Apigee release notes

This page documents production updates to Apigee software in 2022 and later. We recommend that users periodically check this list for any new announcements, or subscribe to this page using a feed reader to get notifications of updates.

What is a feed reader?

Really simple syndication (RSS) feed readers aggregate content from websites that you specify.

Feed reader notifications can be email-, browser-, desktop-, or mobile-based. Some readers are free, or have free versions, and some require a subscription.

A few examples:

More information on RSS:

See also:

Subscribe:

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.

October 23, 2024

On October 23, 2024, we released an updated version of Apigee (1-14-0-apigee-1).

Bug ID Description
N/A Updates to security infrastructure and libraries.

October 22, 2024

On October 22, 2024, we released a new version of Apigee.

With this release, the following limits for Apigee organizations have changed:

  • The maximum number of deployed API proxies and shared flows per (non-hybrid) organizations is 6000.
  • The maximum number of proxy deployment units per Apigee instance is 6000.
  • The maximum number of API base paths per Apigee organization is 6000.

For more information, see the Apigee Limits page.

October 10, 2024

On October 10, 2024, we released an updated version of Apigee.

Apigee no longer limits the number of Cloud projects that can connect to an Apigee instance. Previously, the limit was 50 projects. For each project, you can now create up to 100 Private Service Connect Network Endpoint Groups. The previous limit was 20. For any Apigee instances created before October 10, 2024, you must perform an update to the consumer accept list for an Apigee instance if you want to take advantage of these new limits. See Updating the consumer accept list for an Apigee instance. See also Limits.

October 08, 2024

On October 8, 2024, we released an updated version of Apigee (1-13-0-apigee-6).

This release addresses the security concerns in GCP-2024-052 from Google Anthos Service Mesh.

Bug ID Description
361714906 Fixed synchronization issue with Cloud KMS keys

Implemented recovery mechanism for the Apigee dataplane in the event of an extended disruption in the CloudKMS key service.

361044374 Resolved issue with incorrect payloads shown in debug trace

When using debug trace with the AssignMessage policy, the UI now displays the correct request and response payloads.

N/A Updates to security infrastructure and libraries.

October 02, 2024

On October 2, 2024, we released an updated version of Apigee.

With this release, all remaining Apigee API Management organizations with Subscription 2021 contracts have been upgraded to introduce standard and extensible API proxy features.

To learn more about:

Subscription Apigee organizations (without hybrid entitlements) upgraded in this release will see changes to the user experience in the Classic Apigee UI. To support management of the upgraded functionality now available to these organizations, a number of feature administration pages are now only available in the Apigee UI in Cloud console.

For more information, see Apigee UI in Cloud console navigation.

September 26, 2024

On September 26, 2024 we released an updated version of Apigee.

If you have CMEK org policy constraints on your Google Cloud project, Apigee will enforce compliance with those constraints and guide you in choosing valid configuration, and prevent you from using Apigee features that are not CMEK-compliant.

The following documents are new and explain how to use CMEK with Apigee:

The following documents have been updated with the relevant CMEK information:

A known issue was added: Apigee does not support Cloud External Key Manager.

A known issue was added: Apigee does not support key re-encryption, which means even after rotation, the old key version will still be used and you cannot change the CMEK key after org creation.

September 20, 2024

On September 20, 2024, we released an updated version of Apigee (1-13-0-apigee-5).

Bug ID Description
366039324 Fixed PEM parsing error in JWT/JWS policies

Resolved a PEM parsing error in JWT/JWS policy execution caused by a problematic PEM format.

353527851 Resolved dropped WebSocket connection

Fixed issue causing a dropped WebSocket connection when using the OAuthV2 policy and the VerifyJWTAccessToken operation or VerifyJWT.

361166073 Fixed issue with JWKS rejection in GenerateJWT policy

Fixed an issue where valid JWKS used to sign encrypted JWTs with the GenerateJWT Policy are incorrectly rejected with steps.jwt.NoMatchingPublicKey.

352593965 Resolved SSL enforcement bug in proxies using the <SSLInfo> block

This release fixes an SSL enforcement bug in proxies where an <SSLInfo> block specifies both <IgnoreValidationErrors> and <Enforce> as true. The bug results in no enforcement for one specific type of SSL violation - a mismatch between the certificate subject name and the real host name of the target (No Subject Alternative Name, or NSAN). With this fix, <Enforce> uniformly overrides <IgnoreValidationErrors> in all cases, including NSAN.

N/A Updates to security infrastructure and libraries.

September 18, 2024

On September 18, 2024 we released an updated version of Apigee

Release of Cloud IAM-based authorization and authentication and the VerifyIAM policy.

This release introduces Cloud IAM-based authorization and authentication for Apigee API access. With this IAM-based solution, access to invoke an API requires the API consumer to have a specific Google Cloud IAM role or permissions.

For information, see IAM-based API authentication overview and VerifyIAM policy.

September 12, 2024

On September 12, 2024, we released an updated version of Apigee.

With this release, Apigee supports Workforce Identity Federation.

Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce — a group of users, such as employees, partners, and contractors — using Identity and Access Management (IAM) to access Apigee services.

See Access Apigee using Workforce Identity Federation for more information.

Bug ID Description
338285095 Fixed a problem where apps associated with an AppGroup did not appear in the Apps list in the Apigee UI in Cloud Console. As a result, users could not access the app's App Detail page in the console. Using search in the console with a partial app name or API key search for the app was not available.

With this fix, users can now view apps associated with an AppGroup in the Apps list, and view details for each app or delete the app. Users will still not be able to create or edit AppGroup apps.

Apigee hybrid organizations were not impacted by this problem, as they use the Classic UI to view the app details.

PEM parsing error in JWT/JWS policies due to non-standard format

For Apigee and Apigee hybrid versions 1.13 and higher, any deviations in the required PEM format of keys used in Apigee JWS or JWT policies may result in a parsing error.

For more information, see Apigee known issues.

August 30, 2024

On August 30, 2024, we released an updated version of Apigee (1-13-0-apigee-4).

Bug ID Description
N/A Updates to security infrastructure and libraries.

August 27, 2024

Clarification: On July 26 we announced monetization support with data residency. Please note that monetization support with data residency is for non-hybrid organizations only at this time.

For more information, see Introduction to data residency.

August 26, 2024

On, August 26, 2024, Apigee announced the GA launch of its non-VPC provisioning option.

With the non-VPC peering provisioning approach, you are not required to provide networks and IP ranges during the Apigee provisioning process. Instead, you use Private Service Connect (PSC) for routing northbound traffic to Apigee and southbound traffic to target services running in your Google Cloud projects. Non-VPC peering is supported for command-line (CLI) steps only. You can perform non-VPC provisioning for subscription, Pay-as-you-go, and evaluation installations of Apigee.

To learn more, see Apigee networking options.

August 19, 2024

Timeouts when deploying API proxies and shared flows

The following endpoints may experience timeouts when used with a high volume of queries per second (QPS):

To reduce the likelihood of timeouts, we recommend a target of three QPS when using these endpoints.

To track the status of this issue, see Apigee Known Issues.

August 16, 2024

On August 16, 2024, we released an updated version of Apigee (1-13-0-apigee-3).

Bug ID Description
324418891 Added improvements to the MessageLogging policy to avoid potential downtime and deployment failures.
351068926 Updated the error format, fault status, and status code returned (from 500 to 404) in cases where an invalid authorization code causes an error.

August 15, 2024

On August 15, 2024 documentation was added describing how to provision Apigee in the Google Cloud console.

See Get started in the Google Cloud console for more information.

Apigee provisioning for Subscription orgs is now performed in the Google Cloud console.

August 12, 2024

On August 12, 2024, we released a new version of Apigee.

We changed the maximum number of Apps per developer from 10 to 100. See the Limits page for more detail.

Note that using more than 10 apps per developer will result in latency when accessing flow variables referencing developer.apps.

