Managing Apigee ingress gateway
Configuring Apigee ingress gateway
You can configure your ingress gateways in your overrides.yaml. For example:
Syntax
    ingressGateways:
    - name: INGRESS_NAME
      replicaCountMin: REPLICAS_MIN
      replicaCountMax: REPLICAS_MAX
      resources:
        requests:
          cpu: CPU_COUNT_REQ
          memory: MEMORY_REQ
        limits:
          cpu: CPU_COUNT_LIMIT
          memory: MEMORY_LIMIT
      svcAnnotations:  # optional.
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
      svcLoadBalancerIP: SVC_LOAD_BALANCER_IP # optional
Example
    ingressGateways:
    - name: prod1
      replicaCountMin: 2
      replicaCountMax: 100
      resources:
        requests:
          cpu: 1
          memory: 1Gi
        limits:
          cpu: 2
          memory: 2Gi
      svcAnnotations:  # optional. See Known issue 243599452.
        networking.gke.io/load-balancer-type: "Internal"
      svcLoadBalancerIP: 198.252.0.123
- INGRESS_NAME is the name of the ingress gateway deployment. This can be any name that meets the following requirements:
  - Have a maximum length of 17 characters
  - Contain only lowercase alphanumeric characters, '-' or '.'
  - Start with an alphanumeric character
  - End with an alphanumeric character

  See ingressGateways[].name in the Configuration property reference.
- REPLICAS_MIN and REPLICAS_MAX: The minimum and maximum replica counts for Apigee ingress gateway in your installation. See ingressGateways[].replicaCountMin and ingressGateways[].replicaCountMax in the Configuration property reference.
- CPU_COUNT_REQ and MEMORY_REQ: The CPU and memory request for each replica of Apigee ingress gateway in your installation. Set these properties if you had previously set them for your Anthos Service Mesh ingress gateway in Apigee hybrid version 1.8 or earlier, for example in your overlay.yaml file. See ingressGateways[].resources.requests.cpu and ingressGateways[].resources.requests.memory in the Configuration property reference.
- CPU_COUNT_LIMIT and MEMORY_LIMIT: The maximum CPU and memory limits for each replica of Apigee ingress gateway in your installation. Set these properties if you had previously set them for your Anthos Service Mesh ingress gateway in Apigee hybrid version 1.8 or earlier, for example in your overlay.yaml file. See ingressGateways[].resources.limits.cpu and ingressGateways[].resources.limits.memory in the Configuration property reference.
- SVC_ANNOTATIONS_KEY and SVC_ANNOTATIONS_VALUE (optional):

  Note: The ingressGateways[].svcAnnotations field in overrides.yaml is not working as expected. See Known issue 243599452.

  This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external. For example:

      ingressGateways:
        svcAnnotations:
          networking.gke.io/load-balancer-type: "Internal"

  Annotations vary from platform to platform. See your platform documentation for required and suggested annotations.

  Note: You do not need to set Annotations here if you are creating your own Kubernetes service for ingress gateway deployment as documented in Expose Apigee ingress gateway.

  See ingressGateways[].svcAnnotations in the Configuration property reference.
- SVC_LOAD_BALANCER_IP (optional). On platforms that support specifying the load balancer IP address, the load balancer will be created with this IP address. On platforms that do not allow you to specify the load balancer IP address, this property is ignored.

  Caution: Make sure not to specify the same IP address as the current istio-ingressgateway. This could cause problems while that service is still on the cluster.

  Note: You do not need to set LoadBalancerIP if you are creating your own Kubernetes service for ingress gateway deployment as documented in Expose Apigee ingress gateway.

  See ingressGateways[].svcLoadBalancerIP in the Configuration property reference.
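The naming rules and the load balancer IP caution above can be checked before an overrides file is applied. The following is an added example, not code from the Apigee documentation; the function name, the istio_ingress_ip parameter and the two bad sample entries are hypothetical, and the input is assumed to be the already parsed ingressGateways list.

```python
import ipaddress
import re

# Naming rule from the list above: lowercase alphanumerics, '-' or '.',
# alphanumeric first and last character, at most 17 characters.
NAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")
MAX_NAME_LEN = 17


def check_ingress_gateways(gateways, istio_ingress_ip=None):
    """Return a list of problems in a parsed ingressGateways list.

    istio_ingress_ip (hypothetical parameter) is the address of an
    istio-ingressgateway service that is still on the cluster, if any.
    """
    problems = []
    for gw in gateways:
        name = str(gw.get("name", ""))
        if len(name) > MAX_NAME_LEN or not NAME_RE.fullmatch(name):
            problems.append(f"{name}: invalid name")
        lo, hi = gw.get("replicaCountMin"), gw.get("replicaCountMax")
        if lo is not None and hi is not None and lo > hi:
            problems.append(f"{name}: replicaCountMin exceeds replicaCountMax")
        ip = gw.get("svcLoadBalancerIP")
        if ip is None:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{name}: svcLoadBalancerIP is not an IP address")
            continue
        if istio_ingress_ip and addr == ipaddress.ip_address(istio_ingress_ip):
            problems.append(f"{name}: svcLoadBalancerIP is in use by istio-ingressgateway")
    return problems


# Constructed sample: the page's prod1 entry plus two deliberately bad entries.
SAMPLE = [
    {"name": "prod1", "replicaCountMin": 2, "replicaCountMax": 100,
     "svcLoadBalancerIP": "198.252.0.123"},
    {"name": "Prod-Gateway-Europe-1", "replicaCountMin": 2, "replicaCountMax": 10},
    {"name": "edge-", "replicaCountMin": 5, "replicaCountMax": 2,
     "svcLoadBalancerIP": "198.252.0.50"},
]

if __name__ == "__main__":
    for line in check_ingress_gateways(SAMPLE, istio_ingress_ip="198.252.0.50"):
        print(line)
```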
Apply the Apigee ingress gateway configuration
Apply changes to the organization scope:
Helm
    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml

If you see Error: UPGRADE FAILED: "ORG_NAME" has no deployed releases, replace upgrade with install and try the command again.
apigeectl
    $APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml --org
Management tasks
Some common management tasks for the Apigee ingress gateway:
Scaling Apigee ingress gateway:
Update the following properties in your overrides file.
- ingressGateways[].replicaCountMax
- ingressGateways[].replicaCountMin
See ingressGateways in the Configuration properties reference for details.
Apply the changes:
Helm
    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml
apigeectl
    $APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml --org
Updating resource allocation
Update the following properties in your overrides file.
- ingressGateways[].resources.limits.cpu
- ingressGateways[].resources.limits.memory
- ingressGateways[].resources.requests.cpu
- ingressGateways[].resources.requests.memory
See ingressGateways in the Configuration properties reference for details.
Apply the changes:
Helm
    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml
apigeectl
    $APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml --org
Updating the Apigee ingress gateway service
Update the following properties in your overrides file.
- ingressGateways[].svcAnnotations
- ingressGateways[].svcLoadBalancerIP
See ingressGateways in the Configuration properties reference for details.
Apply the changes:
Helm
    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml
apigeectl
    $APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml --org
Disable the loadbalancer for the default Apigee ingress gateway service:
If you create a custom Kubernetes service for your ingress gateway deployment, you can disable creation of a load balancer on the default Kubernetes service. Update the ingressGateways[].svcType property to ClusterIP in your overrides file. For example:
    ingressGateways:
      - name: my-ingress-gateway
        replicaCountMin: 2
        replicaCountMax: 10
        svcType: ClusterIP
Apply the changes:
Helm
    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml
apigeectl
    $APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml --org
Configure TLS and mTLS
See Configuring TLS and mTLS on the ingress gateway.
Enabling non-SNI clients
See Enable non-SNI and HTTP clients.
Installing additional Apigee ingress gateways
In the overrides.yaml file you can add multiple ingress gateways. The ingressGateways configuration property is an array. For more information, see ingressGateways in the Configuration properties reference.
For example:
    ingressGateways:
    - name: fruit
      replicaCountMin: 2
      replicaCountMax: 10
    - name: meat
      replicaCountMin: 2
      replicaCountMax: 10
Apply the changes:
Helm
    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml
apigeectl
    $APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml --org
Mapping virtual hosts to Apigee ingress gateway deployments
You can use selector labels to map a virtual host to an Apigee ingress gateway deployment. In the following example, the virtual host spam-vh is configured to run on the ingress gateway labeled meat and the other two virtual hosts run on the fruit ingress gateway. The ingress gateways must be properly labeled, as explained in Installing additional Anthos Service Mesh gateways.

Note: You must specify both of the selectors: selector:app and selector:ingress_name to properly apply an ingress gateway to a virtual host.

Tip: For security purposes, it is best practice to have a separate TLS cert/key pair for each virtual host. If you are using a Subject Alternative Name (SAN) certificate, this TLS cert/key pair should be used on one virtual host that is shared across the domain.

    virtualhosts:
    - name: spam-vh
      sslCertPath: cert-spam.crt
      sslKeyPath: cert-spam.key
      selector:
        app: apigee-ingressgateway
        ingress_name: meat
    - name: banana-vh
      sslCertPath: cert-banana.crt
      sslKeyPath: cert-banana.key
      selector:
        app: apigee-ingressgateway
        ingress_name: fruit
    - name: plum-vh
      sslCertPath: cert-plum.crt
      sslKeyPath: cert-plum.key
      selector:
        app: apigee-ingressgateway
        ingress_name: fruit
Adding custom ciphersuites to Apigee ingress gateway deployments
You can add custom ciphersuites to your Apigee ingress gateway deployment with the virtualhosts.cipherSuites property in your overrides file.
See virtualhosts.cipherSuites for the default ciphersuites enabled in Apigee hybrid.
You can enable older versions of TLS with the virtualhosts.minTLSProtocolVersion property and add custom ciphersuites to your Apigee ingress gateway deployment with the virtualhosts.cipherSuites property in your overrides file.
For example, to enable TLS v.1.1:
    virtualhosts:
    - name: ENV_GROUP_NAME
      minTLSProtocolVersion: "1.1"
      cipherSuites:
      - "ECDHE-ECDSA-AES128-GCM-SHA256"
      - "ECDHE-RSA-AES128-GCM-SHA256"
      - "ECDHE-ECDSA-AES256-GCM-SHA384"
      - "ECDHE-RSA-AES256-GCM-SHA384"
      - "ECDHE-ECDSA-CHACHA20-POLY1305"
      - "ECDHE-RSA-CHACHA20-POLY1305"
      - "ECDHE-ECDSA-AES128-SHA"
      - "ECDHE-RSA-AES128-SHA"
      - "ECDHE-ECDSA-AES256-SHA"
      - "ECDHE-RSA-AES256-SHA"
      ...
Customize Ingress access logs
You can customize the Apigee ingress gateway access log destination and format with the istiod.accessLogFile and istiod.accessLogFormat configuration properties. In the following example, the output will be sent to /dev/stdout, which is the default value for istiod.accessLogFile:
    istiod:
      accessLogFormat: '{"request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","status":"%RESPONSE_CODE%"}'
You can disable Apigee ingress gateway access logging by assigning istiod.accessLogFile an empty value. For example:
    istiod:
      accessLogFile: ''
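The selector rule and certificate tip from the virtual host mapping section, together with the minTLSProtocolVersion and cipherSuites settings from the ciphersuites section, can be reviewed in one pass over a parsed virtualhosts list. This is an added example, not code from the Apigee documentation; the function name and the kiwi-vh and legacy-vh hosts are hypothetical, and it assumes, as in the page's example, that selector.ingress_name equals the ingress gateway's name.

```python
WEAK_TLS = {"1.0", "1.1"}  # protocol versions deprecated by RFC 8996


def audit_virtualhosts(virtualhosts, gateway_names):
    """Return (virtual host, finding) tuples for a parsed virtualhosts list.

    gateway_names: the ingressGateways[].name values; assumes, as in the
    page's example, that selector.ingress_name equals the gateway name.
    """
    findings = []
    pair_owner = {}
    for vh in virtualhosts:
        name = vh.get("name", "<unnamed>")
        sel = vh.get("selector")
        if sel is not None:
            if "app" not in sel or "ingress_name" not in sel:
                findings.append((name, "selector needs both app and ingress_name"))
            elif sel["ingress_name"] not in gateway_names:
                findings.append((name, "ingress_name matches no gateway"))
        pair = (vh.get("sslCertPath"), vh.get("sslKeyPath"))
        if pair[0] or pair[1]:
            if pair in pair_owner:
                findings.append((name, "cert/key pair shared with " + pair_owner[pair]))
            pair_owner.setdefault(pair, name)
        if str(vh.get("minTLSProtocolVersion", "")) in WEAK_TLS:
            findings.append((name, "minTLSProtocolVersion below 1.2"))
        # In OpenSSL naming, suites ending in -SHA are CBC mode with HMAC-SHA1.
        legacy = [c for c in vh.get("cipherSuites", []) if c.endswith("-SHA")]
        if legacy:
            findings.append((name, "CBC/SHA-1 suites: " + ", ".join(legacy)))
    return findings


# Constructed sample: two hosts from the page's mapping example, one host with
# an incomplete selector and a reused cert, and one host with legacy TLS.
SAMPLE_VHOSTS = [
    {"name": "spam-vh", "sslCertPath": "cert-spam.crt", "sslKeyPath": "cert-spam.key",
     "selector": {"app": "apigee-ingressgateway", "ingress_name": "meat"}},
    {"name": "banana-vh", "sslCertPath": "cert-banana.crt", "sslKeyPath": "cert-banana.key",
     "selector": {"app": "apigee-ingressgateway", "ingress_name": "fruit"}},
    {"name": "kiwi-vh", "sslCertPath": "cert-banana.crt", "sslKeyPath": "cert-banana.key",
     "selector": {"ingress_name": "fruit"}},
    {"name": "legacy-vh", "minTLSProtocolVersion": "1.1",
     "cipherSuites": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA"]},
]

if __name__ == "__main__":
    for host, finding in audit_virtualhosts(SAMPLE_VHOSTS, {"fruit", "meat"}):
        print(host, "-", finding)
```

A shared cert/key finding is expected when one SAN certificate is deliberately used on a single shared virtual host, as the tip in the mapping section describes.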
Last updated 2026-02-05 UTC.