Configure forward proxying for API proxies

Note: Both Apigee and Apigee hybrid supportforward proxy functionality. Use the instructions on this page to configure forward proxies for hybrid rather than the general Apigee functionality.

Forward proxies provide a single point through which multiple machines send requests to an external server. They can enforce security policies, log and analyze requests, and perform other actions so that requests adhere to your business rules.

Using a forward proxy in Apigee hybrid, you can intercept and manage all egress traffic from your Kubernetes cluster. This includes API proxy requests to Target Endpoints and communication with*.googleapis.com that the hybrid runtime makes for its debug and analytics pipeline and for policies likeMessageLogging.

To use an HTTP forward proxy between hybrid and the TargetEndpoint, you must configure the outbound proxy settings in your overrides file. These environment-scoped properties route target requests from hybrid to the HTTP forward proxy. You also need to ensureuse.proxy is set to "true" for any TargetEndpoint that you want to go through an HTTP forward proxy. See the bottom of the page for instructions.

To configure a hybrid environment for forwarding proxying, add theenvs.httpProxy property to your overrides file and apply it to the cluster. For example:

envs:  - name: test    httpProxy:      scheme: HTTP      host: 10.12.0.47      port: 3128      ...
NOTE: Thescheme must be HTTP and must be uppercase.

For details on each of theenvs.httpProxy configuration properties refer to theConfiguration property reference.

Forward proxying is configured for an environment; all traffic going from API proxies in that environment to backend targets goes through the specified HTTP forward proxy. If the traffic for a specific target of an API proxy should go directly to the backend target, bypassing the forward proxy, then set the following property in the TargetEndpoint to override the HTTP forward proxy:

<Property name="use.proxy">false</Property>

For more information on setting the TargetEndpoint properties, including how to configure the connection to the target endpoint, seeEndpoint properties reference.

Setuse.proxy to "true" for any TargetEndpoint that you want to go through an HTTP forward proxy:

<Property name="use.proxy">true</Property>

If you have a firewall on the backend which is configured to expectHost Header always to include thebackend server host name, while the Message Processor is sending theproxy server hostname, perform the following to configure this option:

Set the propertyuse.proxy.host.header.with.target.urito true in theTargetEndpoint as shown in the following example:

Sample TargetEndpoint configuration:

  <TargetEndpoint name="default">    <HTTPTargetConnection>      <URL>https://mocktarget.apigee.net/json</URL>      <Properties>        <Property name="use.proxy.host.header.with.target.uri">true</Property>      </Properties>    </HTTPTargetConnection>  </TargetEndpoint>

For details on theuse.proxy.host.header.with.target.uri property, seeEndpoint properties reference.

Important note on external calls: Configuring non-API proxy forwarding usinghttpProxy without also settingenvs.httpProxy will not apply the proxy configuration to Apigee Runtime's external calls to services like Pub/Sub or other Google Cloud APIs.

If you only specifyhttpProxy, you must also ensure that*.googleapis.com is allowlisted for your Apigee Runtime pods to enable connectivity to these services.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.