If you only add or change the virtualhosts
property, and nothing else, then you can apply those changes with the ‑‑settings flag. This applies only for apigeectl; for Helm, we are applying apigee-virtualhost with the appropriate variable.
If you modify the virtualhosts and env settings,
you need to apply the changes without using ENV_GROUP_NAME apigee-virtualhost/ for Helm and
‑‑settings virtualhosts for apigeectl. Here's how to update the cluster:
The virtualhost property requires a TLS key and certificate.
The key/cert are used to provide secure communication with the ingress gateway and
must be compatible with the host aliases used in the specified environment group.
It is up to you how you generate proper TLS certificate/key pairs for your hybrid
configuration. The following topics are provided as samples only, intended primarily
for trying out or testing a new hybrid installation if it isn't feasible to obtain
TLS credentials in another way:
See Obtain TLS credentials for a set of sample
steps for creating an authorized TLS certificate/key pair.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eVirtual hosts in Apigee hybrid enable the handling of API requests directed to host aliases linked with an environment group.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003evirtualhosts\u003c/code\u003e property is an array, allowing the creation of multiple virtual hosts, each of which should ideally have its own TLS certificate/key pair for security.\u003c/p\u003e\n"],["\u003cp\u003eChanges to the \u003ccode\u003evirtualhosts\u003c/code\u003e property can be applied using either \u003ccode\u003eapigeectl\u003c/code\u003e with the \u003ccode\u003e‑‑settings virtualhosts\u003c/code\u003e flag or Helm by targeting \u003ccode\u003eapigee-virtualhost/\u003c/code\u003e specifically.\u003c/p\u003e\n"],["\u003cp\u003eWhen both \u003ccode\u003evirtualhosts\u003c/code\u003e and \u003ccode\u003eenv\u003c/code\u003e settings are modified, Helm and \u003ccode\u003eapigeectl\u003c/code\u003e commands must be applied in a specific sequence to ensure all changes are correctly updated in the cluster.\u003c/p\u003e\n"],["\u003cp\u003eProper TLS key/certificate pairs are required for the \u003ccode\u003evirtualhost\u003c/code\u003e property to ensure secure communication with the ingress gateway, with resources provided for both obtaining and generating them.\u003c/p\u003e\n"]]],[],null,["# Configure virtual hosts\n\n| You are currently viewing version 1.11 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\n\nThis topic discusses the [virtualhosts](/apigee/docs/hybrid/v1.11/config-prop-ref#virtualhosts) configuration property.\nVirtual hosts allow Apigee hybrid to handle\nAPI requests to hostaliases associated with an environment group. For more information, see\n[Routing and base\npaths](/apigee/docs/api-platform/fundamentals/environments-overview#routing) in the [About\nenvironments and environment groups](/apigee/docs/api-platform/fundamentals/environments-overview) topic. \n\n```text\n...\nvirtualhosts:\n - name: my-env-group\n sslCertPath: ./certs/fullchain.pem\n sslKeyPath: ./certs/privkey.key\n...\n```\n\n\nWhen an API proxy call comes, it is routed to the host alias(es) of the environment group\nwhere the API proxy is deployed.\n\n\nFor instructions on how to apply `virtualhosts` to the cluster, see\n[Applying virtualhosts changes](#applying). For information about configuring\nTLS, see [Configuring TLS and mTLS on the Istio ingress](/apigee/docs/hybrid/v1.11/ingress-tls).\n\nAdding multiple virtual hosts\n-----------------------------\n\n\nThe `virtualhosts[]` property is an array, and therefore you can create more than\none. \n\n```text\n...\nvirtualhosts:\n - name: my-env-group-1\n sslCertPath: ./certs/fullchain1.pem\n sslKeyPath: ./certs/privkey1.key\n\n - name: my-env-group-2\n sslCertPath: ./certs/fullchain2.pem\n sslKeyPath: ./certs/privkey2.key\n...\n```\n| **Tip:** For security purposes, it is best practice to have a separate TLS cert/key pair for each virtual host. If you are using a Subject Alternative Name (SAN ) certificate, this TLS cert/key pair should be used on one virtual host that is shared across the domain.\n\n\nFor information about configuring\nTLS, see [Configuring TLS and mTLS on the Istio ingress](/apigee/docs/hybrid/v1.11/ingress-tls).\n\nApplying `virtualhosts` changes\n-------------------------------\n\n\nIf you only add or change the `virtualhosts`\nproperty, and nothing else, then you can apply those changes with the `‑‑settings` flag. This applies only for `apigeectl`; for Helm, we are applying `apigee-virtualhost` with the appropriate variable.\n\n### Helm\n\n```\nhelm upgrade ENV_GROUP_NAME apigee-virtualhost/ \\\n --namespace apigee \\\n --atomic \\\n --set envgroup=ENV_GROUP_NAME \\\n -f OVERRIDES_FILE.yaml\n```\n| **Note:** If you see an error saying `Error: UPGRADE FAILED: \"`*ENV_GROUP_NAME*`\" has no deployed releases`, replace `upgrade` with `install` and try the command again.\n\n### `apigeectl`\n\n```\n$APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml ‑‑settings virtualhosts\n```\n\nIf you modify the `virtualhosts` and `env` settings,\nyou need to apply the changes without using \u003cvar translate=\"no\"\u003eENV_GROUP_NAME\u003c/var\u003e` apigee-virtualhost/` for Helm and\n`‑‑settings virtualhosts` for `apigeectl`. Here's how to update the cluster:\n\n### Helm\n\nRun helm upgrade for each environment you want to update. \n\n```\nhelm upgrade ENV_NAME apigee-env/ \\\n --namespace apigee \\\n --atomic \\\n --set env=ENV_NAME \\\n -f OVERRIDES_FILE.yaml\n```\n\nThen upgrade the `apigee-virtualhost` chart: \n\n```\nhelm upgrade ENV_GROUP_NAME apigee-virtualhost/ \\\n --namespace apigee \\\n --atomic \\\n --set envgroup=ENV_GROUP_NAME \\\n -f OVERRIDES_FILE.yaml\n```\n| **Note:** If you see an error saying `Error: UPGRADE FAILED: \"`*ENV_NAME*`\" has no deployed releases`, replace `upgrade` with `install` and try the command again.\n\n### `apigeectl`\n\n```\n$APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml --env ENV_NAME\n```\n\n\nor, to update the component for all environments: \n\n```\n$APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml --all-envs\n```\n\nThen Apply the changes to the virtualhost:\n\n```\n$APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml settings virtualhosts\n```\n\nTLS keys and certificates\n-------------------------\n\nThe `virtualhost` property requires a TLS key and certificate.\nThe key/cert are used to provide secure communication with the ingress gateway and\nmust be compatible with the host aliases used in the specified environment group.\n\n\nIt is up to you how you generate proper TLS certificate/key pairs for your hybrid\nconfiguration. The following topics are provided as samples only, intended primarily\nfor trying out or testing a new hybrid installation if it isn't feasible to obtain\nTLS credentials in another way:\n\n- See [Obtain TLS credentials](/apigee/docs/hybrid/v1.11/lets-encrypt) for a set of sample steps for creating an authorized TLS certificate/key pair.\n- You can use a self-signed certificate/key pair(s) for testing purposes only. See [Generate self-signed TLS credentials](/apigee/docs/hybrid/v1.11/environment-self-signed-tls)."]]
