Apigee release notes

Support for new Apigee Analytics regions

This release introduces Apigee Analytics support for these new regions: Hong Kong (asia-east2) and São Paulo (southamerica-east1).

NOTE: Apigee Advanced API Security does not support these new regions at this time.

For a list of all of the supported Analytics regions, see Available Apigee API Analytics regions.

Filter APIs by user-defined attributes

You can now filter APIs using your custom, user-defined attributes from the APIs page in the Google Cloud console.

For more information, see Filter resources based on attributes.

Enhanced Validation for API products

Heightened validation logic for creating and updating API products is now available. Apigee now explicitly verifies proxy and environment resources against your organization when creating and updating API products.

Please ensure that all referenced resources exist and are correctly associated with your organization to avoid validation errors.

Support for API-product scoped quotas

You can now set quotas at the API product level to limit the number of requests all API proxies in the API product can process within a specified time frame. See Configuring the quota policy to use API product quota settings for information and instructions.

NOTE: API product-scoped quotas are not supported in Apigee hybrid at this time.

API insights in API hub

API insights is now available in API hub, providing a unified view of your API traffic and performance across all connected gateways. With API insights, you can gain a holistic understanding of your API ecosystem's health and quickly identify areas for optimization.

Currently, API insights supports data sources from Apigee, Apigee hybrid, Apigee Edge Public Cloud, and Apigee Edge Private Cloud (OPDK).

For more information, see API insights overview.

Detailed API resource insights

A new Insights tab is now available on the API details page, providing API-centric analytics to help you understand usage patterns and performance for each of your APIs.

You can now analyze key metrics such as total traffic, average TPS, request/response latencies, and more, directly from the API details page.

For more information, see View API resource insights.

Introduction of the target.evaluated.url flow variable

This release includes a new flow variable, target.evaluated.url, which should be used instead of the target.url flow variable in cases when the URL is dynamically constructed based on user input.

For more information, see the target flow variables documentation.

Introduction of exclusion lists for Abuse Detection and incidents

You can now specify CIDR ranges and IP addresses to exclude from future incident reports. Use this feature to exclude traffic known to be safe, such as requests related to automated testing.

The new functionality includes the ability to create and manage multiple "exclusion lists" which define traffic to exclude and the reasons it is excluded.

Note: Exclusion lists are not available for VPC-SC customers at this time.

For usage information, see Exclude traffic from abuse detection in the documentation.

ApigeeBackendService for the Apigee Operator for Kubernetes (GA)

The ApigeeBackendService resource for the Apigee Operator for Kubernetes is Generally Available (GA).

This new resource enables the integration of the Apigee Operator for Kubernetes with the Google Kubernetes Engine (GKE) Inference Gateway. The GKE Inference Gateway is an extension to the GKE Gateway that provides optimized routing and load balancing for serving generative Artificial Intelligence (AI) workloads. It simplifies the deployment, management, and observability of AI inference workloads.

With this new integration, GKE Inference Gateway users can now leverage Apigee's full suite of features to manage, govern and monetize their AI workload through APIs.

To learn more, see Create an ApigeeBackendService.

New security actions status icons and "expired" note in the security actions UI

This release adds security status icons to the Apigee UI to make it easier to see, at a glance, whether a security action is enabled, disabled, or paused, and an "expired" note when an action is expired.

The status icons display next to the action's status in the security actions list and in the security action details page.

For information on security actions and security action statuses, see the Security Actions customer documentation.

Improvements to the Abuse Detection incident model

This release includes improvements to the incident model, including lower noise and higher accuracy for abuse detection incidents.

Note: This feature is not currently available to customers with VPC-SC enabled.

For information on abuse detection incidents, see the Abuse Detection customer documentation.

Enable and disable semantic search

You can now enable and disable semantic search from the API hub > Settings> Actions page in the Google Cloud console.

For more information, see Enable and disable semantic search.

Workforce Identity Federation users can now manage Integrated Portals using the Apigee Cloud console. This previous limitation has been removed from Accessing features only available in the Classic Apigee UI.

Apigee policies for LLM/GenAI workloads are Generally Available (GA)

Four new Apigee policies supporting LLM/GenAI workloads are now GA:

• SemanticCacheLookup policy
• SemanticCachePopulate policy
• SanitizeUserPrompt
• SanitizeModelResponse

The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs. With this release, the semantic caching policies support URL templating, enabling the use of variables for AI model endpoint values.

The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data.

For more information on using these policies in your Apigee API proxies, see:

• Get started with semantic caching policies
• Get started with Apigee Model Armor policies

Apigee Server-Sent Events (SSE) and EventFlows are supported for use with the Apigee Extension Processor.

The Apigee SSE feature enables continuous response streaming from server-sent event (SSE) endpoints to clients in real time. To learn more about this feature, see Streaming server-sent events.

The Apigee Extension Processor is a traffic extension that lets you use Cloud Load Balancing to send callouts from the data processing path of the application load balancer to the Apigee Extension Processor. To learn more, see the Apigee Extension Processor overview.

Additional details and explanations for incidents and traffic identified as anomalous in Abuse Detection Advanced Anomaly Detection

Starting with this release, additional details are available for anomalies detected in incidents and detected traffic, including details on why traffic was flagged as anomalous, the days and times it triggered, time series charts showing anomalous traffic spikes, and direct links to the Google Cloud Logging for events.

See the Abuse detection "Details view" for more information.

Create and delete custom plugins in the UI

You can now create and delete custom plugins from the API hub > Settings > Plugins page in the Google Cloud console.

For more information, see Create custom plugins and Manage custom plugins.

Deprovision API hub in the UI

You can now deprovision an API hub instance from the API hub > Settings > Actions page in the Google Cloud console.

For more information, see Deprovision Apigee API hub.

API observations in API hub (Preview)

API observations in API hub helps you tackle the challenges of undocumented and unmanaged APIs in your API infrastructure. It leverages Apigee shadow API discovery and uses automated discovery processes to bring all your APIs, across Google Cloud projects, into a unified, managed view.

For more information, see API observations in API hub.

Improved performance when viewing IP address-specific details for abuse detection incidents

With this release, the IP address detail information for abuse incidents displays more quickly for IP addresses with high traffic volumes, potentially reducing load times from minutes to seconds.

For usage information, see the Abuse Detection incident detail documentation.

Availability of Shadow API Discovery for APIs in any Google Cloud project

Using Shadow API Discovery, you can find undocumented/shadow APIs in your existing cloud infrastructure. Shadow APIs pose a security risk to your system, since they might be unsecured, unmonitored, and unmaintained.

With this release, you can configure and run API observation jobs in any Google Cloud project, without needing to provision Apigee in that project. You can also centrally view the results of API observation jobs and compare discovered API endpoints and operations to APIs cataloged in API hub to identify shadow APIs.

See the Shadow API Discovery overview for information on Shadow API Discovery and how to add it to projects.

Terraform support for configuring Advanced API Security

We have expanded our Terraform support for Advanced API Security, enabling you to automate the management of your security posture. You can now use Terraform to manage add-on enablement for Subscription and PAYG environments, create Risk Assessment security profiles and monitoring conditions, configure IP address resolution, and create security actions.

For information, see Configure Advanced API Security using Terraform.

Server-sent events and EventFlows are Generally Available (GA)

Apigee supports continuous response streaming from server-sent event (SSE) endpoints to clients in real time. The Apigee SSE feature is useful for handling large language model (LLM) APIs that operate most effectively by streaming their responses back to the client. SSE streaming reduces latency, and clients can receive response data as soon as it is generated by an LLM. This feature supports the use of AI agents that operate in real time environments, such as customer service bots or workflow orchestrators. For more information, see Streaming server-sent events.

Streaming from SSE endpoints is available in Apigee and in Apigee hybrid v1.15.0 and newer.

New data source support for plugins

API hub now supports importing API metadata through new dedicated plugins for the following data sources:

1. Apigee Edge Public Cloud
2. Apigee Edge Private Cloud (OPDK)

For more information, see Plugins overview.

Push-based plugin ingestion

API hub now supports push-based plugin ingestion. This method allows for more real-time synchronization of API metadata. All new Apigee, Apigee hybrid, Apigee Edge Public Cloud, and Apigee Edge Private Cloud (OPDK) plugins are created with push-based ingestion by default.

For more information, see Plugin data ingestion methods.

Create custom plugins [API only]

You can now use the Create Plugin API to create custom plugins in API hub. Custom plugins are created manually to connect API hub to a specific API data source.