With this release, Apigee expanded its support for data residency to additional regions in Japan:

  • asia-northeast1 (Tokyo)
  • asia-northeast2 (Osaka)

Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored.

For more information, see Introduction to data residency.

August 08, 2024

On August 8, 2024, we announced an increase in the recommended number of API basepaths per Apigee environment or environment group.

The recommended limit of API proxy basepaths per Apigee environment or environment group increased from 1,000 to 3,000. For more information, see the Environment and organization section of the Limits page.

Bug ID Description
329304975, 301845257 Limit on number of basepaths per environment

Fixed issue with the number of total basepaths per environment causing potential failures when deploying API proxy revisions.

August 07, 2024

On August 7, 2024, we published new documentation explaining how to integrate Apigee with a Security Information and Event Management (SIEM) solution. See Integrate Apigee with your SIEM solution for more information.

August 01, 2024

On August 1, 2024, we released an updated version of Apigee (1-13-0-apigee-1).

New flow variables are now available:

  • request.headers.names.string
  • request.queryparams.names.string
  • request.formparams.names.string
  • message.headers.names.string
  • message.queryparams.names.string
  • message.formparams.names.string
  • response.headers.names.string

These context variables can be used to return header, query parameter, and form parameter names in string format that can be used in API proxy logic. Each variable returns a comma-separated list of names.

For more information, see the Flow variables reference.

Bug ID Description
308583363, 332464869 Security fix for apigee-mart.

This addresses the following vulnerabilities:

332465218 Security fix for apigee-runtime.

This addresses the following vulnerabilities:

341994213, 333971421 Security fixes for Cassandra emulator.

These address the following vulnerabilities:

329762216

Security fix for apigee-installer.

This addresses the following vulnerability: CVE-2024-24786

342630443, 342714341, 343202829

Security fixes to address the following vulnerabilities:

Bug ID Description
293150694 <HTTPMonitor> now supports the <UseTargetServerSSLInfo> element and can trust TLS certs from non-public CAs.
329874359 Decreased the default value of <CacheLookupTimeoutInSeconds> from 30 seconds to 12 seconds.
334442202 Added specific and informative error messaging for App query failures resulting from discrepancies between developers and apps.
333919279 Improved reliability for Developer, App and API products APIs.
339169651 Fixed potential HTTP request smuggling vulnerability when using the OPTIONS method.
297539870 <HTTPTargetConnection> property io.timeout.millis is honored when used with WebSockets.
N/A Updated infrastructure and libraries.

July 30, 2024

On July 30, 2024, we released an updated version of Apigee.

With this release, Apigee expanded its support for data residency to an additional region in Europe: europe-west6 (Zurich).

Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored.

For more information, see Introduction to data residency.

For a list of supported geographic locations, see Apigee locations.

July 25, 2024

On July 25, 2024, we released an updated version of Apigee.

This release includes an update to Advanced API Operations Anomaly Detection functionality: the Anomaly Detection functionality is now available in the Apigee UI in Cloud Console and is renamed to "Operations Anomalies."

For information, see the Operations Anomalies overview for information on the functionality in Apigee UI in Cloud Console.

Operations Anomalies supports data residency. Data residency meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Operations Anomalies data is stored. For more information, see Introduction to data residency.

July 11, 2024

On July 11, 2024, we released an updated version of Apigee (1-12-0-apigee-8).

This release addresses the security concerns in GCP-2024-032 from Google Anthos Service Mesh.

Bug ID Description
330175485 Security fix for apigee-ingress.
This addresses the following vulnerabilities:
Bug ID Description
N/A Updated libraries and infrastructure.

July 09, 2024

Updated: Limit on number of basepaths per environment

Apigee is raising the temporary limit of 1000 basepaths per environment to avoid potential failures when deploying API proxy revisions.

While this limit is in place, you can deploy up to 1000 API proxy revisions (each containing a single basepath) per environment. If your API proxies or revisions contain more than one basepath, the total number of basepaths per environment must not exceed 1000.

To track the status of this issue, see Apigee Known Issues.

July 02, 2024

On July 2, 2024, we published a security bulletin for Apigee.

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE or VM nodes.

Security bulletin published: GCP-2024-040

June 27, 2024

On June 27, 2024, we released an updated version of Apigee.

Apigee is now available in new regions:

  • Europe - Berlin (europe-west10)
  • Africa - Johannesburg (africa-south1)

See Apigee locations for more information about available regions.

June 26, 2024

On June 26, 2024, we released an updated version of Apigee (1-12-0-apigee-7).

Bug ID Description
N/A Upgraded infrastructure and libraries.

These issues were fixed in 1-12-0-apigee-4-hotfix and are included in this release:

Bug ID Description
337876238, 330314128, 333762214 Resolved issues resulting in an increase in 404/503 responses.

Upgraded storage for the Apigee router to the latest version to resolve 404 responses.

Adjusted traffic weight and delays in the older replica set to handle traffic divergence during the release process to address any 5xx responses.

335832119 Fixed 404 errors caused during Apigee instance update/rollback.
255772956 Turned off asynchronous services callout when the <Response> element is not present due to inconsistent scaling of runtime pods.
338717278 Reverted problematic commit to address thread pool exhaustion.

June 20, 2024

On June 20, 2024, we released an updated version of Apigee.

This release includes a change in the user experience of selecting a physical location for control plane hosting when provisioning a Subscription or Pay-as-you-go Apigee organization with data regionalization enabled.

The new provisioning experience provides the opportunity to select a control plane hosting jurisdiction that refers to a location within a geopolitical boundary that may span more than one region. For more information, see Select an Apigee API control plane hosting jurisdiction.

June 17, 2024

On June 17, 2024, we released an updated version of Apigee.

Update Pay-as-you-go environment types using the Apigee UI in the Google Cloud console

Apigee Pay-as-you-go customers can modify the type of an existing environment using the Apigee UI in the Cloud console. This feature allows you to add or remove feature capabilities for your environments from the UI.

For more information, see Update your environment type. To learn more about environment types, see Apigee Pay-as-you-go environment types.

June 12, 2024

On June 12, 2024, we released an updated version of Apigee

Feature: Preview release of Google Cloud-based mock servers for API Management features in Gemini Code Assist.

This release introduces the ability to easily deploy a Google Cloud-based remote mock server for Gemini Code Assist API management, which allows interaction with the designed API by anyone with access to the mock server, helping with testing and validating the APIs.

For more information and usage instructions, see Use Gemini Code Assist.

May 29, 2024

On May 29, 2024 we released an updated version of Apigee

Preview release of API Management features in Gemini Code Assist: generative AI API spec creation with enterprise context and Apigee policy code explanation. This release also includes the preview release of enhanced API hub interaction in Cloud Code.

This release introduces features for Gemini Code Assist API management:

  • Use Gemini Code Assist to facilitate API design including OpenAPI spec generation with enterprise context from natural language prompts and built in visual API designer to further refine the specification.
  • Code explain for Apigee policies: When adding or editing a proxy policy, highlight part of the policy XML code, such as an element or attribute, to see Gemini Assist-generated information and guidance about the selection.

For more information and usage instructions, see Use Gemini Code Assist.

This release also includes updates to API hub interaction from Cloud Code: An update to the Cloud Code extension enables you to interact with any API in your API hub using a mock server in Cloud Code, make changes to the API, and publish it back to API hub. For information and usage instructions, see Edit APIs.

May 17, 2024

On May 17, 2024, we released an updated version of Apigee (1-12-0-apigee-4-hotfix, 1-12-0-apigee-5).

Bug ID Description
337876238, 330314128, 333762214 Resolved issues resulting in an increase in 404/503 responses.

Upgraded storage for the Apigee router to the latest version to resolve 404 responses.

Adjusted traffic weight and delays in the older replica set to handle traffic divergence during the release process to address any 5xx responses.

