If you have a restricted VPC environment where external domains need to be allowed, here is a list of Google Cloud urls that Apigee hybrid may need to connect with during install and runtime.
Google Cloud URLs for all Apigee hybrid installations
These URLs are used by all Apigee hybrid installations:
| URL | Description |
|---|---|
| apigee.googleapis.com | The runtime uses these APIs to learn which proxies, shared flows, etc., it should deploy, and to report its current configuration and health. |
| apigeeconnect.googleapis.com | This APIs is needed for apigee-mart-server and apigee-connect communication when you have vpc-sc enabled to talk to the control plane. |
| binaryauthorization.googleapis.com | Optional. Only for Anthos if binary authorization is enabled |
| gcr.io | Contanier images are hosted in Google Container Registry. |
| iamcredentials.googleapis.com | Required for generating access tokens used by other Google Cloud API calls. For example, for runtime to make calls to download runtime contracts from apigee.googleapis.com, the permission is granted by a service account. So the runtime needs to get an access token before making the call to apigee.googleapis.com. |
| logging.googleapis.com | This API is needed for the logging agent to send logs to Cloud Logging. |
| monitoring.googleapis.com | Cloud Monitoring service endpoint to export metrics. |
| oauth2.googleapis.com | Authentication and authorization |
| pubsub.googleapis.com | The runtime subscribes to a pubsub topic to learn when to initialize debug sessions. |
| quay.io | Container registry used by cert-manager. See Step 8: Install cert-manager. |
| serviceusage.googleapis.com | Inspect and manage quota for service consumers on Google Cloud Platform. Required by Anthos Service Mesh |
| storage.googleapis.com | The runtime downloads proxies, shared flows, resource files, and keystore aliases from Google Cloud Storage in tenant project. |
| sts.googleapis.com | The Security Token Server providers API method for third party developers to exchange third party credentials to Google Cloud Platform tokens. |
| www.googleapis.com | Needed by the MART component. |
Google Cloud URLs for Anthos installations
All Apigee hybrid installations on Anthos (on-prem and multi-cloud) use additional Google Cloud URLs. For more information, see:
Google Cloud URLs for data residency
If you are using forward proxy with data residency, you must allowlist:
CONTROL_PLANE_LOCATION-apigee.googleapis.com for each control plane location.