For more information, see Create custom plugins.

Server-sent events and EventFlows are Generally Available (GA)

Apigee supports continuous response streaming from server-sent event (SSE) endpoints to clients in real time. The Apigee SSE feature is useful for handling large language model (LLM) APIs that operate most effectively by streaming their responses back to the client. SSE streaming reduces latency, and clients can receive response data as soon as it is generated by an LLM. This feature supports the use of AI agents that operate in real time environments, such as customer service bots or workflow orchestrators. For more information, see Streaming server-sent events.

Streaming from SSE endpoints is available in Apigee and in Apigee hybrid v1.15.0 and newer.

Apigee and hybrid plugin instance management

You can now create and delete plugin instances for Apigee and Apigee Hybrid while associating the respective Apigee runtime projects to API hub.

For more information, see Auto-register Apigee proxies.

Support for editing and deleting security actions

With this release you can edit and delete existing security actions using either the UI or the Apigee Management APIs.

For usage information, see the security actions documentation.

Support for AppGroups in Abuse Detection attributes

Abuse Detection incidents and detected traffic now show information on AppGroups and AppGroup apps when the AppGroup is part of the request or traffic.

Note: This functionality is not available in Apigee hybrid at this time.

For usage information, see the Abuse Detection documentation.

Addition of AppGroup-specific Analytics dimensions for Custom Reports

This release introduces two new AppGroups Analytics dimensions: AppGroup Name and AppGroup App Name.

Use these dimensions with custom reports and report jobs to group metrics by a specific AppGroup or a specific app within an AppGroup.

For additional information see Analytics dimensions and Creating and managing custom reports.

Addition of AppGroup-specific Analytics dimensions for Custom Reports

This release introduces two new AppGroups Analytics dimensions: AppGroup Name and AppGroup App Name.

Use these dimensions with custom reports and report jobs to group metrics by a specific AppGroup or a specific app within an AppGroup.

For additional information see Analytics dimensions and Creating and managing custom reports.

This release adds the Export feature to the Apigee UI in the Cloud console. You can now export publishing data for developers, apps, or API products as a comma-separated values (CSV) file or JSON file.

Documentation: Exporting publishing data

API address drill down details are now available in the preview release of Advanced API Security Abuse Detection incidents in the detected traffic tab.

This new functionality shows details related to specific API addresses when viewing detected abuse in detected traffic.

For usage information, see the Abuse Detection customer documentation for incident details.

Starting with this release, the API proxy performance dashboard includes aggregate metrics such as the average TPS (transactions per second) with each chart.

For information and usage instructions for the API proxy performance dashboard, see the API proxy performance dashboard customer documentation.

Starting with this release, the API proxy performance dashboard includes aggregate metrics such as the average TPS (transactions per second) with each chart.

For information and usage instructions for the API proxy performance dashboard, see the API proxy performance dashboard customer documentation.

New model for Abuse Detection's Advanced Anomaly Detection rule

With this release, we introduced a new and improved machine learning model for anomaly detection in Advanced API Security. This new model includes the following improvements:

• Trained on customer-specific traffic patterns. The new model is trained exclusively on your organization's historical API traffic data. It continues to learn from your API traffic patterns over time to increase accuracy.
• Engineered by Google for anomaly detection. The new model is a custom Vertex AI-based machine learning model, engineered and also used internally by Google specifically to detect anomalies in traffic patterns.

Usage requirements:

• In order to use this new model, you must explicitly opt in to allow the model to use your traffic and other data to train for anomaly detection. Note that your data is never shared with other customers for training purposes.
• The new model is not available for VPC-SC customers at this time.

The new anomaly detection model replaces the old model, with no customer-facing changes to the API or UI. Upon opting in for model training, you can expect to start seeing detected anomalies within 6 hours. If you have already opted in to allow the older version of our anomaly detection model to use your traffic data for training, you will not need to opt in again.

For more information on this model and on Abuse Detection, see Abuse Detection customer documentation, including Detection rules.

Apigee API hub is enabled for new Apigee organizations in supported regions.

With this release, we are enabling Apigee API hub for new Apigee organizations in regions where API hub is supported. All new Apigee organizations, including hybrid organizations, that select an API hub-supported region for their Apigee Analytics region during provisioning will have access to API hub features at no additional cost.

API hub allows you to view, organize, and manage all of the APIs in your Apigee organization in one central location. To learn more, see What is Apigee API hub?

No action on your part is required to provision API hub for your organization, with the following exceptions:

• If your Apigee organization has Data Residency or VPC Service Controls enabled, you must configure your API hub instance manually to support these services. See VPC Service Controls for API hub and API hub and data residency for more information.
• If your Apigee organization uses Customer-Managed Encryption Keys (CMEK), you must deprovision the Apigee API hub instance provided by default and recreate it to support CMEK. See Deprovision Apigee API hub and Provision API hub in the Cloud console for step-by-step instructions.

Contact Google Cloud Support for questions or assistance.

Apigee API hub is enabled for new Apigee organizations in supported regions.

With this release, we are enabling Apigee API hub for new Apigee organizations in regions where API hub is supported. All new Apigee organizations, including hybrid organizations, that select an API hub-supported region for their Apigee Analytics region during provisioning will have access to API hub features at no additional cost.

API hub allows you to view, organize, and manage all of the APIs in your Apigee organization in one central location. To learn more, see What is Apigee API hub?

No action on your part is required to provision API hub for your organization, with the following exceptions:

• If your Apigee organization has Data Residency or VPC Service Controls enabled, you must configure your API hub instance manually to support these services. See VPC Service Controls for API hub and API hub and data residency for more information.
• If your Apigee organization uses Customer-Managed Encryption Keys (CMEK), you must deprovision the Apigee API hub instance provided by default and recreate it to support CMEK. See Deprovision Apigee API hub and Provision API hub in the Cloud console for step-by-step instructions.

Contact Google Cloud Support for questions or assistance.

New flow variables available for VerifyAPIKey policy

Two new flow variables have been added to the VerifyAPIKey policy.

• app_group_app
• app_group_name

To learn more, see Using flow variables.

Announcing the general availability of Gemini Code Assist API development features in Apigee

With this functionality, you can accelerate your API development lifecycle within VS Code using Gemini Code Assist in Apigee. This feature allows you to use natural language prompts to design, create, iterate, and manage OpenAPI specifications with the following capabilities:

• AI-Powered API Design: Generate high-quality OpenAPI specifications from natural language prompts to the Apigee tool in Gemini Code Assist Chat, leveraging the Gemini model and the enterprise context of your API hub.
• Effortless Iteration: Refine existing or newly generated specifications using the intuitive Gemini chat interface.
• Integrated Testing: Quickly validate your APIs by deploying them to a local or Google Cloud-hosted mock server.
• Streamlined Workflow: Publish your completed API specifications directly to Apigee API hub and kick-start proxy development by creating Apigee proxy bundles from your API specifications.
• Duplicate Endpoint Detection: Proactively identify and prevent the creation of duplicate API endpoints already registered in your API hub.

For more information and usage instructions, see Designing and editing APIs, Tutorial: Use Gemini Code Assist to design, develop, and test APIs in Apigee, and Setting up Apigee API Management in Cloud Code for VS Code.

GA: Apigee Integrated Developer Portal Admin UI in the Google Cloud console.

This release adds the Apigee Integrated Developer Portal Admin UI from the Classic Apigee UI into the Google Cloud console.

Leveraging Google Cloud console components provides API providers and Portal Admins with a centralized platform to efficiently configure, publish, and manage your API consumer portals, eliminating the need to switch between different UIs.

No new APIs have been introduced in this release.

See Publishing overview to get started.

Public Preview: Apigee Extension Processor support for request and response body processing

When creating a load balancer service extension, you can customize the behavior of the extension processor proxy to support request body processing, response body processing, or a combination of the two.

For more information, see Get started with the Apigee Extension Processor.

With this release, Advanced API Security expands its runtime region support to include africa-south1 (Johannesburg).

For a list of supported regions, see Apigee locations.

Public preview of server-sent events

Apigee now supports continuous response streaming from server-sent event (SSE) endpoints to clients in real time. The Apigee SSE feature is useful for handling large language model (LLM) APIs that operate most effectively by streaming their responses back to the client. SSE streaming reduces latency, and clients can receive response data as soon as it is generated by an LLM. This feature supports the use of AI agents that operate in real time environments, such as customer service bots or workflow orchestrators. For more information, see Streaming server-sent events.