335832119 Fixed 404 errors caused during Apigee instance update/rollback.
255772956 Turned off asynchronous services callout when the <Response> element is not present due to inconsistent scaling of runtime pods.
338717278 Reverted problematic commit to address thread pool exhaustion.

Navigation menus in the Classic Apigee UI have been restored to support the transition from the Classic console to Apigee in the Google Cloud console.

Each menu item in the Classic console now directs you to the corresponding feature location in the Cloud console where you can carry out your task. Please see Apigee UI in Cloud console navigation for more details.

Correction: Apigee hybrid entitlements are available in Apigee Subscription 2024 plans. For more information, see Apigee Subscription 2024 entitlements.

May 09, 2024

Limit on number of basepaths per environment

Apigee is enforcing a temporary limit of 500 basepaths per environment to avoid potential failures when deploying API proxy revisions.

While this limit is in place, you can deploy up to 500 API proxy revisions (each containing a single basepath) per environment. If your API proxies or revisions contain more than one basepath, the total number of basepaths per environment must not exceed 500.

To track the status of this issue, see Apigee Known Issues.

May 08, 2024

On May 8, 2024, we released an updated version of Apigee X.

This release contains the General Availability (GA) release of AppGroups for Apigee and Apigee hybrid (version 1.10.0 and later).

AppGroups represent a relationship between one or more apps that are managed by the same set of people. For information, see Using AppGroups to organize app ownership. Client support for AppGroups is available with the latest Drupal Teams module.

May 07, 2024

On May 7, 2024, we released an updated version of Apigee.

Target server SSL enforcement

With this release, Apigee customers can specify strict SSL southbound enforcement in TargetServer configurations using the object's enforce key. If set to true, SSL enforcement is applied to service callouts.

The option to specify this behavior is analogous to usage of the <Enforce> tag in the <SSLInfo> block of the TargetEndpoint configuration.

For more information, see Configure strict SSL enforcement .

Environment-level flag for SSL enforcement

Apigee customers can specify strict SSL southbound enforcement across an Apigee environment, using the SSLInfo.Enforce flag.

If SSLInfo.Enforce is set to true or false, the value specified overrides any granular enforcement options specified in <SSLInfo> blocks in TargetEndpoint or TargetServer configurations.

If SSLInfo.Enforce is unset, SSL enforcement is determined by any values specified using the <Enforce> element within individual <SSLInfo> blocks. For more information, see TLS/SSL TargetEndpoint configuration.

Two-way HTTPS health monitor support

Apigee health monitors using <HTTPMonitor> can now use all SSL parameters available in the <SSLInfo> block of their TargetServer configurations when performing health checks.

To enable access, set <UseTargetServerSSLInfo> to true in the <Request> block of the HTTPMonitor configuration.

For more information, see Health monitor using HTTP monitor .

April 26, 2024

On April 26, 2024, we released an updated version of Apigee.

Logging Apigee access logs

Apigee Subscription and Pay-as-you-go customers can now enable Cloud Logging ingress access logs for each Apigee instance in their organization. Once enabled, this feature allows you to view the logs generated by ingress gateways in your Apigee infrastructure, such as an external Application Load Balancer or an Anthos gateway, to assist in troubleshooting Apigee API calls.

For more information, see Logging Apigee access logs.

April 19, 2024

On April 19, 2024, we released an updated version of Apigee.

With this release, Apigee API Management organizations with Subscription 2021 contracts have been upgraded to introduce standard and extensible API proxy features and expanded limits on deployments.

With this upgrade:

  • Standard and extensible API proxy calls are counted equally when calculating overall API call entitlement for Subscription 2021 contracts.
  • The maximum number of shared flow deployments is 75 per environment.
  • There are no limits on the total number of API proxy deployments per environment.
  • The maximum limit of total deployment units (API proxies or shared flows) per organization is 4250.

Note: The fleetwide upgrade is complete for the majority of Subscription 2021 contract organizations. Organization administrators for the remaining 5% of organizations have been contacted by Apigee representatives regarding timelines for the release.

To learn more about:

Subscription Apigee organizations (without hybrid entitlements) upgraded in this release will see changes to the user experience in the Classic Apigee UI. To support management of the upgraded functionality now available to these organizations, a number of feature administration pages are now only available in the Apigee UI in Cloud console.

For more information, see Apigee UI in Cloud console navigation.

April 15, 2024

On April 15, 2024, we released an updated version of Apigee (1-12-0-apigee-4).

Bug ID Description
332981542 Optimized VerifyAPI policy execution time for high count of API products.

April 03, 2024

On April 3, 2024, we released an updated version of Apigee.

With this release, Apigee expanded its support for data residency to additional regions in Asia-Pacific and the Middle East. Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored.

For more information, see Introduction to data residency.

For a list of supported geographic locations, see Apigee locations.

April 02, 2024

On April 2, 2024, we announced an increase in the rate limits for the Spike Arrest policy.

The limit on the rate you can specify increased from 1,000 requests per second, 60,000 requests per minute to 4,000 requests per second, 240,000 requests per minute.

See the Spike Arrest section of the Limits page for information on Spike Arrest limits.

April 01, 2024

On April 1, 2024, we released an updated version of Apigee.

With this release, Apigee expanded its support for data residency to additional regions in Canada. Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored.

For more information, see Introduction to data residency.

For a list of supported geographic locations, see Apigee locations.

March 29, 2024

On March 29, 2024, we released an updated version of Apigee (1-12-0-apigee-2).

With this release, Apigee expanded its support for data residency to additional regions in the European Union. Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored.

For more information, see Introduction to data residency.

For a list of supported geographic locations, see Apigee locations.

New Apigee API Monitoring Metrics

An new suite of metrics for monitoring Apigee proxies and target endpoints is now available. With improved scalability and accuracy, the new suite can support large workloads and withstand underlying infrastructure changes.

Apigee's API Monitoring tables and dashboards have been updated to include the following new metrics, which can be used to configure alerts and create custom dashboards:

proxy/request_count
proxy/response_count
proxy/latencies
target/request_count
target/response_count
target/latencies
Bug ID Description
322843888 Fixed issue with incorrect proxy routing when using base paths in proxy chaining.
293933387 KVM list operation now permits entries with null or empty values.
239523766 Removed Unable to evaluate jsonVariable, returning null error string from ExtractVariable Policy logging.
285592278 Fixed issue with deduction of recurring fees from prepaid balances.
237656263 Resolved issue with async mode in the ServiceCallout policy when the <Response> element is removed.

This note is incorrect; this fix is not included in this release.

321744310 Added support for caching JSON results retrieved from the ExtractVariables policy.
295341973 Resolved issue causing delay in updating southbound SSL certificates in truststore and keystore references.

March 26, 2024

On March 26, 2024, we released an updated version of Apigee (1-12-0-apigee-1).

New Apigee API Monitoring Metrics

An new suite of metrics for monitoring Apigee proxies and target endpoints is now available. With improved scalability and accuracy, the new suite can support large workloads and withstand underlying infrastructure changes.

Apigee's API Monitoring tables and dashboards have been updated to include the following new metrics, which can be used to configure alerts and create custom dashboards:

proxy/request_count
proxy/response_count
proxy/latencies
target/request_count
target/response_count
target/latencies
Bug ID Description
322843888 Fixed issue with incorrect proxy routing when using base paths in proxy chaining.
293933387 KVM list operation now permits entries with null or empty values.
239523766 Removed Unable to evaluate jsonVariable, returning null error string from ExtractVariable Policy logging.
285592278 Fixed issue with deduction of recurring fees from prepaid balances.
237656263 Resolved issue with async mode in the ServiceCallout policy when the <Response> element is removed.

This note is incorrect; this fix is not included in this release.

321744310 Added support for caching JSON results retrieved from the ExtractVariables policy.
295341973 Resolved issue causing delay in updating southbound SSL certificates in truststore and keystore references.

