This step explains how to set up the Kubernetes service for your Apigee ingress gateway.
The Kubernetes services is needed per ingress deployment to obtain an IP address that can be exposed.
Client calls to proxies will invoke a hostname that will resolve to this IP address.
Options for Kubernetes services for your Apigee ingress gateway
There are two options for providing a kubernetes service to assign the IP address ...
For production environments, Apigee recommends you create a custom Kubernetes service for each ingress
gateway.
Apigee deletes default service, but does not delete the custom kubernetes service upon clean up.
Hence, the IP address won't be released upon reinstallation of Apigee hybrid.
For platforms not on Google Cloud, like EKS, AKS, and OpenShift, you need to customize the
Kubernetes service to work with the cloud provider. Therefore it is better to create a custom
Kubernetes service than to use the default service, as Apigee does not support all customizations to
the default Kubernetes service.
Use the following steps to set up and route traffic to the new ingress gateway.
Create a Kubernetes service with the required pod selector labels, app,
ingress_name, and org. These labels are already present in Apigee ingress gateway pods.
Create a service file using the following as an example:
SERVICE_NAME is a name used to identify this service. For example,
apigee-prod-1.
INGRESS_NAME is the name of this Apigee ingress gateway gateway. It must match the name
you provided for ingressGateways.name in your overrides.yaml file. for
more information see
ingressGateways in the
Configuration properties reference.
ORG_NAME is the name of the Apigee organization. It must match the name
you provided for org in your overrides.yaml file. for
more information see
org in the
Configuration properties reference.
LOAD_BALANCER_IP is the IP adddress for the load balancer.
Apigee ingress gateway exposes the following ports:
Port
Description
443
Runtime traffic.
15021
Health check. status-port exposes a /healthz/ready endpoint
that can be used with GKE Ingress health checks.
Create the service by applying the SERVICE_FILENAME.yaml:
kubectl apply -f SERVICE_FILENAME.yaml
Find the external IP of Apigee ingress gateway with the following command:
kubectl get svc -n apigee SERVICE_NAME
Your output should look something like:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
apigee-ingressgateway-prod-hybrid-37a39bd LoadBalancer 192.0.2.123 233.252.0.123 15021:32049/TCP,80:31624/TCP,443:30723/TCP 16h
Disable the loadbalancer for the default Apigee ingress gateway service:
INGRESS_IP_ADDRESS is the ingress IP address, for example 233.252.0.123.
On success the command returns:
Apigee Ingress is healthy
Use this IP address to update your DNS record (usually an A or CNAME record)
at your registrar or DNS provider.
Use the default Kubernetes service
For non-production environments or to test initial traffic through the Apigee ingress gateway,
Apigee hybrid provides default Kubernetes service for each ingress deployment.
You can make limited configuration changes to the default service in your overrides.yaml
file. For the available configuration options, see Managing
Apigee ingress gateway. For example, you can add annotations.
For production environments, it is recommended you provide a Kubernetes service for ingress.
Follow the steps in Create your own Kubernetes service.
Find the external IP of the default Apigee ingress service with the following command:
kubectl get svc -n apigee -l app=apigee-ingressgateway
Your output should look something like:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
apigee-ingressgateway-prod-hybrid-37a39bd LoadBalancer 192.0.2.123 233.252.0.123 15021:32049/TCP,80:31624/TCP,443:30723/TCP 16h