Public Preview of Apigee policies for LLM/GenAI workloads

Four new Apigee policies supporting LLM/GenAI workloads are now available in Public Preview:

• SemanticCacheLookup policy
• SemanticCachePopulate policy
• SanitizeUserPrompt
• SanitizeModelResponse

The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs.

The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data.

For more information on using these policies in your Apigee API proxies, see:

• Get started with semantic caching policies
• Get started with Apigee Model Armor policies

Advanced API Security Abuse Detection incident reports now include the ability to view raw data

With this new functionality, you can view raw data underlying an incident report, including client IP address, API proxy, developer app, and other attributes.

For usage information, see the Abuse Detection customer documentation.

API overview and metrics

The Get Started with API hub page now includes new charts and scorecards to provide a quick overview of your API landscape.

For more information see Get started with API hub.

Improvements to the AppGroups functionality

Scopes and attributes can now be added to the AppGroup App Key via a POST operation on the key using the appGroupAppKey. See the updateAppGroupAppKey API for details.

Large message payload support in Apigee

Apigee now supports message payloads up to 30MB. For more information, see:

• Message payload size.
• Properties in the ProxyEndpoint configuration elements reference.
• Properties in the TargetEndpoint configuration elements reference.

Improvements to the PublishMessage policy

The PublishMessage policy now supports two new elements:

• The <UseMessageAsSource> element uses request or response message content as the source of data to be written to Pub/Sub. For more information, see <UseMessageAsSource>.

• The <Attributes> element lets you specify string attributes (key/value pairs) to include with the request or response message that is written to Pub/Sub. For more information, see <Attributes>.

Apigee now offers a Management API that allows users to list all recent debug sessions for a given proxy, regardless of revision or environment and current deployment status. This API is available for use, and is now used to populate all recent debug sessions in the Apigee Debug UI.

For more information on this method, see: organizations.apis.debugsessions.list

Large message payload support in Apigee

Apigee now supports message payloads up to 30MB. For more information, see:

• Message payload size.
• Properties in the ProxyEndpoint configuration elements reference.
• Properties in the TargetEndpoint configuration elements reference.

Improvements to the PublishMessage policy

The PublishMessage policy now supports two new elements:

• The <UseMessageAsSource> element uses request or response message content as the source of data to be written to Pub/Sub. For more information, see <UseMessageAsSource>.

• The <Attributes> element lets you specify string attributes (key/value pairs) to include with the request or response message that is written to Pub/Sub. For more information, see <Attributes>.

Apigee API hub is enabled for existing Apigee organizations in supported regions.

With this release, we are enabling Apigee API hub for existing Apigee organizations in regions where API hub is supported. All existing Apigee organizations, including hybrid organizations, that selected an API hub-supported region for their Apigee Analytics region will have access to API hub features at no additional cost.

API hub allows you to view, organize, and manage all of the APIs in your Apigee organization in one central location. To learn more, see What is Apigee API hub?

The process of enabling API hub for these organizations will continue over the next several weeks until all eligible organizations are updated. No action on your part is required to provision API hub for your organization, with the following exceptions:

• If your Apigee organization has Data Residency or VPC Service Controls enabled, you must configure your API hub instance manually to support these services. See VPC Service Controls for API hub and API hub and data residency for more information.
• If your Apigee organization uses Customer-Managed Encryption Keys (CMEK), you must deprovision the Apigee API hub instance provided by default and recreate it to support CMEK. See Deprovision Apigee API hub and Provision API hub in the Cloud console for step-by-step instructions.

Contact Google Cloud Support for questions or assistance.

Apigee API hub is enabled for existing Apigee organizations in supported regions.

With this release, we are enabling Apigee API hub for existing Apigee organizations in regions where API hub is supported. All existing Apigee organizations, including hybrid organizations, that selected an API hub-supported region for their Apigee Analytics region will have access to API hub features at no additional cost.

API hub allows you to view, organize, and manage all of the APIs in your Apigee organization in one central location. To learn more, see What is Apigee API hub?

The process of enabling API hub for these organizations will continue over the next several weeks until all eligible organizations are updated. No action on your part is required to provision API hub for your organization, with the following exceptions:

• If your Apigee organization has Data Residency or VPC Service Controls enabled, you must configure your API hub instance manually to support these services. See VPC Service Controls for API hub and API hub and data residency for more information.
• If your Apigee organization uses Customer-Managed Encryption Keys (CMEK), you must deprovision the Apigee API hub instance provided by default and recreate it to support CMEK. See Deprovision Apigee API hub and Provision API hub in the Cloud console for step-by-step instructions.

Contact Google Cloud Support for questions or assistance.

Public Preview: Apigee Integrated Developer Portal Admin UI in the Google Cloud console.

This release adds the Apigee Integrated Developer Portal Admin UI from the Classic Apigee UI into the Google Cloud console.

Leveraging Google Cloud console components provides API providers and Portal Admins with a centralized platform to efficiently configure, publish, and manage your API consumer portals, eliminating the need to switch between different UIs.

No new APIs have been introduced in this release.

See Publishing overview to get started.

Announcing data collectors data residency (DRZ) compliance for Apigee and Apigee hybrid.

Data collectors can be used with data residency for Subscription and Pay-as-you-go organizations and hybrid versions 1.14.0 and later.

See Data residency compatibility for information.

The Apigee Extension Processor is now generally available (GA).

The Apigee Extension Processor lets Apigee customers add API management capabilities to Google Cloud and third-party products and services exposed using Cloud Load Balancing. Select from a range of Apigee policies that enable you to:

• Secure access to your workloads.
• Apply quota enforcement to network traffic.
• Manage Google access token and Google ID token injection to authenticate requests.
• Support native protocols like gRPC, SSE, and HTTP/3.

For more information, see the Apigee Extension Processor overview.

VPC Service Controls (VPC-SC) integration (Preview)

API hub now integrates with VPC Service Controls, providing enhanced network security for your API hub instance provisioned in Google Cloud. Establish service perimeters to control ingress and egress traffic. For more information, see VPC Service Controls for API hub.

Data residency zone compliance

API hub is now compliant with data residency Zone C3 requirements.

For more information, see API hub and data residency.

Terraform support for provisioning

You can now provision API hub instances programmatically using Terraform for Google Cloud within Cloud Shell, enabling infrastructure-as-code practices. For more information, see Provision API hub using Terraform.

Deprovision an API hub instance [API only]

You can now delete an API hub instance from your Google Cloud project using the ApiHubInstance API. For more information, see Deprovision Apigee API hub.

API Supply chain graph view

Visualize and understand the dependencies within your API ecosystem with the new interactive API supply chain graph view. This directed graph allows you to explore the relationships between your APIs and API operations. For more information, see API Supply chain views.

API Metadata Curations

API hub introduces a curation process to transform and enrich API metadata ingested by plugins. This ensures consistency across different sources, enabling effective governance, discovery, and management of your APIs. For more information, see Curations overview.

Enhancements to the Operations entity [API only]

You can now add, edit, or delete operations for an API version even if it lacks a specification file or has an unparsable one. For more information, see Manage operations.

Plugin Framework

API hub now uses a plugin framework to connect and ingest API metadata from various Google Cloud services and external sources where your APIs are managed or defined. This provides a flexible and extensible way to integrate with your existing API landscape. For more information, see Plugins overview.

New flow variable suffixes available for accessing base64-encoded message content.

There are two new read-only flow variable suffixes available for accessing message content in base64-encoded form:

• content.as.base64
• content.as.url.safe.base64

These variable suffixes can be used with the request, response, and message objects, as well as with any Message object created implicitly during API proxy execution when using the AssignMessage or ServiceCallout policies.

For more information, see Flow variables reference.

Availability of client IP resolution functionality with Apigee hybrid.

Client IP resolution functonality is now available with Apigee hybrid versions 1.14.0 and later.

See Client IP resolution for information.

New features added to public preview of Risk Assessment v2

This release introduces new features to the Risk Assessment v2 preview:

• Security monitoring conditions. Security monitoring conditions allow you to map resources (proxies or environments) to security profiles. Cloud Monitoring can then use this mapping to alert or create dedicated dashboards so that you can track security scores over time.
• Alerts on security monitoring conditions. Once you've created a monitoring condition, you can set up alerts using Alerting in Cloud Monitoring so that you're notified when the security scores change.

For information on monitoring conditions features and usage see monitoring conditions and alerts. For usage information and a list of all features in Risk Assessment v2, see the Risk Assessment v2 customer documentation.