March 13, 2024

As of March 13, 2024, the conversion of Apigee API Management organizations with Pay-as-you-go pricing provisioned before October 1, 2023, to Pay-as-you-go organizations that use updated attributes for pricing is complete, with the exception of one organization that requires customer action.

The Apigee API Analytics add-on is enabled in converted organizations.The Analytics add-on can be disabled if it is not required. In addition, you can update your Pay-as-you-go environment types using the API.

For more information on the updated pricing and enhanced features now available for these organizations, see Pay-as-you-go (updated attributes) overview.

Updated pricing attributes will be reflected in March invoices. For billing questions related to this change, contact Google Cloud Billing support.

February 12, 2024

On February 12, 2024, we released an updated version of Apigee (1-11-0-apigee-17).

This release addresses the security concerns in GCP-2024-007 from Google Anthos Service Mesh.

Bug ID Description
322389251 Security fix for apigee-ingress.
This addresses the following vulnerabilities:
Bug ID Description
230082910 Fixed issue causing null values for system.timestamp and system.time.millisecond proxy variables.

This note is incorrect; this fix is not included in this release.

| 285592278 | Fixed issue with deduction of recurring fees from prepaid balances.

This note is incorrect; see entry for March 26, 2024.

February 08, 2024

On February 8, 2024 we released an updated version of the Apigee APIs.

API support for update operations on KeyValueMap entries

Starting with this release, the Apigee APIs support update operations for KeyValueMap entries. See the API reference page for REST Resource: organizations.environments.keyvaluemaps.entries for information.

February 02, 2024

On February 2, 2024, we released an updated version of Apigee.

We modified or added these limits:

  • Changed the maximum API proxy endpoints per API proxy from 5 to 10
  • Specified the maximum API base paths per organization as 21,250

See the Limits page for details.

February 01, 2024

On February 1, 2024, we released an updated version of Apigee.

With this release, Apigee API Management organizations with Pay-as-you-go pricing provisioned before October 1, 2023, will be converted to Pay-as-you-go organizations that use updated attributes for pricing.

Prior to the conversion, these organizations were billed for API runtimes based on Apigee gateway node usage and the total number of API requests processed by Apigee analytics.

Once converted, these organizations will be billed for the following:

  • Volume of API calls processed by a given proxy type
  • Usage of deployment environments (per hour per region)
  • Usage of additional deployment units (API proxies or shared flows)
  • Any additional add-on capabilities (Advanced API security, Monetization, Analytics)

The conversion process is expected to last about 5 minutes and traffic will continue to be processed normally during this time. If proxy revision deployments are interrupted during this time frame, revisions can be deployed after conversion completes.

The Apigee API Analytics add-on will be enabled by default in converted organizations.The Analytics add-on can be disabled after the pricing change if it is not required.

For more information on the updated pricing and enhanced features now available for these organizations, see Pay-as-you-go (updated attributes) overview.

Updated pricing attributes will be reflected in March invoices. For billing questions related to this change, contact Google Cloud Billing support.

January 22, 2024

On January 22, 2023, we released an updated version of Apigee (1-11-0-apigee-14).

Note: Rollouts of this release to production instances will begin within two business days and may take four or more business days to be completed across all Google Cloud zones. Your instances may not have the features and fixes available until the rollout is complete.

Bug ID Description
316093865 Fixed issue where empty LoadBalancer configuration in the Target Endpoint results in a failed proxy deployment with NullPointerException.
312966965 Resolved proxy chaining issue resulting in incorrect post-target service callout hostnames.
318909276 Fixed issue withLookupCache policy failures under certain circumstances.
262071551 Resolved issue with the use of combinators such as allOf in the OASValidation Policy.
311049371 Resolved issue causing SSL error in proxy chaining and path chaining flows.
308196929 Use of target.header.host flow variable with gRPC targets is now fixed.

December 15, 2023

On December 15, 2023, we released an updated version of Apigee.

Update Pay-as-you-go environment types with Apigee APIs.

Use Apigee APIs to upgrade or downgrade the type of an existing environment to add or remove feature capabilities and manage your Apigee Pay-as-you-go billing and resource usage. For more information, see Update Pay-as-you-go environment types.

Apigee Advanced API Security add-on for Pay-as-you-go organizations is generally available (GA).

With this release, Apigee Advanced API Security is available as a paid add-on capability for Pay-as-you-go organizations. The add-on can be enabled in any Apigee Intermediate or Comprehensive environment from the Apigee UI in Cloud Console or using the Apigee APIs. For more information, see Manage the Advanced API Security add-on.

December 13, 2023

On December 13, 2023, we released an updated version of Apigee.

Note: Rollouts of this release to production instances will begin within two business days and may take four or more business days to be completed across all Google Cloud zones. Your instances may not have the features and fixes available until the rollout is complete.

You can now restrict the creation of Apigee location based resources (Organization, Instances and EndpointAttachments) to specific locations using an Organization Policy Service constraint. This feature is generally available. To learn more, see Restricting Resource Locations.

Apigee now supports data residency. Data residency for Apigee meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Apigee data is stored. See Introduction to data residency.

Apigee now supports Forward Proxying. Forward Proxying provides the ability to forward traffic received in a particular environment to a specified URI. See Forward proxying.

Apigee now supports CMEK for the control plane. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK). See Introduction to CMEK.

December 07, 2023

On December 7, 2023, we released an updated version of Apigee X.

General Availability (GA) of Apigee gRPC passthrough

Apigee's gRPC proxy passthrough functionality provides the ability to create proxies which receive gRPC client requests and pass them through to a gRPC target server.

For information, see Creating gRPC API proxies.

December 01, 2023

On December 1, 2023, we released an updated version of Apigee (1-11-0-apigee-8).

Note: Rollouts of this release to production instances will begin within two business days and may take four or more business days to be completed across all Google Cloud zones. Your instances may not have the features and fixes available until the rollout is complete.

Dynamic endpoint target metrics aggregated into a single metric.

With this release, all request, response, and latency target metrics for dynamically-configured endpoints are aggregated and presented as a single metric per proxy, using the endpoint label Dynamic Target. This feature does not change monitoring behavior for statically configured endpoints.

Bug ID Description
294882858 Fixed issue with ServiceCallout policy overriding target_ip value in proxy.
279037851 Improved performance when running debug sessions with masked payload.
312026988 Resolved possible usage counting issue for monetization prepaid developers using proxies with multiple proxy endpoints configured.

November 10, 2023

As of November 10, 2023, Configurable API Proxies (preview) is no longer available. For more information, see Configurable API Proxies (preview) deprecation.

On November 10, 2023 we released an updated version of Apigee.

Apigee is now available in a new region: Middle East - Dammam (me-central2).

See Apigee locations for more information about available regions.

November 03, 2023

On November 3, 2023, we updated the following security bulletin:

Bug ID Description
304599411 Security bulletin updated
GCP-2023-32
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the Apigee Ingress (Anthos Service Mesh) server used by Apigee X. The vulnerability could lead to a DoS of Apigee API management functionality.

The shutdown of the Configurable API Proxy (Preview) feature is approaching. On or after November 10, 2023, the preview feature will no longer be available. For more information, see Configurable API proxies (preview) deprecation.

October 24, 2023

On October 24, 2023, we released an updated version of Apigee (1-11-0-apigee-7).

Note: Rollouts of this release to production instances will begin within two business days and may take four or more business days to be completed across all Google Cloud zones. Your instances may not have the features and fixes available until the rollout is complete.

With this release, the HeaderName element is available as a child element of Authentication. This element appears in the ServiceCallout and ExternalCallout policies, and in the TargetEndpoint proxy configuration.

By default, when an Authentication configuration is present, Apigee generates and injects a bearer token into the Authorization header, in the message sent to the target system. The new HeaderName element allows the configuration to specify the name of a different header to hold that bearer token.