Test the ingress gateway by making a healthcheck call.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eApigee hybrid version 1.8 is end of life and should be upgraded to a newer version.\u003c/p\u003e\n"],["\u003cp\u003eThe Apigee ingress gateway feature, introduced in version 1.8.0, requires a Kubernetes service to obtain an IP address for client calls to proxies.\u003c/p\u003e\n"],["\u003cp\u003eFor production environments, it's strongly recommended to create a custom Kubernetes service for each Apigee ingress gateway, as opposed to using the default service, due to control over the IP address retention and cloud provider customization requirements.\u003c/p\u003e\n"],["\u003cp\u003eTo set up the ingress gateway, you need to create a Kubernetes service with specific pod selector labels, apply it, and then find the external IP address for updating your DNS records.\u003c/p\u003e\n"],["\u003cp\u003eThe default Kubernetes service for the Apigee ingress gateway is suitable for non-production environments or testing, but it will be deleted when the ingress deployment is removed.\u003c/p\u003e\n"]]],[],null,["# Step 9: Expose Apigee ingress gateway\n\n| You are currently viewing version 1.8 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n| Apigee ingress gateway is a new feature introduced in Apigee hybrid version 1.8.0. It replaces Anthos Service Mesh to provide the ingress gateway.\n\n\nThis step explains how to set up the Kubernetes service for your Apigee ingress gateway.\nThe Kubernetes services is needed per ingress deployment to obtain an IP address that can be exposed.\nClient calls to proxies will invoke a hostname that will resolve to this IP address.\n\nOptions for Kubernetes services for your Apigee ingress gateway\n---------------------------------------------------------------\n\n\nThere are two options for providing a kubernetes service to assign the IP address ...\n\n- Create a [custom Kubernetes service](#customservice) for each Apigee ingress gateway (recommended).\n- Use the [default Kubernetes service](#defaultservice).\n\n### Create your own Kubernetes service\n\n\nFor production environments, Apigee recommends you create a custom Kubernetes service for each ingress\ngateway.\n\n- Apigee deletes default service, but does not delete the custom kubernetes service upon clean up. Hence, the IP address won't be released upon reinstallation of Apigee hybrid.\n- For platforms not on Google Cloud, like EKS, AKS, and OpenShift, you need to customize the Kubernetes service to work with the cloud provider. Therefore it is better to create a custom Kubernetes service than to use the default service, as Apigee does not support all customizations to the default Kubernetes service.\n\n\nUse the following steps to set up and route traffic to the new ingress gateway.\n\n1. Create a Kubernetes service with the required pod selector labels, `app`, `ingress_name`, and `org`. These labels are already present in Apigee ingress gateway pods. Create a service file using the following as an example: \n\n ```\n apiVersion: v1\n kind: Service\n metadata:\n name: SERVICE_NAME\n namespace: apigee\n spec:\n ports:\n - name: status-port\n port: 15021\n protocol: TCP\n targetPort: 15021\n - name: https\n port: 443\n protocol: TCP\n targetPort: 8443\n selector:\n app: apigee-ingressgateway #required\n ingress_name: INGRESS_NAME\n org: ORG_NAME\n type: LoadBalancer\n loadBalancerIP: LOAD_BALANCER_IP\n ```\n - \u003cvar translate=\"no\"\u003eSERVICE_NAME\u003c/var\u003e is a name used to identify this service. For example, `apigee-prod-1`. **Note:** To more easily identify your services, use the ingress name as part of the service name.\n - \u003cvar translate=\"no\"\u003eINGRESS_NAME\u003c/var\u003e is the name of this Apigee ingress gateway gateway. It must match the name you provided for `ingressGateways.name` in your `overrides.yaml` file. for more information see [`ingressGateways` in the\n Configuration properties reference](/apigee/docs/hybrid/v1.8/config-prop-ref#ingressgateways).\n - \u003cvar translate=\"no\"\u003eORG_NAME\u003c/var\u003e is the name of the Apigee organization. It must match the name you provided for `org` in your `overrides.yaml` file. for more information see [`org` in the\n Configuration properties reference](/apigee/docs/hybrid/v1.8/config-prop-ref#org).\n - \u003cvar translate=\"no\"\u003eLOAD_BALANCER_IP\u003c/var\u003e is the IP adddress for the load balancer.