Note: Rollouts of this functionality to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.

Apigee Spaces is now generally available (GA) for use in Apigee organizations.

Apigee Spaces enables identity-based isolation and grouping of API resources within an Apigee organization. With Apigee Spaces, you can have granular IAM control over access to your API proxies, shared flows, and API products.

Spaces also provide the option of resource isolation at a team level, providing a clear separation of resources associated with different teams operating within the same Apigee organization. IAM policies can be applied at the Space level, eliminating the need to manage permissions individually for every API proxy, shared flow, and API product.

Spaces are a brand new resource type with resource-level permissions. This means that Space permissions are not subject to the 64k limitation for project-level IAM conditions. Each space has its own 64k limit.

To learn more, see Apigee Spaces overview.

For Apigee organizations set up without VPC peering, you can now configure Apigee to resolve your private domains by peering your DNS zones with Apigee. See Connecting with private DNS peering zones.

Availability of data obfuscation support with Advanced API Security

With this release, data obfuscation can be used with Advanced API Security.

For usage information, see Obfuscate user data for Apigee API Analytics and Data obfuscation with Advanced API Security.

IAM conditions for fine-grained access

API hub now integrates with IAM Conditions, enabling you to define and enforce granular, conditional attribute-based access control for your API hub resources. For more information, see Add IAM conditions.

This release includes general improvements to performance and availability.

Public Preview of the Apigee APIM Operator for Kubernetes

The Apigee APIM Operator for Kubernetes (Preview) allows you to perform API management tasks using Kubernetes tools. It is designed to support cloud-native developers by providing a command-line interface that integrates with familiar Kubernetes tools like kubectl. The operator works by using various APIM resources to keep your Google Kubernetes Engine (GKE) cluster synchronized with the Apigee runtime.

For more information, see Apigee APIM Operator for Kubernetes overview.

Resource filtering with user-Defined attributes

You can now filter API hub resources based on user-defined attributes using a REST API call. For more information, see Filter resources based on user attributes.

Shadow API Discovery latency improvements

This release improves Shadow API Discovery and removes the latency impact on load balancers previously documented as part of Shadow API Discovery enablement.

For more information on Shadow API Discovery, see the Shadow API Discovery customer documentation.

API key drill down details are now available in the preview release of Advanced API Security Abuse Detection incidents.

This new functionality allows viewing details of detected abuse by the API key used to access the API.

For usage information, see the Abuse Detection customer documentation for incident details.

UI support for environment-level client IP address resolution

This release introduces the ability to view the client IP address resolution setting for an environment in the Apigee Console.

For more information and usage instructions, see the Client IP resolution customer documentation.

Support for environment-level client IP address resolution

This release introduces the ability to specify, per environment, how to capture the client IP address on API requests from the X-Forwarded-For header. When configured for the environment, the specified client IP address is used to apply security actions, populate the ax_resolved_client_ip Analytics variable and the new client.resolved.ip flow variable. The new configuration option can be used to specify the request IP address used in Advanced API Security.

This functionality is not available in Apigee hybrid at this time.

For more information and usage instructions, see the Client IP resolution customer documentation, Analytics dimensions, and client flow variable.

Support for environment-level client IP address resolution

This release introduces the ability to specify, per environment, how to capture the client IP address on API requests from the X-Forwarded-For header. When configured for the environment, the specified client IP address is used to apply security actions, populate the ax_resolved_client_ip Analytics variable and the new client.resolved.ip flow variable. The new configuration option can be used to specify the request IP address used in Advanced API Security.

This functionality is not available in Apigee hybrid at this time.

For more information and usage instructions, see the Client IP resolution customer documentation, Analytics dimensions, and client flow variable.

IP address drill down details are now available in the preview release of Advanced API Security Abuse Detection Incidents.

This new functionality allows viewing details of detected abuse by source IP.

For usage information, see the Abuse Detection customer documentation.

In addition to us-central1 and europe-west1, Apigee API hub now supports the following new hosting regions:

See Provision API hub.

Apigee no longer limits the number of Cloud projects that can connect to an Apigee instance. Previously, the limit was 50 projects. For each project, you can now create up to 100 Private Service Connect Network Endpoint Groups. The previous limit was 20. For any Apigee instances created before October 10, 2024, you must perform an update to the consumer accept list for an Apigee instance if you want to take advantage of these new limits. See Updating the consumer accept list for an Apigee instance. See also Limits.

New features added to the Risk Assessment v2 preview

This release introduces new features to the Risk Assessment v2 preview:

• Support for custom security profiles. You can create your own security profiles, with unique combinations of risk assessment checks and weights, to use for proxy risk assessment.
• New assessment checks. We've added additional checks you can use when assessing proxy risk.
• Assess proxies across multiple profiles. You can now switch between security profiles to see differences in scoring across profiles.

For usage information and a list of all features in Risk Assessment v2, see the Risk Assessment v2 customer documentation.

With this release, all remaining Apigee API Management organizations with Subscription 2021 contracts have been upgraded to introduce standard and extensible API proxy features.

To learn more about:

• Standard and Extensible API Proxy types, see API Proxy types.
• Viewing proxy deployment count, see View proxy deployment usage.

We added a new Supply chain page where you can create, view and manage your dependencies across API operations. The same dependencies can also be created from the API operations page. See Manage dependencies.

A new "Get started with API hub" page was added to the user interface. This new page includes valuable getting started information, including a new FAQ, to help you get the most out of API hub.

The Semantic Search (formerly Smart Search) user interface has been improved, and search results are shown across all API hub entities, such as APIs, deployments, specifications, and versions. See Search and filter APIs.

We added support for GMEK and CMEK in the provisioning steps. While provisioning, you can also choose to host your Vertex search data in a different location or disable Vertex search altogether. See Provision API hub.

While you can use API hub by making direct REST over HTTP requests, we now provide client libraries for several popular languages. See API hub client libraries.

We added support for Cloud audit logging.

The List APIs for specifications, dependencies, and external APIs have been enhanced to return a complete response, including user-defined attributes.

Significant user interface improvements were made, such as standardization of cards on the API details page, unlinking of deployments, various performance fixes, and more.

If you have CMEK org policy constraints on your Google Cloud project, Apigee will enforce compliance with those constraints and guide you in choosing valid configuration, and prevent you from using Apigee features that are not CMEK-compliant.

The following documents are new and explain how to use CMEK with Apigee:

• Using organization policy constraints in Apigee
• Best practices for Apigee CMEK

The following documents have been updated with the relevant CMEK information:

• Introduction to CMEK
• Compare evaluation and paid organizations in Apigee
• Provisioning an eval org
• Provision a paid org without VPC peering
• About the Apigee encryption keys
• Compatible services
• Use Cloud KMS keys in Google Cloud

Release of Cloud IAM-based authorization and authentication and the VerifyIAM policy.

This release introduces Cloud IAM-based authorization and authentication for Apigee API access. With this IAM-based solution, access to invoke an API requires the API consumer to have a specific Google Cloud IAM role or permissions.

For information, see IAM-based API authentication overview and VerifyIAM policy.

With this release, Apigee supports Workforce Identity Federation.

Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce — a group of users, such as employees, partners, and contractors — using Identity and Access Management (IAM) to access Apigee services.

See Access Apigee using Workforce Identity Federation for more information.

Proxy-specific security actions

You can now create security actions that apply only to one or more specified proxies.

This new functionality is not available with Apigee hybrid at this time.

See Security actions to learn more about proxy-specific security actions.

With the non-VPC peering provisioning approach, you are not required to provide networks and IP ranges during the Apigee provisioning process. Instead, you use Private Service Connect (PSC) for routing northbound traffic to Apigee and southbound traffic to target services running in your Google Cloud projects. Non-VPC peering is supported for command-line (CLI) steps only. You can perform non-VPC provisioning for subscription, Pay-as-you-go, and evaluation installations of Apigee.

To learn more, see Apigee networking options.

You can now edit an uploaded API specification's metadata through the Cloud console. See Edit specification metadata.

When an Apigee API proxy is auto-registered, its deployment type is now labeled either Apigee X or Apigee hybrid. Existing Apigee proxy deployments registered with API hub will also be labeled with the appropriate type. See Auto-register Apigee proxies.

A validation check has been added to reject an API specification style guide upload if the style guide's extends property contains a URL. See Upload a new style guide.

User interface and performance improvements were made.

