This section describes using Apigee Connect for communication between the hybrid management
plane and the MART service in the runtime plane.
Introduction
Apigee Connect allows the Apigee hybrid management plane to connect securely to the MART service in
the runtime plane without requiring you to expose the MART endpoint on the internet. If you use
Apigee Connect, you do not need to configure the MART ingress gateway with a host alias and an
authorized DNS certificate.
Configuring Apigee connect
Configure Apigee connect in your overrides with the connectAgent configuration property.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eApigee Connect enables secure communication between the Apigee hybrid management plane and the MART service in the runtime plane without exposing the MART endpoint to the internet.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring Apigee Connect involves using the \u003ccode\u003econnectAgent\u003c/code\u003e property in your overrides file and the \u003ccode\u003eapigee-mart\u003c/code\u003e service account with the \u003ccode\u003eroles/apigeeconnect.Agent\u003c/code\u003e role.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003econnectAgent.serviceAccountPath\u003c/code\u003e or \u003ccode\u003econnectAgent.serviceAccountRef\u003c/code\u003e properties specify the \u003ccode\u003eapigee-mart\u003c/code\u003e service account key, or alternatively, the key can be stored in Hashicorp Vault.\u003c/p\u003e\n"],["\u003cp\u003eEnabling the Apigee Connect API in the Google Cloud API Library is a prerequisite, and applying the configuration changes is done using the \u003ccode\u003ehelm upgrade\u003c/code\u003e command with the \u003ccode\u003eapigee-org\u003c/code\u003e chart.\u003c/p\u003e\n"],["\u003cp\u003eApigee Connect uses the \u003ccode\u003egcr.io/apigee-release/hybrid/apigee-connect-agent:1.3.6\u003c/code\u003e image, and its logs can be checked with \u003ccode\u003ekubectl logs\u003c/code\u003e, offering audit log categories like \u003ccode\u003eDATA_READ\u003c/code\u003e and \u003ccode\u003eDATA_WRITE\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Apigee Connect\n\n| You are currently viewing version 1.13 of the Apigee hybrid documentation. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nThis section describes using Apigee Connect for communication between the hybrid management\nplane and the MART service in the runtime plane.\n\nIntroduction\n------------\n\nApigee Connect allows the Apigee hybrid management plane to connect securely to the MART service in\nthe runtime plane without requiring you to expose the MART endpoint on the internet. If you use\nApigee Connect, you do not need to configure the MART ingress gateway with a host alias and an\nauthorized DNS certificate.\n\nConfiguring Apigee connect\n--------------------------\n\n\nConfigure Apigee connect in your overrides with the [`connectAgent`](/apigee/docs/hybrid/v1.13/config-prop-ref#connectagent) configuration property.\n\n### Service account\n\n\nApigee connect uses the [`apigee-mart`](/apigee/docs/hybrid/v1.13/mart-service-account) service account. This service account requires the Apigee Connect Agent `roles/apigeeconnect.Agent` role. See [Service accounts and roles used by hybrid components](/apigee/docs/hybrid/v1.13/sa-about#recommended-sas).\n\n\nUse the [`connectAgent.serviceAccountPath`](/apigee/docs/hybrid/v1.13/config-prop-ref#connectagent-serviceaccountpath) or [`connectAgent.serviceAccountRef`](/apigee/docs/hybrid/v1.13/config-prop-ref#connectagent-serviceaccountref) configuration properties to specify the `apigee-mart` service account key. Alternatively you can [store the service account key in Hashicorp Vault](/apigee/docs/hybrid/v1.13/storing-sa-keys-in-vault).\n\n### API\n\n\nApigee Connect requires the **Apigee Connect API** in the [Google Cloud API Library](/apigee/docs/hybrid/v1.13/cloud.google.com/endpoints/docs/openapi/enable-api). For instructions on enabling APIs in the Google Cloud console, see [Step 3: Enable APIs](/apigee/docs/hybrid/v1.13/precog-enableapi).\n\n### Applying Apigee connect configuration\n\n\nApply changes to the Apigee connect configuration with the `apigee-org` chart with the following command: \n\n```\nhelm upgrade ORG_NAME apigee-org/ \\\n --namespace apigee \\\n --atomic \\\n -f OVERRIDES_FILE.yaml\n```\n| **Note:** If you see an error saying `Error: UPGRADE FAILED: \"`*ORG_NAME*`\" has no deployed releases`, replace `upgrade` with `install` and try the command again.\n\n### Image\n\n\nApigee connect uses the `gcr.io/apigee-release/hybrid/apigee-connect-agent:1.13.4` image. If you want to use a private image repository, see [Use a private image repository with Apigee hybrid](/apigee/docs/hybrid/v1.13/container-images).\n\nChecking Apigee connect logs\n----------------------------\n\n\nCheck the Apigee Connect Agent log. \n\n```\nkubectl logs -n namespace apigee-connect-agent-pod-name\n```\n\nThe Apigee Connect Agent reports the following log categories: \n\nFor help on viewing audit logs in Apigee hybrid see [Audit logging information](/apigee/docs/hybrid/v1.13/audit-logging-info).\n\nYou can set the level of logging with the [`connectAgent.logLevel`](/apigee/docs/hybrid/v1.13/config-prop-ref#connectagent-loglevel) configuration property."]]
