If you have a restricted VPC environment where external domains need to be allowed, here is a
list of Google Cloud urls that Apigee hybrid may need to connect with during install
and runtime.
Google Cloud URLs for all Apigee hybrid installations
These URLs are used by all Apigee hybrid installations:
URL
Description
apigee.googleapis.com
The runtime uses these APIs to learn which proxies, shared flows,
etc., it should deploy, and to report its current configuration and health.
apigeeconnect.googleapis.com
This APIs is needed for apigee-mart-server and apigee-connect
communication when you have vpc-sc enabled to talk to the control plane.
Contanier images are hosted in Google Container Registry.
iamcredentials.googleapis.com
Required for generating access tokens used
by other Google Cloud API calls. For example, for runtime to make calls to download runtime
contracts from
apigee.googleapis.com, the permission is granted by a service account. So the runtime
needs to get an access token before making the call to apigee.googleapis.com.
logging.googleapis.com
This API is needed for the logging agent to send logs
to Cloud Logging.
monitoring.googleapis.com
Cloud Monitoring service endpoint to export metrics.
oauth2.googleapis.com
Authentication and authorization
pubsub.googleapis.com
The runtime subscribes to a pubsub topic to learn when to
initialize debug sessions.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis document lists the Google Cloud URLs that Apigee hybrid installations may need to access within a restricted VPC environment.\u003c/p\u003e\n"],["\u003cp\u003eThe listed URLs are essential for various functions, including runtime communication, configuration updates, logging, monitoring, and authentication.\u003c/p\u003e\n"],["\u003cp\u003eSome URLs are used by all Apigee hybrid installations, while others are specific to Anthos deployments or optional features like binary authorization.\u003c/p\u003e\n"],["\u003cp\u003eContainer images are hosted in registries like \u003ccode\u003egcr.io\u003c/code\u003e and \u003ccode\u003equay.io\u003c/code\u003e, which are required for the deployment and operation of Apigee hybrid components.\u003c/p\u003e\n"],["\u003cp\u003eThe access to these URLs enable downloading of proxies, shared flows and other resources needed for the proper function of Apigee Hybrid.\u003c/p\u003e\n"]]],[],null,["# Google Cloud URLs to allow for Hybrid\n\n| You are currently viewing version 1.14 of the Apigee hybrid documentation. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nIf you have a restricted VPC environment where external domains need to be allowed, here is a\nlist of Google Cloud urls that Apigee hybrid may need to connect with during install\nand runtime.\n\nGoogle Cloud URLs for all Apigee hybrid installations\n-----------------------------------------------------\n\nThese URLs are used by all Apigee hybrid installations:\n\nGoogle Cloud URLs for Anthos installations\n------------------------------------------\n\nAll Apigee hybrid installations on Anthos (on-prem and multi-cloud) use additional Google\nCloud URLs. For more information, see:\n\n- [Proxy and firewall rules\n for Anthos on-prem](/anthos/clusters/docs/on-prem/how-to/firewall-rules)\n- [Proxy\n allowlist for Anthos multi-cloud](/anthos/clusters/docs/multi-cloud/aws/how-to/use-a-proxy#proxy_allowlist_2)"]]