Google Cloud URLs to allow for Hybrid
You are currently viewing version 1.15 of the Apigee hybrid documentation. For more information, see Supported versions.
If you have a restricted VPC environment where external domains must be explicitly allowed, the following Google Cloud URLs are the ones Apigee hybrid may need to connect to during installation and at runtime.
Google Cloud URLs for all Apigee hybrid installations
These URLs are used by all Apigee hybrid installations:
| URL | Description |
|---|---|
| accounts.googleapis.com | The gcloud CLI command uses this API to authenticate and authorize the operator during setup. Also, service accounts used by Apigee hybrid use this API during runtime. |
| apigee.googleapis.com | The runtime uses these APIs to learn which proxies, shared flows, etc., it should deploy, and to report its current configuration and health. |
| apigeeconnect.googleapis.com | This API is needed for apigee-mart-server and apigee-connect communication when you have VPC-SC enabled to talk to the control plane. |
| binaryauthorization.googleapis.com | Optional. Only for Anthos if binary authorization is enabled. |
| cloudresourcemanager.googleapis.com | Allows programmatic management of Google Cloud resources like organizations, folders, and projects. |
| gcr.io | Images for the Apigee hybrid containers are hosted in Artifact Registry, which uses gcr.io. |
| iam.googleapis.com | The Identity and Access Management (IAM) API allows for programmatic management of access controls, permissions, and service accounts for Google Cloud resources. |
| iamcredentials.googleapis.com | Required for generating access tokens used for subsequent Google Cloud API calls. For example, the hybrid runtime makes calls to download runtime contracts from apigee.googleapis.com; those calls must include an access token. |
| logging.googleapis.com | This API is needed for the logging agent to send logs to Cloud Logging. |
| monitoring.googleapis.com | Cloud Monitoring service endpoint to export metrics. |
| oauth2.googleapis.com | Authentication and authorization |
| pubsub.googleapis.com | The runtime subscribes to a Pub/Sub topic to learn when to initialize debug sessions. |
| quay.io | Container registry used by cert-manager. See Install cert-manager in the install guide. |
| serviceusage.googleapis.com | Inspect and manage quota for service consumers on Google Cloud. Required by Anthos Service Mesh. |
| storage.googleapis.com | The runtime downloads proxies, shared flows, resource files, and keystore aliases from Google Cloud Storage in the tenant project. |
| sts.googleapis.com | The Security Token Server allows the runtime to exchange third party credentials for Google Cloud tokens. |
| www.googleapis.com | Needed by the MART component. |
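
An added example (not part of the Apigee documentation): a small audit that compares an egress allowlist with the hosts in the table above and reports which ones would still be blocked. The rule syntax (exact host or `*.domain` wildcard) and the sample rules are assumptions; adapt `matches()` to your proxy or firewall format.

```python
# Hosts copied from the table above (all Apigee hybrid installations).
REQUIRED = [
    "accounts.googleapis.com", "apigee.googleapis.com",
    "apigeeconnect.googleapis.com", "cloudresourcemanager.googleapis.com",
    "gcr.io", "iam.googleapis.com", "iamcredentials.googleapis.com",
    "logging.googleapis.com", "monitoring.googleapis.com",
    "oauth2.googleapis.com", "pubsub.googleapis.com", "quay.io",
    "serviceusage.googleapis.com", "storage.googleapis.com",
    "sts.googleapis.com", "www.googleapis.com",
]
OPTIONAL = ["binaryauthorization.googleapis.com"]  # marked Optional in the table


def matches(rule: str, host: str) -> bool:
    """True if an allowlist rule covers host (assumed syntax).
    '*.example.com' covers subdomains only, not 'example.com' itself."""
    rule, host = rule.strip().lower().rstrip("."), host.lower().rstrip(".")
    if rule.startswith("*."):
        return host.endswith(rule[1:])  # rule[1:] keeps the leading dot
    return rule == host


def covered(rules, host):
    return any(matches(r, host) for r in rules)


def audit(allowlist):
    """Return (missing required hosts, missing optional hosts,
    rules that cover no host in this table)."""
    rules = [r.strip() for r in allowlist
             if r.strip() and not r.strip().startswith("#")]
    missing = [h for h in REQUIRED if not covered(rules, h)]
    missing_opt = [h for h in OPTIONAL if not covered(rules, h)]
    # Rules unrelated to this table are candidates for review, not for
    # automatic removal: Anthos installs need further URLs (see below).
    unrelated = [r for r in rules
                 if not any(matches(r, h) for h in REQUIRED + OPTIONAL)]
    return missing, missing_opt, unrelated


if __name__ == "__main__":
    # Constructed sample allowlist: a googleapis.com wildcard plus a stray rule.
    sample = ["*.googleapis.com", "gcr.io",
              "# cert-manager registry not added yet", "example.internal"]
    missing, missing_opt, unrelated = audit(sample)
    print("missing required:", missing)
    print("missing optional:", missing_opt)
    print("rules not tied to this table:", unrelated)
```

A `*.googleapis.com` wildcard does not cover `gcr.io` or `quay.io`, so image pulls can fail even when every API call succeeds; listing the exact hosts keeps the allowlist narrower than the wildcard.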
Google Cloud URLs for Anthos installations
All Apigee hybrid installations on Anthos (on-prem and multi-cloud) use additional Google Cloud URLs. For more information, see:
Last updated 2026-02-19 UTC.