If you have a restricted VPC environment where external domains need to be allowed, here is a
list of Google Cloud urls that Apigee hybrid may need to connect with during install
and runtime.
Google Cloud URLs for all Apigee hybrid installations
These URLs are used by all Apigee hybrid installations:
URL
Description
apigee.googleapis.com
The runtime uses these APIs to learn which proxies, shared flows,
etc., it should deploy, and to report its current configuration and health.
apigeeconnect.googleapis.com
This APIs is needed for apigee-mart-server and apigee-connect
communication when you have vpc-sc enabled to talk to the control plane.
Contanier images are hosted in Google Container Registry.
iamcredentials.googleapis.com
Required for generating access tokens used
by other Google Cloud API calls. For example, for runtime to make calls to download runtime
contracts from
apigee.googleapis.com, the permission is granted by a service account. So the runtime
needs to get an access token before making the call to apigee.googleapis.com.
logging.googleapis.com
This API is needed for the logging agent to send logs
to Cloud Logging.
monitoring.googleapis.com
Cloud Monitoring service endpoint to export metrics.
oauth2.googleapis.com
Authentication and authorization
pubsub.googleapis.com
The runtime subscribes to a pubsub topic to learn when to
initialize debug sessions.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis document outlines the Google Cloud URLs that Apigee hybrid installations require for proper functionality, both during setup and runtime.\u003c/p\u003e\n"],["\u003cp\u003eThese URLs facilitate various essential operations, including proxy deployment, configuration reporting, logging, monitoring, authentication, and access token generation.\u003c/p\u003e\n"],["\u003cp\u003eAdditional URLs are necessary for Apigee hybrid installations on Anthos, as well as for environments utilizing data residency with forward proxy configurations.\u003c/p\u003e\n"],["\u003cp\u003eContainer images are hosted on \u003ccode\u003egcr.io\u003c/code\u003e while \u003ccode\u003equay.io\u003c/code\u003e is a container registry used by cert-manager.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eapigeeconnect.googleapis.com\u003c/code\u003e is needed for communication between \u003ccode\u003eapigee-mart-server\u003c/code\u003e and \u003ccode\u003eapigee-connect\u003c/code\u003e in vpc-sc enabled environments.\u003c/p\u003e\n"]]],[],null,["# Google Cloud URLs to allow for Hybrid\n\n| You are currently viewing version 1.12 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nIf you have a restricted VPC environment where external domains need to be allowed, here is a\nlist of Google Cloud urls that Apigee hybrid may need to connect with during install\nand runtime.\n\nGoogle Cloud URLs for all Apigee hybrid installations\n-----------------------------------------------------\n\nThese URLs are used by all Apigee hybrid installations:\n\nGoogle Cloud URLs for Anthos installations\n------------------------------------------\n\nAll Apigee hybrid installations on Anthos (on-prem and multi-cloud) use additional Google\nCloud URLs. For more information, see:\n\n- [Proxy and firewall rules\n for Anthos on-prem](/anthos/clusters/docs/on-prem/how-to/firewall-rules)\n- [Proxy\n allowlist for Anthos multi-cloud](/anthos/clusters/docs/multi-cloud/aws/how-to/use-a-proxy#proxy_allowlist_2)\n\nGoogle Cloud URLs for data residency\n------------------------------------\n\nIf you are using forward proxy with [data residency](/apigee/docs/hybrid/v1.12/using-data-residency-with-apigee-hybrid), you must allowlist:\n\u003cvar translate=\"no\"\u003eCONTROL_PLANE_LOCATION\u003c/var\u003e`-apigee.googleapis.com` for each control plane location.\n| **Tip:** If your security protocols permit, you can allowlist `*-apigee.googleapis.com`"]]