the revision number is incremented in the service configuration ID. You can view the Endpoints service configuration on the Endpoints > Services page in the Google Cloud console.

If you get an error message, see Troubleshooting Endpoints configuration deployment.

Checking required services

At a minimum, Endpoints and ESP require the following Google services to be enabled:

In most cases, the gcloud endpoints services deploy command enables these required services. However, the gcloud command completes successfully but doesn't enable the required services in the following circumstances:

• If you used a third-party application such as Terraform, and you don't include these services.

• You deployed the Endpoints configuration to an existing Google Cloud project in which these services were explicitly disabled.

Use the following command to confirm that the required services are enabled:

gcloud services list

If you do not see the required services listed, enable them:

gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com

Also enable your Endpoints service:

gcloud services enable ENDPOINTS_SERVICE_NAME

To determine the ENDPOINTS_SERVICE_NAME you can either:

• After deploying the Endpoints configuration, go to the Endpoints page in the Cloud console. The list of possible ENDPOINTS_SERVICE_NAME are shown under the Service name column.

• For OpenAPI, the ENDPOINTS_SERVICE_NAME is what you specified in the host field of your OpenAPI spec. For gRPC, the ENDPOINTS_SERVICE_NAME is what you specified in the name field of your gRPC Endpoints configuration.

For more information about the gcloud commands, see gcloud services.

Deploying the API backend

So far you have deployed the OpenAPI document to Service Management, but you haven't yet deployed the code that serves the API backend. This section walks you through getting Docker set up on your VM instance and running the API backend code and the ESP in a Docker container.

Checking required permissions

• In the Google Cloud console, go to the Compute Engine instances page.

  Go to the Compute Engine page

• Select your instance from the list.
• You can see the associated service account and the permissions it has.

• Grant required permissions to the service account:

  gcloud projects add-iam-policy-binding PROJECT_ID 
  
  --member "serviceAccount:SERVICE_ACCOUNT" 
  
  --role roles/servicemanagement.serviceController

  For more information, see What are roles and permissions?

Install Docker on the VM instance

To install Docker on the VM instance:

1. Set the zone for your project by running the command:

   gcloud config set compute/zone YOUR_INSTANCE_ZONE
   

   Replace YOUR_INSTANCE_ZONE with the zone where your instance is running.

2. Connect to your instance by using the following command:

   gcloud compute ssh INSTANCE_NAME
   

   Replace INSTANCE_NAME with your VM instance name.

3. See the Docker documentation to set up the Docker repository. Make sure to follow the steps that match the version and architecture of your VM instance:
   • Jessie or newer
   • x86_64 / amd64

Run the API and ESP in a Docker container

The ESP is an nginx-based proxy that sits in front of your backend code. It processes incoming traffic to provide authentication, API key management, logging, and other Endpoints API management features.

To install and run the sample API and ESP in a Docker container:

1. Create your own container network called esp_net.

   sudo docker network create --driver bridge esp_net
   

2. Run the sample Echo server that serves the sample API:
   Java

   sudo docker run --detach --name=echo --net=esp_net gcr.io/google-samples/echo-java:1.0
   

   Python

   sudo docker run --detach --name=echo --net=esp_net gcr.io/google-samples/echo-python:1.0
   

   Go

   sudo docker run --detach --name=echo --net=esp_net gcr.io/google-samples/echo-go:1.0
   

   PHP

   sudo docker run --detach --name=echo --net=esp_net gcr.io/google-samples/echo-php:1.0
   

   Ruby

   sudo docker run --detach --name=echo --net=esp_net gcr.io/google-samples/echo-ruby:1.0
   

   NodeJS

   sudo docker run --detach --name=echo --net=esp_net gcr.io/google-samples/echo-node:1.0
   

3. Run the pre-packaged public ESP Docker container. In the ESP startup options, replace SERVICE_NAME with the name of your service. This is the same name that you configured in the host field of your OpenAPI document.

   sudo docker run \
       --name=esp \
       --detach \
       --publish=80:8080 \
       --net=esp_net \
       gcr.io/endpoints-release/endpoints-runtime:1 \
       --service=SERVICE_NAME \
       --rollout_strategy=managed \
       --backend=echo:8080
   

   The --rollout_strategy=managed option configures ESP to use the latest deployed service configuration. When you specify this option, up to 5 minutes after you deploy a new service configuration, ESP detects the change and automatically begins using it. We recommend that you specify this option instead of a specific configuration ID for ESP to use. For information about the other ESP options used, see ESP startup options.

