Step 1: Expose Apigee ingress gateway

You are currently viewing version 1.12 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

This step explains how to set up the Kubernetes service for your Apigee ingress gateway. The Kubernetes service is needed for each ingress deployment to obtain an IP address that can be exposed. Client calls to proxies will invoke a hostname that will resolve to this IP address.

Options for Kubernetes services for your Apigee ingress gateway

There are two options for providing a kubernetes service to assign the IP address ...

Create your own Kubernetes service

For production environments, Apigee recommends you create a custom Kubernetes service for each ingress gateway.

  • Apigee deletes default service, but does not delete the custom kubernetes service upon cleanup. Hence, the IP address won't be released upon reinstallation of Apigee hybrid.
  • For platforms not on Google Cloud, like EKS, AKS, and OpenShift, you need to customize the Kubernetes service to work with the cloud provider. Therefore it is better to create a custom Kubernetes service than to use the default service, because apigee does not support all customizations to the default Kubernetes service.

Use the following steps to set up and route traffic to the new ingress gateway.

  1. Create a Kubernetes service with the required pod selector labels,app,ingress_name, andorg. These labels are already present in Apigee ingress gateway pods.

    Create a service file using the following template:

    apiVersion: v1kind: Servicemetadata:  name:SERVICE_NAME  namespace: apigeespec:  ports:  - name: status-port    port: 15021    protocol: TCP    targetPort: 15021  - name: https    port: 443    protocol: TCP    targetPort: 8443  selector:    app: apigee-ingressgateway #required    ingress_name:INGRESS_NAME    org:ORG_NAME  type: LoadBalancer  loadBalancerIP:LOAD_BALANCER_IP

    Apigee ingress gateway exposes the following ports:

    PortDescription
    443Runtime traffic.
    15021Health check.status-port exposes a/healthz/ready endpoint that can be used with GKE Ingress health checks.
  2. Create the service by applying theSERVICE_FILENAME.yaml:
    kubectl apply -fSERVICE_FILENAME.yaml
  3. Find the external IP of Apigee ingress gateway with the following command:
    kubectl get svc -n apigeeSERVICE_NAME

    Your output should look something like:

    NAME                                        TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                                      AGEapigee-ingressgateway-prod-hybrid-37a39bd   LoadBalancer   192.0.2.123233.252.0.123   15021:32049/TCP,80:31624/TCP,443:30723/TCP   16h
  4. Disable the loadbalancer for the default Apigee ingress gateway service:
    1. Update theingressGateways[].svcType property toClusterIP in your overrides file:
      ingressGateways:  svcType: ClusterIP
    2. Upgrade theapigee-org chart to apply the changes:
      helm upgradeORG_NAME apigee-org/ \  --install \  --namespace apigee \  --atomic \  -foverrides.yaml

    SeeDisable the loadbalancer for the default Apigee ingress gateway service for more information.

  5. Test the ingress gateway by making a healthcheck call.

    curl -H 'User-Agent: GoogleHC' https://DOMAIN/healthz/ingress -k \  --resolve "DOMAIN:443:INGRESS_IP_ADDRESS"

    Where

    On success the command returns:

    Apigee Ingress is healthy
  6. Use this IP address to update your DNS record (usually anA orCNAME record) at your registrar or DNS provider.

Use the default Kubernetes service

For non-production environments or to test initial traffic through the Apigee ingress gateway, Apigee hybrid provides default Kubernetes service for each ingress deployment.

You can make limited configuration changes to the default service in youroverrides.yaml file. For the available configuration options, seeManaging Apigee ingress gateway. For example, you can add annotations.Note: This service will be deleted when the ingress deployment is deleted (when the ingress gateway is removed from the overrides file).

For production environments, it is recommended you provide a Kubernetes service for ingress. Follow the steps inCreate your own Kubernetes service.

  1. Find the external IP of the default Apigee ingress service with the following command:
    kubectl get svc -n apigee -l app=apigee-ingressgateway

    Your output should look something like:

    NAME                                        TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                                      AGEapigee-ingressgateway-prod-hybrid-37a39bd   LoadBalancer   192.0.2.123233.252.0.123   15021:32049/TCP,80:31624/TCP,443:30723/TCP   16h

  2. Test the ingress gateway by making a healthcheck call.

    curl -H 'User-Agent: GoogleHC' https://DOMAIN/healthz/ingress -k \  --resolve "DOMAIN:443:INGRESS_IP_ADDRESS"

    Where

    On success the command returns:

    Apigee Ingress is healthy
  3. Use this IP address to update your DNS record (usually anA orCNAME record) at your registrar or DNS provider.
Congratulations!

You've successfully set up the Apigee ingress gateway. Now it's time to download a proxy and test your ingress gateway.

Next step

1(NEXT) Step 2: Deploy a proxy

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-05 UTC.