\n\n\n Apigee ingress gateway exposes the following ports:\n\n2. Create the service by applying the \u003cvar translate=\"no\"\u003eSERVICE_FILENAME\u003c/var\u003e`.yaml`: \n\n ```\n kubectl apply -f SERVICE_FILENAME.yaml\n ```\n3. Find the external IP of Apigee ingress gateway with the following command: \n\n ```\n kubectl get svc -n apigee SERVICE_NAME\n ```\n\n\n Your output should look something like: \n\n ```\n NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE\n apigee-ingressgateway-prod-hybrid-37a39bd LoadBalancer 192.0.2.123 233.252.0.123 15021:32049/TCP,80:31624/TCP,443:30723/TCP 16h\n ```\n4. Disable the loadbalancer for the default Apigee ingress gateway service:\n 1. Update the [`ingressGateways[].svcType`](/apigee/docs/hybrid/v1.8/config-prop-ref#ingressgateways-svctype) property to `ClusterIP` in your overrides file: \n\n ```\n ingressGateways:\n svcType: ClusterIP\n ```\n 2. Apply the changes with `apigeectl apply --org`. \n\n ```\n ${APIGEECTL_HOME}/apigeectl apply -f ${HYBRID_FILES}/overrides/overrides.yaml\n ```\n\n See [Disable the loadbalancer for the default\n Apigee ingress gateway service](/apigee/docs/hybrid/v1.8/managing-ingress#disable-loadbalancer) for more information.\n5. Test the ingress gateway by making a healthcheck call.\n\n ```\n curl -H 'User-Agent: GoogleHC/' https://DOMAIN/healthz/ingress -k \\\n --resolve \"DOMAIN:443:INGRESS_IP_ADDRESS\"\n ```\n\n Where\n - \u003cvar translate=\"no\"\u003eDOMAIN\u003c/var\u003e is the domain you provided as the hostname for the environment group you created in [Project and org setup - Step 3: Create an\n environment group](/apigee/docs/hybrid/v1.8/precog-add-environment).\n - \u003cvar translate=\"no\"\u003eINGRESS_IP_ADDRESS\u003c/var\u003e is the ingress IP address, for example `233.252.0.123`.\n\n\n On success the command returns: \n\n ```\n Apigee Ingress is healthy\n ```\n6. Use this IP address to update your DNS record (usually an `A` or `CNAME` record) at your registrar or DNS provider.\n\n### Use the default Kubernetes service\n\n\nFor non-production environments or to test initial traffic through the Apigee ingress gateway,\nApigee hybrid provides default Kubernetes service for each ingress deployment.\n\n\nYou can make limited configuration changes to the default service in your `overrides.yaml`\nfile. For the available configuration options, see [Managing\nApigee ingress gateway](/apigee/docs/hybrid/v1.8/managing-ingress). For example, you can add annotations.\n\n| **Note:** This service will be deleted when the ingress deployment is deleted (when the ingress gateway is removed from the overrides file).\n\n\nFor production environments, it is recommended you provide a Kubernetes service for ingress.\nFollow the steps in [Create your own Kubernetes service](#customservice).\n\n1. Find the external IP of the default Apigee ingress service with the following command: \n\n ```\n kubectl get svc -n apigee -l app=apigee-ingressgateway\n ```\n\n\n Your output should look something like: \n\n ```\n NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE\n apigee-ingressgateway-prod-hybrid-37a39bd LoadBalancer 192.0.2.123 233.252.0.123 15021:32049/TCP,80:31624/TCP,443:30723/TCP 16h\n ```\n2. Test the ingress gateway by making a healthcheck call.\n\n ```\n curl -H 'User-Agent: GoogleHC/' https://DOMAIN/healthz/ingress -k \\\n --resolve \"DOMAIN:443:INGRESS_IP_ADDRESS\"\n ```\n\n Where\n - \u003cvar translate=\"no\"\u003eDOMAIN\u003c/var\u003e is the domain you provided as the hostname for the environment group you created in [Project and org setup - Step 3: Create an\n environment group](/apigee/docs/hybrid/v1.8/precog-add-environment).\n - \u003cvar translate=\"no\"\u003eINGRESS_IP_ADDRESS\u003c/var\u003e is the ingress IP address, for example `233.252.0.123`.\n\n\n On success the command returns: \n\n ```\n Apigee Ingress is healthy\n ```\n3. Use this IP address to update your DNS record (usually an `A` or `CNAME` record) at your registrar or DNS provider.\n\n| **Congratulations!**\n|\n| You've successfully set up the Apigee ingress gateway. Now it's time to download a proxy and test\n| your ingress gateway.\n[1](/apigee/docs/hybrid/v1.8/install-create-cluster) [2](/apigee/docs/hybrid/v1.8/install-cert-manager) [3](/apigee/docs/hybrid/v1.8/install-apigeectl) [4](/apigee/docs/hybrid/v1.8/install-service-accounts) [5](/apigee/docs/hybrid/v1.8/install-create-tls-certificates) [6](/apigee/docs/hybrid/v1.8/install-configure-cluster) [7](/apigee/docs/hybrid/v1.8/install-enable-synchronizer-access) [8](/apigee/docs/hybrid/v1.8/install-hybrid-runtime) [9](/apigee/docs/hybrid/v1.8/install-expose-apigee-ingress) [(NEXT) Step 10: Deploy a proxy](/apigee/docs/hybrid/v1.8/install-deploy-proxy)\n\n\u003cbr /\u003e"]]
