Understanding Edge support for Node.js modules


Private Cloud Deprecation Notice:

Support for Node.js proxies and secure vaults

Since 2013, Apigee has supported the use of Node.js proxies within Apigee Edge through the use of Trireme, which enables you to run your Node.js code within Apigee Edge for Private Cloud and expose it as an API.

Apigee recommends Private Cloud customers take the following steps:

  • Migrate data in secure vaults to Encrypted Key Value Maps (KVM) to access sensitive data from an API proxy.
  • Migrate Trireme (Node.js) based API proxies to a native Node.js environment outside of Apigee.

See also Apigee deprecations and retirements.

Public Cloud Retired feature: The traditional, Trireme-based Node.js support on Apigee Edge Cloud is retired and, by extension, apigee-access is also retired because it is only used in Trireme-based Node.js applications deployed on Apigee Edge. Trireme-based Node.js was retired on October 10, 2019. See Trireme-based Node.js End of Life.

What version of Node.js is supported on Apigee Edge?

Edge currently supports Node.js 0.10.32.

Which standard Node.js modules are supported on Edge?

Use the following table to determine which standard Node.js modules are included on Edge. In some cases, included modules are only partially supported. These are modules that are built-in to Node.js.

Module | Status | Notes
assert | Supported |
buffer | Supported |
child_process | Restricted | An exception will be thrown if an attempt is made to spawn a sub-process. However, "fork" is supported for spawning sub-scripts.
cluster | Disabled | The method cluster.isMaster always returns true, and other methods are not implemented. One copy of each Node.js script is deployed to each Edge message processor.
crypto | Supported |
dns | Supported |
domain | Supported |
dgram | Restricted | Node.js applications in the Apigee environment will not be able to access services on the Internet via UDP due to our network architecture.
events | Supported |
fs | Restricted | Filesystem access is restricted to the directory where the script was launched: the /resources/node directory. Node.js scripts may read and write files within this directory, for instance as a temporary scratch area, but there are no guarantees as to how long the files will persist.
http | Supported | The virtual host and path for incoming requests is specified in the API Proxy, not by the HTTP module. See "Understanding support for the http and https modules" for more information.
https | Supported | Creating an "https" server behaves identically to an "http" server. See "Understanding support for the http and https modules" for more information.
module | Supported |
net | Restricted | Attempts to listen for incoming TCP connections will generate an exception.
path | Supported |
module | Supported |
process | Partial support | Functionality to manipulate user ID, group membership, and working directory is not supported.
punycode | Supported |
querystring | Supported |
readline | Disabled | There is no standard input for scripts running on Apigee Edge.
repl | Disabled | There is no standard input for scripts running on Apigee Edge.
module | Included |
STDIO | Supported | Standard output and error are routed to a log file within the Apigee Edge infrastructure. You can view these logs by clicking the Node.js Logs button in the Apigee Edge management UI for your API proxy. There is no standard input for scripts running on Apigee Edge. However, you can pass arguments using the ScriptTarget element of TargetEndpoint. See Advanced ScriptTarget configuration for more information.
stream | Supported |
string_decoder | Supported |
timers | Included |
tls | Supported | Transport Layer Security (TLS) parameters work basically the same way they work in regular Node.js. See Using the TLS (SSL) Node.js module on Apigee Edge for details.
tty | Disabled | There is no standard input for scripts running on Apigee Edge.
url | Supported |
util | Supported |
vm | Supported |
zlib | Supported |

Additional supported modules

This section lists additional modules that are not supported in standard Node.js, but are supported by Trireme and Trireme running on Apigee Edge. Trireme is the open-source Node.js container that runs on Apigee Edge. It is designed to run Node.js scripts inside a Java Virtual Machine (JVM). All of these modules are available on NPM.

Module | Description
apigee-access | Allows Node.js applications running on the Apigee Edge platform a way to access Apigee-specific functionality. You can use this module to: access and modify flow variables, retrieve data from the secure store, and use Edge cache, quota, and OAuth services. See also Using the apigee-access module.
trireme-support | Lets Node.js applications take advantage of features specific to Trireme. Currently there is only one feature supported: loading Node.js modules built in Java. Note: loadJars is not supported in Edge Cloud.
trireme-xslt | Presents an abstraction of XSLT processing. It is specifically designed for the Trireme platform to allow efficient processing of XSLT when Node.js applications are run on Java.
trireme-jdbc | Provides access to JDBC from Node.js. Note: Unsupported in Edge Cloud. For Edge Private Cloud, you can put JDBC JAR files in the class path and use this module.

Support for commonly used Node.js modules

Warning: Node.js on Apigee Edge includes some pre-installed Node.js modules, such as Express, that you can use without uploading them with your Node.js project. However, using these pre-installed modules is not recommended as they are not guaranteed to be up to date, and for this reason, they are no longer documented.

Restrictions on Node.js scripts

Note, however, that Edge imposes certain restrictions on Node.js scripts, such as the following:

  • Node.js applications in the Apigee Edge environment cannot access services on the Internet via UDP because of the Edge network architecture.
  • Filesystem access is restricted to the directory where the Node.js script was launched: the /resources/node directory. Node.js scripts can read and write files within this directory, for instance as a temporary scratch area, but there are no guarantees as to how long the files will persist.
  • Attempts to listen for incoming TCP connections generate an exception.
  • Functionality to manipulate user ID, group membership, and working directory is not supported.

Setting IP connection restrictions on Edge for Private Cloud

Edge for Private Cloud can restrict Node.js code from accessing IP addresses starting with "10.", "192.168", and localhost. If you attempt to access these IP addresses, you will see an error in the form:

{ [Error: connect EINVAL] message: 'connect EINVAL', code: 'EINVAL', errno: 'EINVAL', syscall: 'connect' }

You can modify these restrictions by setting the conf_nodejs_connect.ranges.denied property in the message-processor.properties file for each Message Processor. By default, this property has the value:

  • Edge 4.17.05 and earlier: conf_nodejs_connect.ranges.denied=10.0.0.0/8,192.168.0.0/16,127.0.0.1/32
  • Edge 4.17.09 and later: conf_nodejs_connect.ranges.denied= (meaning no restrictions)

To set this property:

  1. Open the message-processor.properties file in an editor. If the file does not exist, create it:
    > vi /<inst_root>/apigee/customer/application/message-processor.properties
  2. Set the property as desired. For example, to deny access to only localhost:
    conf_nodejs_connect.ranges.denied=127.0.0.1/32
  3. Save your changes.
  4. Make sure the properties file is owned by the 'apigee' user:
    > chown apigee:apigee /<inst_root>/apigee/customer/application/message-processor.properties
  5. Restart the Message Processor:
    > /<inst_root>/apigee/apigee-service/bin/apigee-service edge-message-processor restart
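
The following is an added example, not part of the Apigee documentation or product code: a small audit helper that reads a conf_nodejs_connect.ranges.denied value and reports which internal IPv4 ranges it leaves reachable from Node.js code. The function names and the SENSITIVE list are assumptions made for illustration, and the helper only models the value as the comma-separated CIDR list shown above (IPv4 only, a range counts as covered when one denied entry contains it); it does not reproduce how Edge itself evaluates the property.

```javascript
// Added example: audit a conf_nodejs_connect.ranges.denied value (IPv4 only).

// Dotted-quad IPv4 -> unsigned 32-bit integer; throws on malformed input.
function ipToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) throw new Error('not an IPv4 address: ' + ip);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error('bad octet: ' + ip);
    return acc * 256 + Number(p);
  }, 0);
}

// "a.b.c.d/n,..." -> [{start, end}] integer ranges. An empty value yields [].
function parseDenied(value) {
  return value.split(',').map(s => s.trim()).filter(Boolean).map(cidr => {
    const [addr, bitsStr = '32'] = cidr.split('/');
    if (!/^\d{1,2}$/.test(bitsStr) || Number(bitsStr) > 32) throw new Error('bad prefix: ' + cidr);
    const size = Math.pow(2, 32 - Number(bitsStr));
    const start = Math.floor(ipToInt(addr) / size) * size; // network address
    return { start, end: start + size - 1 };
  });
}

// Last uncommented assignment of the property in properties-file text, or null.
function readDeniedProperty(text) {
  const hits = text.split(/\r?\n/)
    .map(l => /^\s*conf_nodejs_connect\.ranges\.denied\s*=(.*)$/.exec(l))
    .filter(Boolean);
  return hits.length ? hits[hits.length - 1][1].trim() : null;
}

// Sensitive CIDRs not fully contained in any single denied range.
function uncovered(value, sensitive) {
  const denied = parseDenied(value || '');
  return sensitive.filter(cidr => {
    const t = parseDenied(cidr)[0];
    return !denied.some(r => r.start <= t.start && t.end <= r.end);
  });
}

// Assumed audit list: loopback, RFC 1918 private space, link-local.
const SENSITIVE = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12',
  '192.168.0.0/16', '169.254.0.0/16'];

// Constructed sample: the 4.17.05-and-earlier default shown on this page.
const sample = '# constructed sample\n' +
  'conf_nodejs_connect.ranges.denied=10.0.0.0/8,192.168.0.0/16,127.0.0.1/32\n';
console.log(uncovered(readDeniedProperty(sample), SENSITIVE));
```

Run against the older default, the helper flags 127.0.0.0/8 (only 127.0.0.1/32 is denied), 172.16.0.0/12 and 169.254.0.0/16; run against the empty 4.17.09-and-later default, it flags every range in the list.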

Understanding support for the http and https modules

All Node.js applications running in Apigee Edge must use the http or https module to listen for incoming requests. If you were to deploy a script that doesn't listen for incoming requests, it would simply execute and exit.

The listen method of the http and https modules in Node.js takes a port number as a parameter. For example:

svr.listen(process.env.PORT || 9000, function() {
  console.log('The server is running.');
});

This "port" argument is required in Node.js, but Apigee Edge ignores this parameter. Instead, the API proxy in which the Node.js script runs specifies the "virtual host" that it listens on, and the Node.js application uses those same virtual hosts, just like any other Apigee Edge proxy.

Tip: Coding the port number to be retrieved from an environment variable conditionally, as shown in the example above, is considered a best practice by Apigee.

Every environment in Apigee has at least one virtual host. The virtual host defines the HTTP settings for connection with the Apigee organization. All API proxies in an environment share the same virtual hosts. By default, two virtual hosts are available for each environment: default and secure. For more information, see Get Virtual Host and API development lifecycle.

The apigeetool deploynodeapp command generates an Apigee Edge proxy wrapper around the Node.js application. When deployed, the Node.js application listens on the default virtual host defined for the environment. The URL for a Node.js application will always be http://{org_name}-{env_name}.apigee.net.

Handling incoming requests

Like other Apigee Edge applications, if the proxy application is set up to listen on the secure virtual host, then it will accept incoming requests using HTTPS.

Note: Currently, more advanced setup, including custom CNAME support and custom TLS/SSL certificates, requires assistance from Apigee. For more on the secure virtual host, see API development lifecycle. See also Understanding support for the tls module.

Handling outgoing requests

In addition to receiving incoming traffic, Node.js applications inside Apigee Edge may use the http and https modules to make outbound requests like any other Node.js application. These modules work just as they always do inside Node.js.

Note: If you use custom TLS/SSL certificates or trust stores, the Apigee Edge support for outbound requests works differently. Contact Apigee Support if you have questions.

Understanding support for the tls module

Apigee Edge supports the Node.js tls module. This module uses OpenSSL to provide Transport Layer Security (TLS) and/or Secure Socket Layer (SSL) encrypted stream communication. You can use the tls module to create secure connections to backend services from Node.js applications running on Edge.

To understand how the tls module works on Apigee Edge, it's important to understand how virtual hosts are used on Apigee Edge. Every environment in Apigee has at least one virtual host. The virtual host defines the HTTP settings for connection with the Apigee organization. All API proxies in an environment share the same virtual hosts. By default, two virtual hosts are available for each environment: default and secure. For more information on virtual hosts, see Get Virtual Host and API development lifecycle.

Now, let's look at how Apigee Edge handles TLS (SSL) communication for incoming and outgoing requests on Node.js applications:

Handling incoming requests

Depending on how virtual hosts are configured for your organization, Edge provides these options:

  • If the API proxy is configured to listen on the default virtual host, then it accepts requests over HTTP.
  • If the API proxy is configured to listen on the secure virtual host, then it accepts requests over HTTPS. The URL will be under the apigee.net domain, and a wildcard SSL certificate for *.apigee.net will be used. As long as apps make requests to the apigee.net domain, then the SSL certificate will validate normally.

Note: To use custom TLS/SSL certificates for inbound traffic, see Apigee Support at the Support Portal.

Handling outgoing requests

You can make outgoing requests with the tls module the same way you would normally in Node.js. Basically, you need to add client-side keys and certificates (.pem files) to the resources/node directory and load them inside your script. For information on using the tls module and its methods, see the Node.js tls module documentation.

Advanced ScriptTarget Configuration

In the <TargetEndpoint> definition, the <ScriptTarget> element takes additional optional parameters besides <ResourceURL>. You can also pass command-line arguments and environment variables to a Node.js script using the <EnvironmentVariables> and <Arguments> parameters:
<TargetEndpoint name="default">
  <ScriptTarget>
    <ResourceURL>node://hello.js</ResourceURL>
    <EnvironmentVariables>
      <EnvironmentVariable name="NAME">VALUE</EnvironmentVariable>
    </EnvironmentVariables>
    <Arguments>
      <Argument>ARG</Argument>
    </Arguments>
  </ScriptTarget>
</TargetEndpoint>

Tip: You can get a listing of all environment variables that are set when a Node.js app starts up on Edge by executing this line of code in your Node.js server:
console.log('environment variables: ' + JSON.stringify(process.env));

Variables set include APIGEE_ORGANIZATION and APIGEE_ENVIRONMENT. For example (actual values are omitted):

{"TERM":"","JAVA_HOME":"","SHLVL":"","XFILESEARCHPATH":"","APIGEE_HOME":"","microkernel_overrideTokenFolder":"","working_dir":"","microkernel_host":"","PWD":"","microkernel_overrideTokenDirs":"","LOGNAME":"","_APIGEE_APP_ID":"","_":"","microkernel_defaultTokenFolder":"","NLSPATH":"","microkernel_timeout":"","SHELL":"","TMPDIR":"","microkernel_hasMonetization":"","USE_TOKENIZED_CONFIG":"","microkernel_org":"","PATH":"","microkernel_application":"","microkernel_installType":"","microkernel_instanceType":"","USER":"","HOME":"","APIGEE_ORGANIZATION":"","CONFIG_UTIL_HOME":"","microkernel_pod":"","APIGEE_ENVIRONMENT":"","microkernel_defaultTokenDirs":"","microkernel_region":"","LANG":""}

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-02 UTC.