Bug ID Description
294293907 Fixed issue with Google authentication for gRPC-based target servers.
292454825 Fixed issue causing Null Pointer Exception when creating or updating an API product.
291784631 Implemented fix to permit the use of hyphens (-) in flow variables used to define target URLs in <HTTPTargetConnection>.
267229604 Fixed issue where updates to a TLS truststore reference were not reflected for in-use southbound target server connections.
277353680 Fixed issue causing target server HealthMonitors to continue beyond revision or deletion of the proxy.

Target health checks are now terminated as soon as the proxy is removed from the runtime (undeployed or deleted). Note: There may be a delay between removal of the proxy and termination of the target server health checks.

N/A Upgraded infrastructure and libraries.

October 19, 2023

On October 19, 2023, we released an updated version of Apigee

Looker Studio Integration

This release includes the public preview of Looker Studio Integration, which connects Apigee data to Google's Looker Studio. Looker Studio is a powerful and flexible tool that you can use to display Apigee data in fully customizable dashboards and reports.

October 13, 2023

On October 13, 2023, we released an updated version of Apigee (1-11-0-apigee-6).

Bug ID Description
304681330 Security fix for apigee-ingress.
This addresses the following vulnerability:
CVE-2023-44487
305127632 Security bulletin published.
GCP-2023-032

Description

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the Apigee Ingress (Anthos Service Mesh) server used by Apigee X. The vulnerability could lead to a DoS of Apigee API management functionality.

Affected Products

Deployments of Apigee X that are accessible through a Google Cloud Network Load Balancer (Layer 4), or a custom layer 4 load balancer, are affected. A hotfix is being applied to all Apigee X instances. Your Apigee X instances will be automatically updated within the next few days.

Unaffected products

Apigee X instances which are accessed only via Google Cloud Application Load Balancers (Layer 7) are not affected. This includes deployments that have HTTP/2 enabled for gRPC proxies.

What Should I Do?

All Apigee X instances will be automatically updated within the next few days. Customers do not need to take any actions.

What Vulnerabilities Are Addressed By These Patches?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Apigee ingresses.

September 29, 2023

On September 29, 2023, we released an updated version of Apigee.

New attributes for Pay-as-you-go pricing are generally available (GA).

Apigee updated its Pay-as-you-go pricing model, making it possible for customers to onboard at a significantly reduced initial cost and right-size their ongoing expenses to usage.

To learn more about the updated Pay-as-you-go pricing experience, see Pay-as-you-go (updated attributes) pricing overview.

Standard and extensible API proxies are generally available (GA).

Standard and extensible API proxies are generally available for use with Apigee organizations.

For more information about standard and extensible API proxies, see API proxy types.

HTTPModifier and ReadPropertySet policies and templating support for message elements are generally available (GA).

The HTTPModifier policy can change an existing request or response message and provides a subset of the functionality already available in the AssignMessage policy. See HTTPModifier policy.

The ReadPropertySet policy reads property sets and populates flow variables with the results. See ReadPropertySet policy.

HTTPModifier and ReadPropertySet are standard policies. Proxies built exclusively with standard policies are called standard proxies and can be deployed to any environment type. See Pay-as-you-go (updated attributes) pricing overview.

With this release, template support for message elements is also generally available. See URL templating.

New environment types are generally available (GA).

With this release, Apigee introduces three distinct environments that have access to varying degrees of Apigee capabilities and costs: Base, Intermediate, and Comprehensive.

For more information, see Apigee Pay-as-you-go environment types.

Apigee API Analytics add-on for Pay-as-you-go organizations is generally available (GA).

With this release, Apigee API Analytics is available as a paid add-on capability for Pay-as-you-go organizations. The add-on can be enabled in any Apigee Intermediate or Comprehensive environment. For more information, see Manage the Apigee API Analytics add-on.

One click provisioning for Apigee Pay-as-you-go organizations is generally available (GA).

Simplify your onboarding experience with one click provisioning for new Pay-as-you-go organizations, using smart default configurations. To learn more, see Provision Apigee with one click.

Updated pricing attributes in Subscription plans are available.

To get started with subscription plans that include new pricing attributes (consistent with Pay-as-you-go pricing), contact your Google Cloud sales specialist.

For more information, see Apigee Subscription 2024 entitlements. Apigee hybrid is not available in the new subscription plan at this time.

This note is incorrect; see entry for May 17, 2024.

September 19, 2023

On September 19, 2023, we released an updated version of Apigee X (1-11-0-apigee-5).

Bug ID Description
296296456 Implemented fix to ensure that continueOnError is honored in the SpikeArest policy.
229615887 The flow variable target.scheme is now set consistently with the target server URL.
78106145 Fixed issue in the RegularExpressionProtection policy to ensure that multiple JSONPaths elements in a JSON payload are checked.
294090782 Implemented fix to allow the Apigee runtime to connect to a target server using a wildcard CNAME that references a wildcard A record.
285592278 Fixed issue with deduction of recurring fees from prepaid balances.

This note is incorrect; see entry for March 26, 2024.

N/A Upgraded infrastructure and libraries.
Bug ID Description
296506425, 295936113, 295925991, 295688738, 296110120, 281112632 Security fix for apigee-runtime.
This addresses the following vulnerabilities:
287218068 Fixed security vulnerability to prevent header injection using flow variables.

August 15, 2023

On August 15, 2023, we released an updated version of Apigee X (1-11-0-apigee-1).

Bug ID Description
155498623 XPaths in maskconfigs now mask values with special characters.
291746838 Implemented fix to prevent service callouts from overwriting timeouts on clients used by other policies or target endpoints.
274663992 Fixed issue in AccessControl policy to avoid race condition.
294441215 Implemented fix to resolve quota count in the Quota policy.
287659763 Fixed issue causing incorrect target endpoint URLs to display in debug sessions.
283285631 Fixed issue where base environment debug sessions were not recorded for Pay-as-you-go (updated attributes) organizations.
196216798 Fixed issue with access to monetization flow variables in the post client flow.
N/A Upgraded infrastructure and libraries.
Bug ID Description
281112632, 294892189 Security fix for apigee-runtime.
This addresses the following vulnerability:
294891556 Security fix for apigee-emulator, apigee-mock-server, and apigee-runtime.
This addresses the following vulnerability:
287207717 Fixed sandbox bypass vulnerability.
286993631 Fixed message template injection vulnerability.

August 14, 2023

On August 14, 2023, we released an updated version of Apigee X.

This release includes a major redesign of the Advanced API Security scores page in the Apigee UI in Cloud console. The Security scores page now:

  • Highlights the top recommendations for improving security scores.
  • Links directly to the Apigee UI Proxy Editor and Target Server tabs , where you can implement recommended changes to your API proxies and target servers.

August 09, 2023

The Apigee documentation site navigation has been updated to be more consistent with other Google Cloud product documentation sites. The changes include:

  • Added a new Overview tab that provides links to Apigee documentation, training and tutorials, use cases, and videos.
  • Moved the Getting started tab content to the Guides tab.

August 07, 2023

On August 7, 2023, we released an updated version of Apigee X (1-10-0-apigee-7).

Bug ID Description
N/A Upgraded infrastructure and libraries.

August 03, 2023

On August 3, 2023, we released an updated version of Apigee X.

Previously, Advanced API Security scores didn't evaluate proxies calling shared flows via flow hooks and the FlowCallout policy in the proxy. With this release, security scores take into account proxies calling shared flows this way. As a result, your security scores may change because they now factor in the shared flows in the environment.

July 24, 2023

On July 24, 2023, we released an updated version of Apigee X.

Public preview of Apigee gRPC passthrough

Apigee's new gRPC proxy passthrough functionality provides the ability to create proxies which receive gRPC client requests and pass them through to a gRPC target server.

For information, see Creating gRPC API proxies.

July 21, 2023

On July 21, 2023, we released an updated version of Apigee X.

