Proxying a PCF App with Apigee Edge ("org" plan)

Page last updated:

This topic describes how to push a sample app to Pivotal Cloud Foundry (PCF), create an Apigee Edge service instance, and bind the application to it. After binding the application to the Apigee Edge service instance, requests to the app will be forwarded to an Apigee Edge API proxy for management.

Before performing the procedures in this topic, you must install and configure the Apigee Edge Service Broker for PCF tile.

Steps in these instructions use CF CLI with an Apigee plugin. To see corresponding CF CLI commands, see Mapping for Apigee and Cloud Foundry integration commands.

Step 1: Push the Sample App

Perform the following steps to push a sample application to PCF.

  1. Clone the Apigee Edge GitHub repo:

    $ git clone

  2. Change into the sample-api directory of the cloned repo:

    $ cd cloud-foundry-apigee/samples/org-and-microgateway-sample

  3. In the org-and-microgateway-sample directory, open manifest.yml.

  4. Edit manifest.yml to change the name and host properties to values specific to your deployment. See the following example:

    - name: sample-api 
      memory: 128M 
      instances: 1 
      host: sample-api-apigee 
      path: . 
      buildpack: nodejs_buildpack
  5. Save the edited file.

  6. Set your API endpoint to the Cloud Controller of your deployment.

    $ cf api api.YOUR-SYSTEM-DOMAIN
    Setting api endpoint to api.YOUR-SYSTEM-DOMAIN...
    API endpoint:  https://api.YOUR-SYSTEM-DOMAIN (API version: 2.59.0)
    Not logged in. Use 'cf login' to log in.

  7. Log in to your deployment and select an org and a space.

    $ cf login
    API endpoint: https://api.YOUR-SYSTEM-DOMAIN

  8. Push the sample app to PCF:

    $ cf push YOUR-SAMPLE-APP

  9. Use curl to send a test request to the app you pushed:

    {"hello":"hello from cf app"} 
    If you receive the above response, the sample app is running successfully.

Step 2: Install the plugin

  1. Install the Apigee Broker Plugin as follows.

    $ cf install-plugin -r CF-Community "apigee-broker-plugin"
    Searching CF-Community for plugin apigee-broker-plugin... Plugin apigee-broker-plugin 0.1.1 found in: CF-Community Attention: Plugins are binaries written by potentially untrusted authors. Install and use plugins at your own risk. Do you want to install the plugin apigee-broker-plugin? [yN]: y Starting download of plugin binary from repository CF-Community... 7.85 MiB / 7.85 MiB [===========================================================================================================================================================================================================================================] 100.00% 11s Installing plugin Apigee-Broker-Plugin... OK Plugin Apigee-Broker-Plugin 0.1.1 successfully installed.

  2. Make sure the plugin is available by running the following command:

    $ cf -h
    Commands offered by installed plugins:
      apigee-bind-mg,abm      apigee-unbind-mgc,auc    enable-diego
      apigee-bind-mgc,abc     apigee-unbind-org,auo    has-diego-enabled
      apigee-bind-org,abo     dea-apps                 migrate-apps
      apigee-push,ap          diego-apps               dev,pcfdev
      apigee-unbind-mg,aum    disable-diego

Step 3: Create a Service Instance

Perform the following steps to create an instance of the Apigee Edge service:

  1. List the Marketplace services and locate the Apigee Edge service:

    $ cf marketplace
    Getting services from marketplace in org example / space development as
    service          plans                                              description
    apigee-edge      org, microgateway, microgateway-coresident         Apigee Edge API Platform
  2. Create an instance of the Apigee Edge service. Select either the org service plan.

    $ cf create-service apigee-edge org YOUR-SERVICE-INSTANCE -c \
    '{"org":"YOUR-ORG", "env":"YOUR-ENV"}'
  3. Use the cf service command to display information about the service instance:

    $ cf service apigee-service
    Service instance: apigee-service
    Service: apigee-edge
    Bound apps:
    Plan: org
    Description: Apigee Edge API Platform
    Documentation url:
    Last Operation
    Status: create succeeded
    Started: 2016-10-27T20:47:43Z

Step 4: Bind the App Route to the Service Instance

Perform the following steps to bind the route of your app to your Apigee Edge service instance.

Each bind attempt requires authorization with Apigee Edge, with credentials passed as additional parameters to the apigee-bind-org command. You can pass these credentials as arguments of the apigee-bind-org command or by using a bearer token.

  1. If you’re using a bearer token to authenticate with Apigee Edge, get or update the token using the Apigee SSO CLI script. (If you’re instead using command-line arguments to authenticate with username and password, specify the credentials in the next step.)

    1. Download the Apigee Edge scripts:

      $ curl -o ""
    2. Unzip the file. This includes get_token, a script that gets or updates a token that you use to authenticate with your Apigee Edge organization. You need this token to bind the Apigee Edge route service to your app.

      $ tar xvf
    3. Create a .sso-cli directory in your user directory:

      $ mkdir ~/.sso-cli
    4. Use the get_token script to create a token. When prompted, enter the Apigee Edge username and password you use to log in to your organization.