You can now choose in the Cloud console to restrict the upload of an API specification file that contains errors. By default, specs containing errors are uploaded. See Add a spec to an existing version.

All API proxy endpoints auto-registered from Apigee will be prefixed with https:// by default. Endpoints for existing API proxies that were added to API hub will be updated.

Apigee provisioning for Subscription orgs is now performed in the Google Cloud console.

Public preview of Risk Assessment v2

This release introduces Risk Assessment v2 in preview. Risk Assessment v2 includes these improvements:

• Improved reliability: Faster score calculations with recent proxy data.
• Simplified score display: The new score is a percentage, where 100% means full alignment with the security profile.

For usage information and a list of all improvements and changes in v2, see Risk Assessment v2.

With this release, Apigee expanded its support for data residency to additional regions in Japan:

• asia-northeast1 (Tokyo)
• asia-northeast2 (Osaka)

Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored.

For more information, see Introduction to data residency.

We changed the maximum number of Apps per developer from 10 to 100. See the Limits page for more detail.

Note that using more than 10 apps per developer will result in latency when accessing flow variables referencing developer.apps.

Shadow API Discovery, which is in preview, now supports the use of tags to label and organize observation results.

For usage information, see Use tags.

New flow variables are now available:

• request.headers.names.string
• request.queryparams.names.string
• request.formparams.names.string
• message.headers.names.string
• message.queryparams.names.string
• message.formparams.names.string
• response.headers.names.string

These context variables can be used to return header, query parameter, and form parameter names in string format that can be used in API proxy logic. Each variable returns a comma-separated list of names.

For more information, see the Flow variables reference.

With this release, Apigee expanded its support for data residency to an additional region in Europe: europe-west6 (Zurich).

Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored.

For more information, see Introduction to data residency.

For a list of supported geographic locations, see Apigee locations.

Advanced API Security now supports data residency. Data residency meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Advanced API Security data is stored. For more information, see Introduction to data residency.

Monetization functionality, including rate plan creation and managing rate plans for API Products, is now available in the Apigee UI in Cloud Console.

For information, see Manage Rate Plans and Create API Products.

Monetization now supports data residency. Data residency meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Monetization data is stored. For more information, see Introduction to data residency.

This release includes an update to Advanced API Operations Anomaly Detection functionality: the Anomaly Detection functionality is now available in the Apigee UI in Cloud Console and is renamed to "Operations Anomalies."

For information, see the Operations Anomalies overview for information on the functionality in Apigee UI in Cloud Console.

Operations Anomalies supports data residency. Data residency meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Operations Anomalies data is stored. For more information, see Introduction to data residency.

This release includes general improvements to performance and availability.

Preview release of generative AI incident report summaries

This release introduces the preview release of generative AI summaries and recommendations for Advanced API Security Abuse Detection incidents. The new generative AI features are available for all Advanced API Security-enabled projects and do not require the Gemini Code Assist add-on.

For usage information, see the Abuse Detection customer documentation.

Apigee is now available in new regions:

• Europe - Berlin (europe-west10)
• Africa - Johannesburg (africa-south1)

See Apigee locations for more information about available regions.

Shadow API Discovery, which is in preview, no longer requires separate creation of P4SA permissions in order to enable the functionality.

For usage information, see the Shadow API Discovery documentation.

Update Pay-as-you-go environment types using the Apigee UI in the Google Cloud console

Apigee Pay-as-you-go customers can modify the type of an existing environment using the Apigee UI in the Cloud console. This feature allows you to add or remove feature capabilities for your environments from the UI.

For more information, see Update your environment type. To learn more about environment types, see Apigee Pay-as-you-go environment types.

Feature: Preview release of Google Cloud-based mock servers for API Management features in Gemini Code Assist.

This release introduces the ability to easily deploy a Google Cloud-based remote mock server for Gemini Code Assist API management, which allows interaction with the designed API by anyone with access to the mock server, helping with testing and validating the APIs.

For more information and usage instructions, see Use Gemini Code Assist.

Vertex AI extensions

You can create Vertex AI extensions for the APIs registered in API hub. These extensions can be integrated with Large Language Models (LLMs) to process real-time data. For more information, see Create a Vertex AI extension.

Eventarc triggers

API hub is integrated with Google Cloud's Eventarc. You can now create Eventarc triggers to listen for specific events in API hub, and then trigger custom workflows based on the event. For more information, see Create an Eventarc trigger.

Multi-level delete

By default, you can delete an API only if all underlying versions are deleted. Starting with this release, you can use the force option to delete an API and its child resources in a single step. For more information, see Delete an API resource.

This release includes the general availability (GA) of integrated portal APIs which allow you to manage your integrated portal APIs and reference documentation using API calls. The available functionality has not changed since the public preview release.

The catalog items list view now uses pagination when making requests to the portals service, examples have been added to Publishing your APIs, and new reference documentation is available:

• Publishing your APIs
• API categories reference documentation
• API documents reference documentation

Preview release of Shadow API Discovery

This release introduces Shadow API Discovery in preview. Shadow API Discovery finds shadow APIs (also known as undocumented or unmanaged APIs) in your existing cloud infrastructure. Shadow APIs pose a security risk to your system, since they might be unsecured, unmonitored, and unmaintained.

For a feature overview and usage information, see Shadow API Discovery.

Preview release of API Management features in Gemini Code Assist: generative AI API spec creation with enterprise context and Apigee policy code explanation. This release also includes the preview release of enhanced API hub interaction in Cloud Code.

This release introduces features for Gemini Code Assist API management:

• Use Gemini Code Assist to facilitate API design including OpenAPI spec generation with enterprise context from natural language prompts and built in visual API designer to further refine the specification.
• Code explain for Apigee policies: When adding or editing a proxy policy, highlight part of the policy XML code, such as an element or attribute, to see Gemini Assist-generated information and guidance about the selection.

For more information and usage instructions, see Use Gemini Code Assist.

This release also includes updates to API hub interaction from Cloud Code: An update to the Cloud Code extension enables you to interact with any API in your API hub using a mock server in Cloud Code, make changes to the API, and publish it back to API hub. For information and usage instructions, see Edit APIs.

Preview release of API Management features in Gemini Code Assist: generative AI API spec creation with enterprise context and Apigee policy code explanation.

This release introduces features for Gemini Code Assist API management:

• Use Gemini Code Assist to facilitate API design including OpenAPI spec generation with enterprise context from natural language prompts and built in visual API designer to further refine the specification.
• Code explain for Apigee policies: When adding or editing a proxy policy, highlight part of the policy XML code, such as an element or attribute, to see Gemini Assist-generated information and guidance about the selection.

For more information and usage instructions, see Use Gemini Code Assist.

This release includes general improvements to performance and availability.

Addition of autonomous system numbers (ASN), HTTP methods, and region codes as supported security action rule condition types.

This new functionality is not available with Apigee hybrid at this time.

See Create a security action to learn more.

Addition of CIDR range support when specifying IPv4 addresses for security action rules.

Apigee Advanced API Security now includes support for CIDR range specification when creating security action rules that restrict access based on IP addresses.

This new functionality is not available with Apigee hybrid at this time.

See Create a security action to learn more.

This release contains the General Availability (GA) release of AppGroups for Apigee and Apigee hybrid (version 1.10.0 and later).

AppGroups represent a relationship between one or more apps that are managed by the same set of people. For information, see Using AppGroups to organize app ownership. Client support for AppGroups is available with the latest Drupal Teams module.

Target server SSL enforcement

With this release, Apigee customers can specify strict SSL southbound enforcement in TargetServer configurations using the object's enforce key. If set to true, SSL enforcement is applied to service callouts.

The option to specify this behavior is analogous to usage of the <Enforce> tag in the <SSLInfo> block of the TargetEndpoint configuration.

For more information, see Configure strict SSL enforcement .

Environment-level flag for SSL enforcement

Apigee customers can specify strict SSL southbound enforcement across an Apigee environment, using the SSLInfo.Enforce flag.

If SSLInfo.Enforce is set to true or false, the value specified overrides any granular enforcement options specified in <SSLInfo> blocks in TargetEndpoint or TargetServer configurations.

If SSLInfo.Enforce is unset, SSL enforcement is determined by any values specified using the <Enforce> element within individual <SSLInfo> blocks. For more information, see TLS/SSL TargetEndpoint configuration.

Two-way HTTPS health monitor support

Apigee health monitors using <HTTPMonitor> can now use all SSL parameters available in the <SSLInfo> block of their TargetServer configurations when performing health checks.

