Configure virtual hosts

You are currently viewing version 1.11 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

This topic discusses thevirtualhosts configuration property. Virtual hosts allow Apigee hybrid to handle API requests to hostaliases associated with an environment group. For more information, seeRouting and base paths in theAbout environments and environment groups topic.

...virtualhosts:  - name: my-env-group    sslCertPath: ./certs/fullchain.pem    sslKeyPath: ./certs/privkey.key...

When an API proxy call comes, it is routed to the host alias(es) of the environment group where the API proxy is deployed.

For instructions on how to applyvirtualhosts to the cluster, seeApplying virtualhosts changes. For information about configuring TLS, seeConfiguring TLS and mTLS on the Istio ingress.

Adding multiple virtual hosts

Thevirtualhosts[] property is an array, and therefore you can create more than one.

...virtualhosts:  - name: my-env-group-1    sslCertPath: ./certs/fullchain1.pem    sslKeyPath: ./certs/privkey1.key  - name: my-env-group-2    sslCertPath: ./certs/fullchain2.pem    sslKeyPath: ./certs/privkey2.key...
Tip: For security purposes, it is best practice to have a separate TLS cert/key pair for each virtual host. If you are using a Subject Alternative Name (SAN ) certificate, this TLS cert/key pair should be used on one virtual host that is shared across the domain.

For information about configuring TLS, seeConfiguring TLS and mTLS on the Istio ingress.

Applyingvirtualhosts changes

If you only add or change thevirtualhosts property, and nothing else, then you can apply those changes with the‑‑settings flag. This applies only forapigeectl; for Helm, we are applyingapigee-virtualhost with the appropriate variable.

Helm

helm upgradeENV_GROUP_NAME apigee-virtualhost/ \  --namespaceapigee \  --atomic \  --set envgroup=ENV_GROUP_NAME \  -fOVERRIDES_FILE.yaml
Note: If you see an error sayingError: UPGRADE FAILED: "ENV_GROUP_NAME" has no deployed releases, replaceupgrade withinstall and try the command again.

apigeectl

$APIGEECTL_HOME/apigeectl apply -fOVERRIDES_FILE.yaml ‑‑settings virtualhosts

If you modify thevirtualhosts andenv settings, you need to apply the changes without usingENV_GROUP_NAME apigee-virtualhost/ for Helm and‑‑settings virtualhosts forapigeectl. Here's how to update the cluster:

Helm

Runhelm upgrade for each environment you want to update.

helm upgradeENV_NAME apigee-env/ \    --namespaceapigee \     --atomic \     --set env=ENV_NAME \     -fOVERRIDES_FILE.yaml

Then upgrade theapigee-virtualhost chart:

helm upgradeENV_GROUP_NAME apigee-virtualhost/ \    --namespaceapigee \    --atomic \    --set envgroup=ENV_GROUP_NAME \    -fOVERRIDES_FILE.yaml
Note: If you see an error sayingError: UPGRADE FAILED: "ENV_NAME" has no deployed releases, replaceupgrade withinstall and try the command again.

apigeectl

$APIGEECTL_HOME/apigeectl apply -fOVERRIDES_FILE.yaml --envENV_NAME

or, to update the component for all environments:

$APIGEECTL_HOME/apigeectl apply -fOVERRIDES_FILE.yaml --all-envs

Then Apply the changes to the virtualhost:

$APIGEECTL_HOME/apigeectl apply -fOVERRIDES_FILE.yamlsettings virtualhosts

TLS keys and certificates

Thevirtualhost property requires a TLS key and certificate. The key/cert are used to provide secure communication with the ingress gateway and must be compatible with the host aliases used in the specified environment group.

It is up to you how you generate proper TLS certificate/key pairs for your hybrid configuration. The following topics are provided as samples only, intended primarily for trying out or testing a new hybrid installation if it isn't feasible to obtain TLS credentials in another way:

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.