      $ ./get\_token

      The get_token script writes the token file into ~/.sso-cli. For more about get_token, see the Apigee documentation.

      You may be prompted for your Apigee Edge username and password, and an MFA token. This updates the token in the ~/.sso-cli/valid_token.dat file (if that subdirectory exists – otherwise the file is placed in the current working directory). The next step uses this token.

  2. Bind the app to the Apigee service instance with the apigee-bind-org command.

    When you use the command without arguments, you’ll be prompted for argument values. To use the command with arguments, see the command reference at the end of this topic. For help on the command, type cf apigee-bind-org -h. Without arguments, you’ll be prompted for the following:

    Argument Description
    Apigee username Apigee user name. Not used if you pass a bearer token with the --bearer argument.
    Apigee password Apigee password. Not used if you pass a bearer token with the --bearer argument.
    Action to take Required. proxy to generate an API proxy; bind to bind the service with the proxy; proxy bind to generate the proxy and bind with a single command.
    Apigee environment Required. The Apigee environment where your proxy should be deployed.
    Apigee organization Required. The Apigee organization where your proxy should be created.
    Application to bind to Required. Name of the the Cloud Foundry application to bind to.
    Domain to bind to Required. Domain of the application to bind to.
    Route of the application acting as microgateway Required. Route of the application acting as Edge Microgateway.
    Host The host domain to which API calls are made. Specify a value only if your host domain is not the same as that given by your virtual host.
    Target application protocol The application protocol, such as http or https.
    Service instance name to bind to Required. Name of the Apigee service to bind to.

apigee-bind-org reference

Use the apigee-bind-org command to generate an API proxy on Apigee Edge and to bind the Cloud Foundry service to the proxy.

The command requires your Apigee Edge credentials in order to create and bind to an API proxy. You can specify credentials either with a bearer token or by giving a username and password at the command line. To use a token, you must provide the --bearer argument. To be prompted for argument values (and provide a username and password at prompts), use the command without arguments.

cf apigee-bind-org

To specify arguments on the command line, use the following syntax (be sure to use quotes and command expansion, as shown here):

$ cf apigee-bind-org [--app APP_NAME] [--service SERVICE_INSTANCE] \
    [--apigee_org APIGEE_ORGANIZATION] [--apigee_env APIGEE_ENVIRONMENT] \ 
    [--protocol TARGET_APP_PROTOCOL] [--domain APP_DOMAIN] [--action ACTION] \
    [--bearer APIGEE_BEARER_TOKEN] [--host HOST_NAME]
Parameter Purpose Allowed Values
action Required. A value specifying whether to create or bind an API proxy proxy to generate an API proxy; bind to bind the service with the proxy; proxy bind to generate the proxy and bind with a single command.
apigee_env Required. Apigee Edge environment to which the API proxy is (or will be) deployed Your environment.
apigee_org Required. Apigee Edge organization hosting the API proxy to be called Your organization (must be reachable via the authentication token specified in the bearer parameter)
app Required. Name of the the Cloud Foundry application to bind to. The app name.
bearer Path to a file containing an authentication token valid for your organization An authentication token, such as one generated with Apigee’s get_token command. The broker does not store any data; it requires credentials and other parameters for each individual cf command. Instead of a bearer token, credentials can also be expressed as:
  • basic: standard HTTP Base-64 encoded username and password for Authorization: Basic. Note that this is not encrypted and easily converted to clear text. But a jumble of digits and letters may provide some protection in case of momentary exposure (but no better than if the password is already a jumble of digits, letters, and symbols)
  • username and password in clear text
domain Required. Domain of the application to bind to.
host The host domain to which API calls are made. Specify a value only if your host domain is not the same as that given by your virtual host. Your host domain name if different from your virtual host domain. For example:
pass Apigee password. Not used if you pass a bearer token with the –bearer argument. Your password.
protocol The protocol through which the proxy should be accessed by Cloud Foundry http or https; default is https.
service Required. Name of the Apigee service to bind to. The service name.
target_app_route The URL for your Cloud Foundry app. The app URL.
user Apigee user name. Not used if you pass a bearer token with the –bearer argument. Your user name.

Step 4: Test the Binding

Once you’ve bound your app’s path to the Apigee service (creating an Apigee proxy in the process), you can try it out with the sample app you invoked earlier.

  1. Open the Apigee Edge management console.
  2. In the management console, under APIs > API proxies, locate the name of the proxy you just created with bind-route-service. It’s likely to have a name that ends with your domain value, such as
  3. Click the new proxy’s name to view its Overview page.
  4. Click the Trace tab, then click the Start Trace Session button.
  5. Back at the command line, run the curl command you ran earlier to make a request to your Cloud Foundry app you pushed, such as:

    $ curl 
    {"hello":"hello from cf app"} 
    As before, the console outputs the app’s response.

  6. Return to the Apigee Edge management console to see that your request has now been routed through the Edge proxy you created.

The new proxy is just a pass-through, but it is now ready for you or someone on your team to add policies to define security, traffic management, and more.

Create a pull request or raise an issue on the source for this page in GitHub