To enable access, set <UseTargetServerSSLInfo> to true in the <Request> block of the HTTPMonitor configuration.

For more information, see Health monitor using HTTP monitor .

Logging Apigee access logs

Apigee Subscription and Pay-as-you-go customers can now enable Cloud Logging ingress access logs for each Apigee instance in their organization. Once enabled, this feature allows you to view the logs generated by ingress gateways in your Apigee infrastructure, such as an external Application Load Balancer or an Anthos gateway, to assist in troubleshooting Apigee API calls.

For more information, see Logging Apigee access logs.

With this release, Apigee API Management organizations with Subscription 2021 contracts have been upgraded to introduce standard and extensible API proxy features and expanded limits on deployments.

With this upgrade:

• Standard and extensible API proxy calls are counted equally when calculating overall API call entitlement for Subscription 2021 contracts.
• The maximum number of shared flow deployments is 75 per environment.
• There are no limits on the total number of API proxy deployments per environment.
• The maximum limit of total deployment units (API proxies or shared flows) per organization is 4250.

Note: The fleetwide upgrade is complete for the majority of Subscription 2021 contract organizations. Organization administrators for the remaining 5% of organizations have been contacted by Apigee representatives regarding timelines for the release.

To learn more about:

• Standard and Extensible API Proxy types, see API Proxy types.
• Expanded limits for API proxy and shared flow deployments, see Limits.
• Account level deployment limits, see Subscription 2021 entitlements.
• Viewing proxy deployment count, see View proxy deployment usage.

With this release, Apigee expanded its support for data residency to additional regions in Asia-Pacific and the Middle East. Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored.

For more information, see Introduction to data residency.

For a list of supported geographic locations, see Apigee locations.

With this release, Apigee expanded its support for data residency to additional regions in Canada. Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored.

For more information, see Introduction to data residency.

For a list of supported geographic locations, see Apigee locations.

New Apigee API Monitoring Metrics

An new suite of metrics for monitoring Apigee proxies and target endpoints is now available. With improved scalability and accuracy, the new suite can support large workloads and withstand underlying infrastructure changes.

Apigee's API Monitoring tables and dashboards have been updated to include the following new metrics, which can be used to configure alerts and create custom dashboards:

proxy/request_count
proxy/response_count
proxy/latencies
target/request_count
target/response_count
target/latencies

With this release, Apigee expanded its support for data residency to additional regions in the European Union. Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored.

For more information, see Introduction to data residency.

For a list of supported geographic locations, see Apigee locations.

New Apigee API Monitoring Metrics

An new suite of metrics for monitoring Apigee proxies and target endpoints is now available. With improved scalability and accuracy, the new suite can support large workloads and withstand underlying infrastructure changes.

Apigee's API Monitoring tables and dashboards have been updated to include the following new metrics, which can be used to configure alerts and create custom dashboards:

proxy/request_count
proxy/response_count
proxy/latencies
target/request_count
target/response_count
target/latencies

New conditions for security actions

You can now create security actions based on the following condition types (in addition to the condition types for Detection rules and IP addresses that were already available):

• API keys
• API products
• Access tokens
• Developers
• Developer apps
• User agents

These new conditions are not available with Apigee hybrid at this time.

See Create a security action to learn more.

API support for update operations on KeyValueMap entries

Starting with this release, the Apigee APIs support update operations for KeyValueMap entries. See the API reference page for REST Resource: organizations.environments.keyvaluemaps.entries for information.

We modified or added these limits:

• Changed the maximum API proxy endpoints per API proxy from 5 to 10
• Specified the maximum API base paths per organization as 21,250

See the Limits page for details.

Training machine learning models for abuse detection on your data

You now have the option to allow Apigee to train your organization's machine learning models for abuse detection on your data. Training the models on your data helps improve their accuracy for detecting security incidents.

Update Pay-as-you-go environment types with Apigee APIs.

Use Apigee APIs to upgrade or downgrade the type of an existing environment to add or remove feature capabilities and manage your Apigee Pay-as-you-go billing and resource usage. For more information, see Update Pay-as-you-go environment types.

Apigee Advanced API Security add-on for Pay-as-you-go organizations is generally available (GA).

With this release, Apigee Advanced API Security is available as a paid add-on capability for Pay-as-you-go organizations. The add-on can be enabled in any Apigee Intermediate or Comprehensive environment from the Apigee UI in Cloud Console or using the Apigee APIs. For more information, see Manage the Advanced API Security add-on.

Public preview of archiving security incidents

With this release, you can now archive security incidents that you no longer want to see displayed in the incidents list. For example, you might want to archive incidents that you have already dealt with and no longer need to track. Archiving incidents can help you focus on those incidents that still require your attention. Archiving does not delete the incident: you can always unarchive it whenever you want.

Performance improvements to Risk Assessment security scores

Risk Assessment security scores now load faster in the Apigee UI, due to improved server side caching of scores.

You can now restrict the creation of Apigee location based resources (Organization, Instances and EndpointAttachments) to specific locations using an Organization Policy Service constraint. This feature is generally available. To learn more, see Restricting Resource Locations.

Apigee now supports Forward Proxying. Forward Proxying provides the ability to forward traffic received in a particular environment to a specified URI. See Forward proxying.

Apigee now supports data residency. Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored. See Introduction to data residency.

Apigee now supports CMEK for the control plane. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK). See Introduction to CMEK.

General Availability (GA) of Apigee gRPC passthrough

Apigee's gRPC proxy passthrough functionality provides the ability to create proxies which receive gRPC client requests and pass them through to a gRPC target server.

For information, see Creating gRPC API proxies.

New button to create a security action is now in several places in the Abuse detection and Risk assessment pages

The new button links directly to the Security actions page from the Abuse detection or Risk assessment pages, so you can easily create a security action for the environment you are currently viewing. The button is in the following locations:

• The Source assessment view in the Risk assessment page
• The Detected Traffic, Incident, and Incident details views in the Abuse detection page

This release includes the public preview of integrated portal APIs which allow you to manage your integrated portal APIs and reference documentation using API calls.

The catalog items list view now uses pagination when making requests to the portals service, examples have been added to Publishing your APIs, and new reference documentation is available:

• Publishing your APIs
• API categories reference documentation
• API documents reference documentation

Apigee is now available in a new region: Middle East - Dammam (me-central2).

See Apigee locations for more information about available regions.

Public preview of Advanced API Security custom profiles in the Apigee UI

With this release, you can now create and edit custom security profiles in the Apigee UI. Custom profiles let you specify the security categories that your security scores are based on.

The Security scores page in the Apigee UI has been renamed to the Risk assessment page, and the page now has tabs for security scores and security profiles.

With this release, the HeaderName element is available as a child element of Authentication. This element appears in the ServiceCallout and ExternalCallout policies, and in the TargetEndpoint proxy configuration.

By default, when an Authentication configuration is present, Apigee generates and injects a bearer token into the Authorization header, in the message sent to the target system. The new HeaderName element allows the configuration to specify the name of a different header to hold that bearer token.

Looker Studio Integration

This release includes the public preview of Looker Studio Integration, which connects Apigee data to Google's Looker Studio. Looker Studio is a powerful and flexible tool that you can use to display Apigee data in fully customizable dashboards and reports.

Public Preview of Advanced API Security Actions

Advanced API Security's new Security Actions feature lets you create security actions that define how Apigee handles detected traffic. You can create the following security actions:

• Deny actions, which deny requests that meet specified conditions, for example, originating at an IP address that has been identified as a source of abuse.

• Flag actions, which let requests pass through, but add headers to requests to identify them as suspicious.

• Allow actions, which are used to override deny actions in specific cases when the request is trusted.

Updated pricing attributes in Subscription plans are available.

To get started with subscription plans that include new pricing attributes (consistent with Pay-as-you-go pricing), contact your Google Cloud sales specialist.

For more information, see Apigee Subscription 2024 entitlements. Apigee hybrid is not available in the new subscription plan at this time.

This note is incorrect; see entry for May 17, 2024.

HTTPModifier and ReadPropertySet policies and templating support for message elements are generally available (GA).

The HTTPModifier policy can change an existing request or response message and provides a subset of the functionality already available in the AssignMessage policy. See HTTPModifier policy.

The ReadPropertySet policy reads property sets and populates flow variables with the results. See ReadPropertySet policy.

HTTPModifier and ReadPropertySet are standard policies. Proxies built exclusively with standard policies are called standard proxies and can be deployed to any environment type. See Pay-as-you-go (updated attributes) pricing overview.