If you get an error message, see Troubleshooting Endpoints on Compute Engine.

See Deploying the API Backend for additional information.

Sending a request by using an IP address

After the sample API and the ESP are running on the Compute Engine instance, you can send requests to the API from your local machine.

Create an API key and set an environment variable

The sample code requires an API key. To simplify the request, you set an environment variable for the API key.

1. In the same Google Cloud project that you used for your API, create an API key on the API credentials page. If you want to create an API key in a different Google Cloud project, see Enabling an API in your Google Cloud project.

   Go to the Credentials page

2. Click Create credentials, and then select API key.
3. Copy the key to the clipboard.
4. Click Close.
5. On your local computer, paste the API key to assign it to an environment variable:
   • In Linux or macOS: export ENDPOINTS_KEY=AIza...
   • In Windows PowerShell: $Env:ENDPOINTS_KEY="AIza..."

Send the request

curl --request POST \
   --header "content-type:application/json" \
   --data '{"message":"hello world"}' \
   "http://IP_ADDRESS:80/echo?key=${ENDPOINTS_KEY}"

(Invoke-WebRequest -Method POST -Body '{"message": "hello world"}' `
    -Headers @{"content-type"="application/json"} `
    -URI "http://IP_ADDRESS:80/echo?key=$Env:ENDPOINTS_KEY").Content

The API echoes back the message that you send, and responds with the following:

{
  "message": "hello world"
}

If you didn't get a successful response, see Troubleshooting response errors.

You just deployed and tested an API in Endpoints!

Configuring DNS for Endpoints

Because the Endpoints service name for the API is in the .endpoints.YOUR_PROJECT_ID.cloud.goog domain, you can use it as the fully qualified domain name (FQDN) by making a small configuration change in your openapi.yaml file. This way, you can send requests to the sample API by using echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog instead of the IP address.

To configure Endpoints DNS:

For example, assume the openapi.yaml file has the following configured:

host: "echo-api.endpoints.example-project-12345.cloud.goog"
x-google-endpoints:
- name: "echo-api.endpoints.example-project-12345.cloud.goog"
  target: "192.0.2.1"

servers:
  - url: "echo-api.endpoints.example-project-12345.cloud.goog"
    x-google-endpoint:
      target: "192.0.2.1"

When you deploy the openapi.yaml file by using the preceding gcloud command, Service Management creates a DNS A-record, echo-api.endpoints.my-project-id.cloud.goog, which resolves to the target IP address, 192.0.2.1. It might take a few minutes for the new DNS configuration to propagate.

Configuring SSL

For more details on how to configure DNS and SSL, see Enabling SSL for Endpoints.

Sending a request by using FQDN

Now that you have the DNS record configured for the sample API, send a request to it by using the FQDN (replace YOUR_PROJECT_ID with your project ID) and the ENDPOINTS_KEY environment variable set previously:

• In Linux or mac OS:

  curl --request POST \
      --header "content-type:application/json" \
      --data '{"message":"hello world"}' \
      "http://echo-api.endpoints.YOUR_PROJECT_ID.cloud.goog:80/echo?key=${ENDPOINTS_KEY}"

• In Windows PowerShell:

  (Invoke-WebRequest -Method POST -Body '{"message": "hello world"}' -Headers @{"content-type"="application/json"} -URI "http://echo-api.endpoints.[YOUR_PROJECT_ID].cloud.goog:80/echo?key=$Env:ENDPOINTS_KEY").Content

Tracking API activity

To track API activity:

1. Look at the activity graphs for your API in the Endpoints > Services page.
   

   Go to the Endpoints Services page

   
   It may take a few moments for the request to be reflected in the graphs.

2. Look at the request logs for your API in the Logs Explorer page.
   

   Go to the Logs Explorer page