# Enable non-SNI and HTTP clients

You are currently viewing version 1.11 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).

This topic explains how to enable non-SNI clients, HTTP clients, and a combination of both for use with Apigee hybrid.

How to configure a non-SNI client
---------------------------------

This section explains how to enable support for non-SNI ([Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication)) clients in Apigee hybrid. Non-SNI client support uses port 443 and is required if you want to integrate hybrid runtime instances with Google [Cloud Load Balancing](https://cloud.google.com/load-balancing/docs), or if you have clients that do not support SNI.

1. Create an ApigeeRoute custom resource definition (CRD). Be sure that `enableNonSniClient` is set to `true`:

    ```yaml
    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 443
        protocol: HTTPS
        tls:
          credentialName: credential_name
          mode: SIMPLE
          # optional
          minProtocolVersion: TLS_AUTO
      selector:
        app: apigee-ingressgateway
      enableNonSniClient: true
    ```

    Where:
    - `route_name` is the name you give to the custom resource (CR).
    - `credential_name` is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following `kubectl` command:

        ```
        kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName
        ```
    - `hostnames` must be set to the wildcard "*". **Note:** Do not create two ApigeeRoute objects with a wildcard "*" hostname.
2. Open your overrides file and make the change described in the next step.
3. For each environment group, add the ApigeeRoute name to the `additionalGateways` property. For example:

    ```yaml
    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]
    ```
4. Save the CRD file. For example: `ApigeeRoute.yaml`
5. Apply the CRD to the cluster:

    ```
    kubectl apply -f ApigeeRoute.yaml -n apigee
    ```
6. Apply the change to `virtualhosts`:

    ### Helm

    ```
    helm upgrade ENV_GROUP apigee-virtualhost/ \
      --namespace apigee \
      --atomic \
      --set envgroup=ENV_GROUP_NAME \
      -f OVERRIDES_FILE.yaml
    ```

    **Note:** If you see an error saying `Error: UPGRADE FAILED: "ENV_GROUP" has no deployed releases`, replace `upgrade` with `install` and try the command again.

    ### `apigeectl`

    ```
    $APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml --settings virtualhosts --env $ENVIRONMENT
    ```

Usage notes
-----------

- **What happens if the cluster has more than one org?**

  Since the ingress is at the cluster level for a given port (443), and there can only be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair.
- **What happens if the cluster has more than one environment group? Will it work if the virtual hosts share the same key/cert pair?**

  All hostnames across all environment groups must use the same key/cert pair.
- **Why are we creating an ApigeeRoute instead of Gateway?**

  ApigeeRoutes can be validated by Apigee; however, [Gateway](https://istio.io/latest/docs/reference/config/networking/gateway/) (the Istio CRD) cannot be. Technically, even Gateway can work, but we can prevent potential configuration mistakes (through a validation webhook).
- **How can I configure non-SNI clients for Apigee?**

  If your Apigee instance is exposed through a Google Load Balancer, then the Load Balancer supports non-SNI clients as explained [in the Load Balancing documentation](https://cloud.google.com/load-balancing/docs/ssl-certificates#multiplessl-selection). Otherwise, if you have exposed an Apigee instance through an internal PSC endpoint or VPC, by default the Apigee instance supports non-SNI clients.

Enable HTTP clients
-------------------

This section explains support for HTTP clients for use with Apigee hybrid.

**Note:** We do not recommend enabling port 80. All transmission, especially API traffic, should be over TLS (1.2 or higher).

1. Create an ApigeeRoute custom resource definition (CRD). For example:

    ```yaml
    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 80
        protocol: HTTP
      selector:
        app: istio-ingressgateway
      enableNonSniClient: true
    ```

    Where:
    - `route_name` is the name you give to the CRD.
    - `hostnames` must be set to the wildcard "*". **Note:** Do not create two ApigeeRoute objects with a wildcard "*" hostname.
2. Open your overrides file and make the change described in the next step.
3. For each environment group, add the ApigeeRoute name to the `additionalGateways` property. For example:

    ```yaml
    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]
    ```
4. Save the CRD file. For example: `ApigeeRoute.yaml`
5. Apply the CRD to the cluster:

    ```
    kubectl apply -f ApigeeRoute.yaml -n apigee
    ```
6. Apply the change to `virtualhosts`:

    ### Helm

    ```
    helm upgrade ENV_GROUP apigee-virtualhost/ \
      --namespace apigee \
      --atomic \
      --set envgroup=ENV_GROUP_NAME \
      -f OVERRIDES_FILE.yaml
    ```

    ### `apigeectl`

    ```
    $APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml --settings virtualhosts --env $ENVIRONMENT
    ```

Enable support for both non-SNI and HTTP clients
------------------------------------------------

This section explains how to enable **both** non-SNI (port 443) and HTTP (port 80) clients for use with Apigee hybrid.

**Note:** We do not recommend enabling port 80. All transmission, especially API traffic, should be over TLS (1.2 or higher).

1. Create an ApigeeRoute custom resource definition (CRD). For example:

    ```yaml
    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 443
        protocol: HTTPS
        tls:
          credentialName: credential_name
          mode: SIMPLE
          # optional
          minProtocolVersion: TLS_AUTO
      - number: 80
        protocol: HTTP
      selector:
        app: istio-ingressgateway
      enableNonSniClient: true
    ```

    Where:
    - `route_name` is the name you give to the CRD.
    - `hostnames` must be set to the wildcard "*". **Note:** Do not create two ApigeeRoute objects with a wildcard "*" hostname.
    - `credential_name` is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following `kubectl` command:

        ```
        kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName
        ```
2. Open your overrides file and make the change described in the next step.
3. For each environment group, add the ApigeeRoute name to the `additionalGateways` property. For example:

    ```yaml
    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]
    ```
4. Save the CRD file. For example: `ApigeeRoute.yaml`
5. Apply the CRD to the cluster:

    ```
    kubectl apply -f ApigeeRoute.yaml -n apigee
    ```
6. Apply the change to `virtualhosts`:

    ### Helm

    ```
    helm upgrade ENV_GROUP apigee-virtualhost/ \
      --namespace apigee \
      --atomic \
      --set envgroup=ENV_GROUP_NAME \
      -f OVERRIDES_FILE.yaml
    ```

    ### `apigeectl`

    ```
    $APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE.yaml --settings virtualhosts --env $ENVIRONMENT
    ```

Last updated 2025-08-28 UTC.
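
An added example, not part of the Apigee documentation: a Python check that reads ApigeeRoute objects as JSON and flags the conditions this page warns about (a port 80 listener, an HTTPS port with no `credentialName`, more than one wildcard route). The sample input is constructed, and the `TLSV1_0`/`TLSV1_1` values assume `minProtocolVersion` uses Istio's Gateway enum names.

```python
import json

# Constructed sample shaped like `kubectl -n apigee get ApigeeRoutes -o=json`.
# Route and secret names are placeholders, not values from a real cluster.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "non-sni-route"},
   "spec": {"hostnames": ["*"], "enableNonSniClient": true, "ports": [
     {"number": 443, "protocol": "HTTPS", "tls": {
       "credentialName": "example-credential", "mode": "SIMPLE",
       "minProtocolVersion": "TLS_AUTO"}}]}},
  {"metadata": {"name": "legacy-route"},
   "spec": {"hostnames": ["*"], "enableNonSniClient": true, "ports": [
     {"number": 443, "protocol": "HTTPS", "tls": {"mode": "SIMPLE"}},
     {"number": 80, "protocol": "HTTP"}]}}
]}
""")

# Assumption: minProtocolVersion takes the Istio Gateway enum names.
WEAK_TLS = {"TLSV1_0", "TLSV1_1"}


def audit_routes(doc):
    """Return (route, finding) pairs for the constraints the page states."""
    findings, wildcard = [], []
    for item in doc.get("items", []):
        name, spec = item["metadata"]["name"], item.get("spec", {})
        if "*" in spec.get("hostnames", []):
            wildcard.append(name)
        elif spec.get("enableNonSniClient"):
            findings.append((name, 'enableNonSniClient without hostnames "*"'))
        for port in spec.get("ports", []):
            num, tls = port.get("number"), port.get("tls") or {}
            if port.get("protocol", "").upper() == "HTTP":
                findings.append((name, f"port {num} accepts plaintext HTTP"))
                continue
            if not tls.get("credentialName"):
                findings.append((name, f"port {num} has no tls.credentialName"))
            if tls.get("minProtocolVersion") in WEAK_TLS:
                findings.append((name, f"port {num} allows TLS below 1.2"))
    if len(wildcard) > 1:
        findings.append((",".join(wildcard), "multiple wildcard ApigeeRoutes"))
    return findings


if __name__ == "__main__":
    for route, finding in audit_routes(SAMPLE):
        print(f"{route}: {finding}")
```

To audit a cluster, pass `audit_routes` the parsed output of `kubectl -n apigee get ApigeeRoutes -o=json` in place of `SAMPLE`.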