The Advanced API Security Abuse detection Incident details page now displays unique IP addresses, even if more than one incident corresponds to the same IP address. Previously, the Incident details page could display the same IP address more than once for different incidents.

Also, the Attributes tab of the Incident details page no longer displays the following attributes:

  • Top App Key
  • Detected Rules
  • Top URL

July 20, 2023

On July 20, 2023, we released an updated version of Apigee X (1-10-0-apigee-6).

Bug ID Description
290943249 Fixed latency issue between Istio and runtime container.
205666368 Fixed issue with default validation of TLS target endpoint certificates.

To enable strict SSL on southbound connections to a proxy target endpoint, add the tag <Enforce>true</Enforce> in the target <SSLInfo> block.

For more information about using <Enforce>true</Enforce> in <SSLInfo>, see About setting TLS options in a target endpoint or target server.

Bug ID Description
290709899 Security fix for apigee-runtime.
This addresses the following vulnerability:
N/A Security fixes for apigee-redis and apigee-connect-agent.
These address the following vulnerabilities:
N/A Security fixes for apigee-connect-agent.
These address the following vulnerabilities:

July 12, 2023

On July 12, 2023, we released an updated version of Apigee X.

Preview release of non-VPC peering option for Apigee provisioning Apigee now supports a provisioning option that does not require VPC peering. With this approach, you are not required to provide networks and IP ranges during the Apigee provisioning process. Instead, you use Private Service Connect (PSC) for routing northbound traffic to Apigee and southbound traffic to target services running in your Google Cloud projects.

Non-VPC peering is supported for command-line (CLI) provisioning steps only. You can perform non-VPC provisioning for subscription, Pay-as-you-go, and evaluation installations of Apigee.

To learn more, see Apigee networking options.

July 10, 2023

On July 10, 2023, we released an updated version of Apigee X (1-10-0-apigee-5).

Bug ID Description
289254725 Implemented fix to prevent failure of proxy deployments that include the OASValidation policy.
N/A Upgraded infrastructure and libraries.
Bug ID Description
273693152 Fixed SAMLAssertion policy parsing to limit the number of entities that will be parsed to 10000.

Any attempt to parse more than 10000 entities will generate an error.

273695718 Fixed DataCapture policy to avoid evaluation of external entities during XML parsing for variable collection.
273929507 Fixed issue with potential Java security bypass in LookupCache policy.

Certain objects which implement PostDeserializer interface are now cached.

273950705 Fixed issue in PythonScript policy to prevent execution of arbitrary Java code.

With this fix, the runtime does not allow execution of python code added to a .js resource file.

July 06, 2023

On July 6, 2023, we released an updated version of Apigee X.

Preview release of Pay-as-you-go pricing with updated attributes

Apigee is updating its Pay-as-you-go pricing model, making it possible to start using Apigee at a significantly reduced initial cost and right-size ongoing expenses to match precise usage.

To learn how to get started with the updated Pay-as-you-go pricing experience, see Pay-as-you-go (updated attributes) pricing overview.

Preview release of new environment types

Apigee announces the Preview release of three distinct environment types: Base, Intermediate, and Comprehensive. Each environment type offers varying degrees of capabilities and costs; you can tailor pricing to suit your needs.

For more information, see Apigee Pay-as-you-go environment types.

Preview release of standard and extensible API proxies

Apigee announces the Preview release of standard and extensible API proxies, available for use with preview organizations using Pay-as-you-go (updated attributes) pricing.

For more information about standard and extensible API proxies, see API proxy types.

Preview release of new HTTPModifier and ReadPropertySet policies and templating support for message <URL> elements

Apigee announces the Preview release of the HTTPModifier and ReadPropertySet policies.

The HTTPModifier policy can change an existing request or response message and provides a subset of the functionality already available in the AssignMessage policy. See HTTPModifier policy.

The ReadPropertySet policy reads property sets and populates flow variables with the results. See ReadPropertySet policy.

HTTPModifier and ReadPropertySet are standard policies. Proxies built exclusively with standard policies are called standard proxies and can be deployed to any environment type. See Pay-as-you-go (updated attributes) pricing overview.

This release also includes template support for message <URL> elements. See URL templating.

June 27, 2023

On June 27, 2023 we released an updated version of Apigee X.

Public preview of AppGroups

Introduces the concept of AppGroups, which represent a relationship between one or more apps that are managed by the same set of people. For information, see Using AppGroups to organize app ownership.

Note that the purpose of this release is to support upgrades from Apigee Edge customers who used company-apps without monetization; however, it is available to any Apigee X/hybrid customer during the public preview stage.

June 20, 2023

On June 20, 2023, we released an updated version of Apigee X (1-10-0-apigee-4).

Bug ID Description
284114575 Implemented fix to prevent the execution of untrusted code in Apigee policies.
279092925 Modified Cloud Logging policy to improve runtime performance.
186885918 Disabled access to external entities in XML parsing.
270764083 Default expiration for refresh tokens set to 30 days if not explicitly set in the OAuth policy.
N/A Upgraded infrastructure and libraries.
Bug ID Description
273801301 Security fix for apigee-diagnostics-collector, apigee-mart-server, apigee-runtime, and apigee-synchronizer.
This addresses the following vulnerabilities:
281561243 Security fix for apigee-diagnostics-collector, apigee-mart-server, apigee-runtime, and apigee-synchronizer.
This addresses the following vulnerabilities:

May 17, 2023

On May 17, 2023, we released an updated version of Apigee X (1-10-0-apigee-1).

Bug ID Description
N/A Upgraded infrastructure and libraries.
280695936 Fixed issue with incomplete removal of form parameters when using the <Remove> element in the Assign Message policy to delete headers and form parameters simultaneously.
271217050 Fixed issue resulting in missing execution records in debug sessions for the JavaCallout policy.
271894110, 273568673, 273571029 Fix enables support for TLS 1.3 for southbound targets.
271539836 Fixed intermittent Cloud Logging failures.
277090269 Fixed encryption of internal proxy chaining headers to avoid proxy invocation misuse.
273561434 Fixed issue with incomplete debug session information for proxies deployed in the same environment.
158132963 Improved capture of relevant target flow variables in trace and analytics in the event of target timeouts.
271093461 Fixed issue with heap exhaustion when using OASValidation policy.
269514256 Fixed issue causing GoogleTokenGeneration failure.
261924658 Optimization to reduce latency in Quota policy.
252864240 Fixed issue to support bot detection with Analytics obfuscation enabled.
222024484 CORS policy now returns Access-Control-Allow-Credentials header in preflight response when <AllowCredentials> is set to true.
261205290 Optimization to reduce resource usage on Cassandra connections.
266814873 Fixed issue with retrieval of environment-scoped KVM entries containing encryption keys with non-UTF-8 characters.
260342163 Fixed issue causing 100% CPU usage by runtime pod threads under specific circumstances.
273800523, 273800717 Security fixes for Apigee.

The fixes address the following vulnerabilities:

Fixed issue with incomplete removal of form parameters when using the <Remove> element in the Assign Message policy to delete headers and form parameters simultaneously.

This fix may result in a breaking change for any customer employing an antipattern that attempts to access a form parameter after using the <Remove> element to delete the same form parameter and headers simultaneously in the policy flow.

For more information on the recommended steps for setting and removing form parameters and headers using the Assign Message policy, see the updated documentation for the Assign Message policy examples.

April 26, 2023

Effective May 31, 2023, the default value for the OAuthv2 policy RefreshTokenExpiresIn element has new behavior. Starting May 31, RefreshTokenExpiresIn defaults to 2592000000 ms (30 days) for all policies where this element is not set.

For information on this element, see RefreshTokenExpiresIn.

April 20, 2023

On April 20, 2023 we released an updated version of Apigee.