With this release, template support for message elements is also generally available. See URL templating.

New environment types are generally available (GA).

With this release, Apigee introduces three distinct environments that have access to varying degrees of Apigee capabilities and costs: Base, Intermediate, and Comprehensive.

For more information, see Apigee Pay-as-you-go environment types.

New attributes for Pay-as-you-go pricing are generally available (GA).

Apigee updated its Pay-as-you-go pricing model, making it possible for customers to onboard at a significantly reduced initial cost and right-size their ongoing expenses to usage.

To learn more about the updated Pay-as-you-go pricing experience, see Pay-as-you-go (updated attributes) pricing overview.

Apigee API Analytics add-on for Pay-as-you-go organizations is generally available (GA).

With this release, Apigee API Analytics is available as a paid add-on capability for Pay-as-you-go organizations. The add-on can be enabled in any Apigee Intermediate or Comprehensive environment. For more information, see Manage the Apigee API Analytics add-on.

One click provisioning for Apigee Pay-as-you-go organizations is generally available (GA).

Simplify your onboarding experience with one click provisioning for new Pay-as-you-go organizations, using smart default configurations. To learn more, see Provision Apigee with one click.

Standard and extensible API proxies are generally available (GA).

Standard and extensible API proxies are generally available for use with Apigee organizations.

For more information about standard and extensible API proxies, see API proxy types.

Public preview of Advanced API Security Alerting

Advanced API Security's new alerting feature lets you create alerts for events related to API security using Google Cloud Monitoring, such as changes to your security scores or incidents involving detected API abuse. You can configure alerts to send you notifications by email or other channels when these events occur, so you can take action to counteract them.

This release includes custom profiles for Advanced API Security scores. Custom profiles let you specify the security categories you want your security scores to be based on. In this release, you must create a security profile in the security scores API. However, you can view scores for the profile in the security scores UI.

This release includes a major redesign of the Advanced API Security scores page in the Apigee UI in Cloud console. The Security scores page now:

• Highlights the top recommendations for improving security scores.
• Links directly to the Apigee UI Proxy Editor and Target Server tabs , where you can implement recommended changes to your API proxies and target servers.

Public preview of Apigee gRPC passthrough

Apigee's new gRPC proxy passthrough functionality provides the ability to create proxies which receive gRPC client requests and pass them through to a gRPC target server.

For information, see Creating gRPC API proxies.

Preview release of non-VPC peering option for Apigee provisioning Apigee now supports a provisioning option that does not require VPC peering. With this approach, you are not required to provide networks and IP ranges during the Apigee provisioning process. Instead, you use Private Service Connect (PSC) for routing northbound traffic to Apigee and southbound traffic to target services running in your Google Cloud projects.

Non-VPC peering is supported for command-line (CLI) provisioning steps only. You can perform non-VPC provisioning for subscription, Pay-as-you-go, and evaluation installations of Apigee.

To learn more, see Apigee networking options.

Preview release of Pay-as-you-go pricing with updated attributes

Apigee is updating its Pay-as-you-go pricing model, making it possible to start using Apigee at a significantly reduced initial cost and right-size ongoing expenses to match precise usage.

To learn how to get started with the updated Pay-as-you-go pricing experience, see Pay-as-you-go (updated attributes) pricing overview.

Preview release of new environment types

Apigee announces the Preview release of three distinct environment types: Base, Intermediate, and Comprehensive. Each environment type offers varying degrees of capabilities and costs; you can tailor pricing to suit your needs.

For more information, see Apigee Pay-as-you-go environment types.

Preview release of standard and extensible API proxies

Apigee announces the Preview release of standard and extensible API proxies, available for use with preview organizations using Pay-as-you-go (updated attributes) pricing.

For more information about standard and extensible API proxies, see API proxy types.

Preview release of new HTTPModifier and ReadPropertySet policies and templating support for message <URL> elements

Apigee announces the Preview release of the HTTPModifier and ReadPropertySet policies.

The HTTPModifier policy can change an existing request or response message and provides a subset of the functionality already available in the AssignMessage policy. See HTTPModifier policy.

The ReadPropertySet policy reads property sets and populates flow variables with the results. See ReadPropertySet policy.

HTTPModifier and ReadPropertySet are standard policies. Proxies built exclusively with standard policies are called standard proxies and can be deployed to any environment type. See Pay-as-you-go (updated attributes) pricing overview.

This release also includes template support for message <URL> elements. See URL templating.

Public preview of AppGroups

Introduces the concept of AppGroups, which represent a relationship between one or more apps that are managed by the same set of people. For information, see Using AppGroups to organize app ownership.

Note that the purpose of this release is to support upgrades from Apigee Edge customers who used company-apps without monetization; however, it is available to any Apigee X/hybrid customer during the public preview stage.

This release contains a new Advanced API Security Detected Traffic view, which displays information about API traffic originating from detected bots. This information was previously displayed in the Abuse metrics section of the Security scores view.

This release contains a new Advanced API Security Detected Traffic view, which displays information about API traffic originating from detected bots. This information was previously displayed in the Abuse metrics section of the Security scores view.

New features now supported in Apigee in VS Code for local development

The following features are now supported with Apigee in VS Code for local development as part of the Insiders build (as of v1.22.1-insiders.3):

• Create multi-repository workspaces - Choose individual storage locations for artifacts, such as API proxies that are stored as individual SCMs, but develop them together using a single workspace. You no longer have to create a single repository that contains all of your API proxies. See Understanding the structure of an Apigee multi-repository workspace.
• Use keystore - Introduces a new environment-level setting for creating the required keystores in the Apigee Emulator by using locally available keys. See Configuring the keystrokes (keystores.json).
• Test API proxies that require service accounts (for example, calling a cloud logging process as part of an API proxy flow) - Set up your Apigee Emulators with a service account key to enable service accounts, add policies and targets that rely on service accounts, and deploy the API proxies to the Apigee Emulator to test them. See Customizing the Apigee Emulator to support service account-based authentication.

Public preview release of Advanced API Security abuse detection

Advanced API Security's new abuse detection feature lets you view security incidents involving your APIs. Abuse detection uses Google's machine learning algorithms to detect API traffic patterns that are a sign of malicious activity targeting your APIs.

Abuse detection includes two new types of detection rules powered by machine learning models:

• Advanced Anomaly Detection: Detects unusual patterns of API traffic.
• Advanced API scraper: Detects attempts to extract information from APIs for malicious purposes.

Users are now able to enable the content security policy feature for their portal for Apigee and Apigee hybrid. Previously, this feature was available in Apigee Edge only.

See: Configure a content security policy

Public preview release of Advanced API Security abuse detection

Advanced API Security's new abuse detection feature lets you view security incidents involving your APIs. Abuse detection uses Google's machine learning algorithms to detect API traffic patterns that are a sign of malicious activity targeting your APIs.

Abuse detection includes two new types of detection rules powered by machine learning models:

• Advanced Anomaly Detection: Detects unusual patterns of API traffic.
• Advanced API scraper: Detects attempts to extract information from APIs for malicious purposes.

Receive Cloud console notifications when Pay-as-you-go provisioning completes.

While provisioning is in progress, users can navigate away from the Apigee provisioning page and monitor notifications in the Cloud console for updates when provisioning completes.

Customize SSL certs for access routing when provisioning Apigee Pay-as-you-go organizations.

Users can now select existing self-managed SSL certs when customizing access routing during Apigee Pay-as-you-go provisioning. For more information, see Step 4: Customize access routing .

JWTs can now add a claim named customattributes that will pass the value on to the target in a header called x-apigee-customattributes (if append_metadata_headers is configured to be true).

The VerifyAPIKey policy and the VerifyAccessToken action of the OAuth2 policy now support CacheExpiryInSeconds. Setting this variable enforces TTL on the cache and enables customization of the time period for cached token expiry.

GA release of Simplified Onboarding for Apigee X (Pay-as-you-go) in the Google Cloud console.

With this release, new Apigee customers using Pay-as-you-go pricing can quickly configure Apigee using a simplified onboarding flow accessible from the Google Cloud console.

• The new onboarding UI provides stepped navigation consistent with other products available in the console.
• Apigee X (Pay-as-you-go) provisioning is simplified but remains flexible. Default settings are provided, with the option to customize as needed.
• Improved contextual help streamlines decision-making during onboarding.

See Before you begin and Get started in the Cloud Console for more details on provisioning Apigee X with Pay-as-you-go pricing from the Google Cloud console.