This release contains a new Advanced API Security Detected Traffic view, which displays information about API traffic originating from detected bots. This information was previously displayed in the Abuse metrics section of the Security scores view.

April 17, 2023

On April 17, 2023, we released an updated version of Apigee X (1-9-0-apigee-25).

Bug ID Description
N/A Upgraded infrastructure and libraries.

April 13, 2023

On April 13, 2023, we released an updated version of Apigee.

New features now supported in Apigee in VS Code for local development

The following features are now supported with Apigee in VS Code for local development as part of the Insiders build (as of v1.22.1-insiders.3):

  • Create multi-repository workspaces - Choose individual storage locations for artifacts, such as API proxies that are stored as individual SCMs, but develop them together using a single workspace. You no longer have to create a single repository that contains all of your API proxies. See Understanding the structure of an Apigee multi-repository workspace.
  • Use keystore - Introduces a new environment-level setting for creating the required keystores in the Apigee Emulator by using locally available keys. See Configuring the keystrokes (keystores.json).
  • Test API proxies that require service accounts (for example, calling a cloud logging process as part of an API proxy flow) - Set up your Apigee Emulators with a service account key to enable service accounts, add policies and targets that rely on service accounts, and deploy the API proxies to the Apigee Emulator to test them. See Customizing the Apigee Emulator to support service account-based authentication.

March 23, 2023

On March 23, 2023, we released an updated version of Apigee.

Public preview release of Advanced API Security abuse detection

Advanced API Security's new abuse detection feature lets you view security incidents involving your APIs. Abuse detection uses Google's machine learning algorithms to detect API traffic patterns that are a sign of malicious activity targeting your APIs.

Abuse detection includes two new types of detection rules powered by machine learning models:

  • Advanced Anomaly Detection: Detects unusual patterns of API traffic.
  • Advanced API scraper: Detects attempts to extract information from APIs for malicious purposes.

The two new detection rules, Advanced Anomaly Detection and Advanced API Scraper, are not available for organizations with VPC Service Controls. We are actively working to resolve this issue.

March 22, 2023

On March 22, we released an updated version of Apigee X.

Customize SSL certs for access routing when provisioning Apigee Pay-as-you-go organizations.

Users can now select existing self-managed SSL certs when customizing access routing during Apigee Pay-as-you-go provisioning. For more information, see Step 4: Customize access routing .

Receive Cloud console notifications when Pay-as-you-go provisioning completes.

While provisioning is in progress, users can navigate away from the Apigee provisioning page and monitor notifications in the Cloud console for updates when provisioning completes.

March 17, 2023

On March 17, we released an updated version of Apigee X (1-9-0-apigee-23).

With this release we removed certain insecure TLS ciphers for northbound traffic. You can find the full list of supported ciphers in the FIPS build of Envoy.

Note: Apigee only supports the RSA ciphers listed. ECDSA ciphers are not supported.

Bug ID Description
N/A Upgraded infrastructure and libraries.

February 08, 2023

On February 8, we released an updated version of Apigee X (1-9-0-apigee-21).

The VerifyAPIKey policy and the VerifyAccessToken action of the OAuth2 policy now support CacheExpiryInSeconds. Setting this variable enforces TTL on the cache and enables customization of the time period for cached token expiry.

Bug ID Description
181569522 Fixed the environment recreate scenario without manual cleanup.
217173784 The HMAC.policy-name.error variable is populated for HMAC failing policies.
257268790 Fixed bug where invalid proxy configuration halted Message Processor boot up.
250638658 Fixed the SetIntegrationRequest policy that fails if the JSON payload contains {foo}.
265204739 Set externalTrafficPolicy:local as default for Apigee X instances to mitigate 502 errors.
N/A Upgraded infrastructure and libraries.

December 08, 2022

On December 8, we released an updated version of Apigee X.

GA release of Simplified Onboarding for Apigee X (Pay-as-you-go) in the Google Cloud console.

With this release, new Apigee customers using Pay-as-you-go pricing can quickly configure Apigee using a simplified onboarding flow accessible from the Google Cloud console.

  • The new onboarding UI provides stepped navigation consistent with other products available in the console.
  • Apigee X (Pay-as-you-go) provisioning is simplified but remains flexible. Default settings are provided, with the option to customize as needed.
  • Improved contextual help streamlines decision-making during onboarding.

See Before you begin and Get started in the Cloud Console for more details on provisioning Apigee X with Pay-as-you-go pricing from the Google Cloud console.

November 18, 2022

On November 18, 2022, we released an updated version of Apigee X (1-9-0-apigee-16).

Bug ID Description
257268790 There is an edge case scenario where an invalid resource or bundle configuration resulting in unhandled exception will result in failure that leads to restart of runtime pods or bootup of new runtime pods.

November 04, 2022

On November 4, 2022 we released an updated version of Apigee X.

Apigee support for using Private Service Connect (PSC) for client-to-Apigee (northbound) traffic is now GA. In addition, we now support using PSC for northbound routing in multi-region configurations. For details, see Expanding Apigee to multiple regions. See also Northbound networking with Private Service Connect and Migrate northbound routing to Private Service Connect.

October 27, 2022

On October 27, 2022 we released an updated version of Apigee X.

This release contains the General Acceptance (GA) release of Advanced API Security, which:

  • Detects unwanted requests sent to your APIs, including attacks by bots or other malicious agents.
  • Evaluates the security of your API configurations and provides recommendations for improvements.

Advanced API Security is a paid add-on to Apigee. You can try out Advanced API Security for free in any trial org—follow the procedure described in Enable Advanced API Security. Contact Apigee to learn more.

October 24, 2022

On October 24, 2022, we released an updated version of Apigee X (1-9-0-apigee-5).

Some runtime error messages have been improved with a reason code. To display only the error codes with a reason code, scroll down to Search and type reason. The error catalog filters the view.

See: Runtime error catalog

Bug ID Description
252818300 Fixed issue with failing web socket connections.
249580739 This feature introduces a new filter-based mechanism to display API products.
249521773 Endpoint attachment ID naming convention change. The ID must start with a lowercase letter followed by up to 31 lowercase letters, numbers, or hyphens, and cannot end with a hyphen. The minimum length is 2. See Create an endpoint attachment.
249069616 Fixed issue where error in DebugSession could interrupt runtime flow.
248631925 The Developer List API has been enhanced to support pagination in a Google-wide consistent pattern.
247540503 Race condition with encryption key lookup causing KVM lookup failures.
246774745 io.timeout.millis not honored, causing 504 Gateway timeout for dynamic targets.
246193561 Disabling/Destroying of customer cloud KMS key impacted the runtime after 5 minutes and data that was encrypted with the key could not be accessed by Apigee data plane.
241786534 MART is able to send logs to UDCA successfully now.
240618523 Dynamically setting target.url now supports websocket protocols (ws and wss)
218567150 X-request-id headers modified at 14th character.
206879901 Fixed issue where Response headers were not visible from debug screen.
173566787 Message Processors behavior is changed. Message Processors will now reuse existing target IP addresses once if DNS resolution fails during DNS cache refresh
159599332 The flow variable servicecallout.requesturi reflects appropriately if the URI is constructed using multiple variables.
N/A Upgraded infrastructure and libraries
Bug ID Description
204965286 Security fix for CVE-2022-25647
193613381 Security fix for CVE-2021-21290 in netty-transport

October 06, 2022

On October 6, 2022, Apigee announced the GA launch of Cloud Monitoring for Apigee gateway node usage for Pay-as-you-go customers.

The availability of Apigee gateway node usage metrics in Cloud Monitoring enables Pay-as-you-go customers to view node usage, create dashboards, and configure alerting policies using Cloud Monitoring interfaces. For more information, see View usage and estimate your bill.

September 26, 2022

Availability of scripts to recreate Apigee instances created before January 25, 2022.

If you have an Apigee instance that was created before January 25, 2022, Apigee recommends that you replace it with a new instance. If you do not recreate the older instance, you may experience scaling issues and the number of environments you can add to an instance will continue to be limited to 10.

For more information and detailed instructions, see Recreating an Apigee instance with zero downtime

September 14, 2022

On September 14, 2022 we released an updated version of the Apigee X software.

When using local development with Apigee in VS Code, the following pre-release features are available as part of the Insiders build (v1.21.0 and higher):

September 09, 2022

On September 09, 2022, we released an updated version of Apigee X.

With this release, Apigee support for Private Service Connect (PSC) is GA. PSC allows you to privately connect Apigee to target services running across VPC networks in addition to the peered network. For more information, see Southbound networking patterns.

August 30, 2022

On August 30, 2022, Apigee announced the GA launch of Pay-as-you-go pricing, a consumption-based model for Google's Apigee Platform.

When you use Pay-as-you-go pricing for Apigee, you are charged for the following:

  • The number of Apigee gateway nodes in the Apigee organization
  • The number of API requests processed by Apigee Analytics services
  • The amount of network usage

For more information, see the Pay-as-you-go overview and the Pay-as-you-go Example pricing.

With this release, the Apigee Pay-as-you-go pricing model includes a maximum Apigee gateway node count of 1,000 across all environments in a region.

August 22, 2022

On August 22, 2022, we released an updated version of Apigee X (1-8-0-apigee-33).

Bug ID Description
N/A Upgraded infrastructure and libraries

Value of io.timeout.millis is not honored when used with multiple dynamic targets.

If a proxy sets two or more io.timeout.millis values in two or more flows using the same target host, only one io.timeout.millis value is honored.

August 11, 2022

On August 11, 2022 we released an updated version of Apigee X.

This release contains the new Abuse page in Advanced API Security, which displays information about bots that have been detected by analysis of your API traffic. The Abuse page displays the IP addresses of detected bots, as well as their locations, the bot rules that led to their detection, and other details.

July 25, 2022

On July 25, 2022, we released an updated version of Apigee X (1-8-0-apigee-23).

Bug ID Description
N/A Upgraded infrastructure and libraries

July 21, 2022

On July 21, 2022 we released an updated version of Apigee X.

The Advanced API Security's target assessment, which evaluates the security of target servers in your API, is now available. See Security scores in the Apigee UI to learn more.

June 30, 2022

On June 30, 2022 we released an updated version of Apigee X.

This release contains the Public Preview of Advanced API Security, which protects your APIs from unwanted requests, including attacks by malicious clients such as bots, and evaluates the security level of your API configurations.

Advanced API Security lets you:

  • Create security reports to detect bots and other threats to your APIs.
  • View security scores, which rate the security of your APIs and provide recommendations for improving security.

June 21, 2022

On June 21, 2022, we released an updated version of Apigee X (1-8-0-apigee-18).

Bug ID Description
234355351 Fixed issue with message processor pods restarting frequently. Added backoff polling task for Cloud KMS key listener. The listener is paused only when the flush policy is met.
N/A Upgraded infrastructure and libraries.

June 02, 2022

On June 2, 2022, we released an updated version of Apigee X.

Apigee X APIs for managing key value entries in a key value map scoped to an organization, environment, or API proxy are now available. For more information, see the Apigee API reference documentation.

May 23, 2022

On May 23, 2022, we released an updated version of Apigee X (1-8-0-apigee-9).

Bug ID Description
N/A Upgraded infrastructure and libraries

May 09, 2022

On May 9, 2022 we released an updated version of the Apigee X software (1-8-0-apigee-5).

The GoogleIDToken.Audience tag now includes the useTargetUrl attribute to simplify audience configuration of Google ID tokens for Apigee policies.

Bug ID Description
221292104 Fix to address failure to capture requests in Debug sessions involving PostClientFlow ServiceCallouts.
228855520 Upgraded ASM to the latest version.
Bug ID Description
217497793 A security issue was addressed.

April 22, 2022

On April 22, 2022 we released an updated version of the Apigee X software (1-7-0-apigee-34).

Bug ID Description
N/A Upgraded infrastructure and libraries

March 31, 2022

On March 31, 2022, we released an updated version of Apigee X.

You can now use Private Service Connect (PSC) to connect to Apigee. This architectural pattern eliminates the need to create managed instance groups to forward requests from the global load balancer to Apigee. For details, see Using Private Service Connect.

March 29, 2022

On March 29, 2022, we released an updated version of Apigee X (1-7-0-apigee-28).

Bug ID Description
N/A Upgraded infrastructure and libraries

March 28, 2022

On March 28, 2022 we released an updated version of Apigee X.

You can now use Private Service Connect (PSC) to connect Apigee with backend target services running in VPC networks other than the one that is peered with your Apigee organization. For details, see Southbound networking patterns.

March 22, 2022

On March 22, 2022, we released an updated version of the Apigee X software.

Support for conditions in IAM policies

You can add resource conditions in your IAM policies. A resource condition lets you have granular control over your Apigee resources. For more information, see Adding resource conditions in IAM policies.

March 15, 2022

On March15, we released version 1.7x of Apigee X (1-7-0-apigee-22).

GraphQL policy now supports JSON-encoded payloads.

KVM pagination support now available (via the API only).

Note: When using the GraphQL policy, you can only provide one graphQL schema for verification in an environment.

Bug ID Description
209622008 Dynamic updates to rate in spike arrest are now reflected immediately.
219523719 Fix to address CPU and memory consumption when debug-session is enabled with response-status as the filtering criteria.

March 03, 2022

On March 3, 2022, we released new features for the Public Preview of configurable API proxies. To learn more, see Introduction to configurable API proxies.

HTTP request transforms are now available for use with configurable API proxies.

With HTTP request transforms, configurable API proxy developers can quickly rewrite HTTP request paths, header, and query parameters using HTTP Request Transforms. Rewriting is enabled using a simple configuration that can reference incoming path template segments, header values, or query parameter values.

For more information, see HTTP request transforms for configurable proxies.

Google authentication for securing targets is now supported when using configurable API proxies.

With this feature, configurable API proxy developers can secure their Google backend services using Google OAuth and automatically grant access to authorized API consumers. This offers the advantage of seamless integration with other Google services, without requiring API producers to manage private keys.

For more information, see Securing targets for configurable proxies.

Southbound mTLS can be enabled for use with configurable API proxies .

By adding south bound mTLS functionality to configurable proxies, Apigee customers can seamlessly maintain their current usage of mTLS when transitioning to the use of configurable proxies, or increase security for communications between existing configurable proxies and their backends.

For more information, see Enable south bound mTLS for configurable proxies.

Configurable API proxies now support the use of template variables.

Apigee property sets can be used to specify template variables for configurable API proxies in archive deployments. This feature enables customers to use string templates in their proxy configuration YAML files.

For more information, see Template variables for configurable proxies.

February 15, 2022

On February 15, 2022 we released an updated version of the Apigee X software.

Backend target routing with Private Service Connect

You can now use Private Service Connect (PSC) to connect Apigee with backend target services running in VPC networks other than the one that is peered with your Apigee organization. For details, see Southbound networking patterns.

February 08, 2022

On February 8, 2022 we released an updated version of the Apigee X software.

Bug ID Description
N/A Upgraded infrastructure and libraries

January 28, 2022

On January 28, 2022 we released an updated version of the Apigee X software.

UI updates for service networking and instance creation

UI updates were made to support changes to network IP CIDR range requirements for service networking and instance creation. These changes simplify Apigee provisioning.

January 24, 2022

On January 24, 2022 we released an updated version of the Apigee X software.

Reduce the IP range required to peer your VPC network

The required IP range needed to peer your VPC network to the Apigee network is now limited to a non-overlapping CIDR range of /22. This change simplifies Apigee provisioning. Note that the provisioning step for service network configuration has been updated to reflect this change. For more information, see Understanding peering ranges.