Added support for a new recurring fees

Apigee X now supports optional recurring fees charged to API developers. For more information on fees, see Understanding billing.

Added support for a new setup fee

Apigee X now supports an optional setup fee charged to new API developers. For more information on fees, see Understanding billing.

Apigee support for using Private Service Connect (PSC) for client-to-Apigee (northbound) traffic is now GA. In addition, we now support using PSC for northbound routing in multi-region configurations. For details, see Expanding Apigee to multiple regions. See also Northbound networking with Private Service Connect and Migrate northbound routing to Private Service Connect.

This release contains the General Acceptance (GA) release of Advanced API Security, which:

• Detects unwanted requests sent to your APIs, including attacks by bots or other malicious agents.
• Evaluates the security of your API configurations and provides recommendations for improvements.

Advanced API Security is a paid add-on to Apigee. You can try out Advanced API Security for free in any trial org—follow the procedure described in Enable Advanced API Security. Contact Apigee to learn more.

Some runtime error messages have been improved with a reason code. To display only the error codes with a reason code, scroll down to Search and type reason. The error catalog filters the view.

See: Runtime error catalog

If you have an Apigee instance that was created before January 25, 2022, Apigee recommends that you replace it with a new instance. If you do not recreate the older instance, you may experience scaling issues and the number of environments you can add to an instance will continue to be limited to 10.

For more information and detailed instructions, see Recreating an Apigee instance with zero downtime

When using local development with Apigee in VS Code, the following pre-release features are available as part of the Insiders build (v1.21.0 and higher):

• Using a different version of the Apigee Emulator

• Customizing the Apigee runtime Docker container

With this release, Apigee support for Private Service Connect (PSC) is GA. PSC allows you to privately connect Apigee to target services running across VPC networks in addition to the peered network. For more information, see Southbound networking patterns.

With this release, the Apigee Pay-as-you-go pricing model includes a maximum Apigee gateway node count of 1,000 across all environments in a region.

This release contains the new Abuse page in Advanced API Security, which displays information about bots that have been detected by analysis of your API traffic. The Abuse page displays the IP addresses of detected bots, as well as their locations, the bot rules that led to their detection, and other details.

The Advanced API Security's target assessment, which evaluates the security of target servers in your API, is now available. See Security scores in the Apigee UI to learn more.

This release contains the Public Preview of Advanced API Security, which protects your APIs from unwanted requests, including attacks by malicious clients such as bots, and evaluates the security level of your API configurations.

Advanced API Security lets you:

• Create security reports to detect bots and other threats to your APIs.
• View security scores, which rate the security of your APIs and provide recommendations for improving security.

Added the ability to sort by Name and Created fields in the Apps and Teams tables. Click the column heading to sort.

Use a GraphQL schema to publish your APIs to an integrated portal.

For details, see:

• What is GraphQL schema
• GraphQL Explorer

Apigee X APIs for managing key value entries in a key value map scoped to an organization, environment, or API proxy are now available. For more information, see the Apigee API reference documentation.

Export support for additional monetization-related values

Apigee X now supports export of additional fee-based values for organizations using monetization. For more information, see Generating monetization reports.

The GoogleIDToken.Audience tag now includes the useTargetUrl attribute to simplify audience configuration of Google ID tokens for Apigee policies.

Error messages for rejected logins for an inactive user are now more informative to the user.

Emails from portal-sso will either be the email address of the sender that the user sets up in the custom smtp settings, or it will be no-reply@google.com, instead of the human-readable name orgname-portalname. This screenshot illustrates emails sent from portal-sso in e2e. It shows one email with custom smtp settings (tsnow-custom-smtp) and one email with the default settings (no-reply).

You can now use Private Service Connect (PSC) to connect to Apigee. This architectural pattern eliminates the need to create managed instance groups to forward requests from the global load balancer to Apigee. For details, see Using Private Service Connect.

You can now use Private Service Connect (PSC) to connect Apigee with backend target services running in VPC networks other than the one that is peered with your Apigee organization. For details, see Southbound networking patterns.

Support for conditions in IAM policies

You can add resource conditions in your IAM policies. A resource condition lets you have granular control over your Apigee resources. For more information, see Adding resource conditions in IAM policies.

KVM pagination support now available (via the API only).

GraphQL policy now supports JSON-encoded payloads.

HTTP request transforms are now available for use with configurable API proxies.

With HTTP request transforms, configurable API proxy developers can quickly rewrite HTTP request paths, header, and query parameters using HTTP Request Transforms. Rewriting is enabled using a simple configuration that can reference incoming path template segments, header values, or query parameter values.

For more information, see HTTP request transforms for configurable proxies.

Google authentication for securing targets is now supported when using configurable API proxies.

With this feature, configurable API proxy developers can secure their Google backend services using Google OAuth and automatically grant access to authorized API consumers. This offers the advantage of seamless integration with other Google services, without requiring API producers to manage private keys.

For more information, see Securing targets for configurable proxies.

Configurable API proxies now support the use of template variables.

Apigee property sets can be used to specify template variables for configurable API proxies in archive deployments. This feature enables customers to use string templates in their proxy configuration YAML files.

For more information, see Template variables for configurable proxies.

Southbound mTLS can be enabled for use with configurable API proxies .

By adding south bound mTLS functionality to configurable proxies, Apigee customers can seamlessly maintain their current usage of mTLS when transitioning to the use of configurable proxies, or increase security for communications between existing configurable proxies and their backends.

For more information, see Enable south bound mTLS for configurable proxies.

Backend target routing with Private Service Connect

You can now use Private Service Connect (PSC) to connect Apigee with backend target services running in VPC networks other than the one that is peered with your Apigee organization. For details, see Southbound networking patterns.

UI updates for service networking and instance creation

UI updates were made to support changes to network IP CIDR range requirements for service networking and instance creation. These changes simplify Apigee provisioning.

Reduce the IP range required to peer your VPC network

The required IP range needed to peer your VPC network to the Apigee network is now limited to a non-overlapping CIDR range of /22. This change simplifies Apigee provisioning. Note that the provisioning step for service network configuration has been updated to reflect this change. For more information, see Understanding peering ranges.

The list of supported Envoy and Istio versions for the CLI samples command has been updated. These versions are now supported for samples:

• Envoy versions 1.18 to 1.20
• Istio versions 1.10 to 1.12

Dynamic consumption pricing

To calculate the cost of a transaction, you can specify a multiplier (perUnitPriceMultiplier) value on top of the pre-configured base price in your DataCapture policy.

Prepaid billing

Apigee now supports the prepaid billing of developers, as well as postpaid billing. In prepaid billing, app developers pay in advance even before using your API products. The upfront payment made by the developers is available in the developer's wallet, which can have different currencies. You can track a developer's balance in real time and block API calls if a developer has insufficient funds.

DataCapture policy captures monetization variables

You can configure the DataCapture policy to capture a transaction's monetization information such as revenue, currency, price multiplier, and status. For more information, see Monetization variables.

Criteria for successful transaction

You can specify if a transaction must be monetized or not by configuring the transactionSuccess monetization variable in your DataCapture policy.

Revenue sharing with developers

The revenue sharing feature enables developers to receive a percentage of the total revenue generated. As an API provider, you can configure Revenue share in your rate plan to share a specific percentage of the revenue with your developer partners.

Volume banded consumption pricing

Rate plan supports the new Banded type of consumption based fees. You can configure variable fees for each monetized transaction based on a band. A band refers to an API consumption range, and you can configure a different fee for each band.

Advanced API Operations

This is the GA release of Apigee's Advanced API Operations (AAPI Ops), which provides tools to help you ensure that your APIs stay up and running as intended. AAPI Ops automatically detects unusual patterns in API traffic—called anomalies—such as spikes in latency or error rate.

AAPI Ops enables you to:

• Detect anomalies and view them in the Anomaly Events dashboard
• Investigate anomalies
• Create anomaly alerts

Additional channels for sending alert notifications

Apigee API Monitoring now supports the following channels for sending alert notifications:

• Email
• PagerDuty
• Slack
• Webhooks

See Creating a notification for an alert.

Recent view

The new API Monitoring Recent view displays treemaps of API traffic by proxy. A treemap displays traffic data for each proxy as a rectangle, whose size is proportional to the amount of traffic in the proxy. The colors of the rectangle indicate the relative sizes of the following variables:

• Number of incidents triggered by alerts.
• Error rate
• Maximum latency 50th percentile (median)

See Using the Recent view.