This topic explains how to enable non-SNI clients, HTTP clients, and a combination of both
for use with Apigee hybrid.
How to configure a non-SNI client
This section explains how to enable support for non-SNI
(Server Name Indication)
clients in Apigee hybrid. A non-SNI client uses port 443 and is required if you want to integrate
hybrid runtime instances with Google Cloud Load Balancing
or for clients that do not support SNI.
Create an ApigeeRoute custom resource definition (CRD). Be sure that enableNonSniClient
is set to true:
What happens if the cluster has more than one org?
Since the ingress is at the cluster level for a given port (443), and there can only
be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair.
What happens if the cluster has more than one environment group. Will it work
if the virtual hosts share the same key/cert pair?
All hostnames across all environment groups must use the same key/cert pair.
Why are we creating an ApigeeRoute instead of Gateway?
ApigeeRoutes can be validated by Apigee; however,
Gateway (the Istio CRD) cannot be.
Technically, even Gateway can work, but we can prevent potential configuration mistakes
(through a validation webhook).
Enable HTTP clients
This section explains support for HTTP clients for use with Apigee hybrid.
Create an ApigeeRoute custom resource definition (CRD). For example:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis document details how to configure Apigee hybrid to support non-SNI clients, which use port 443 and are needed for integration with Google Cloud Load Balancing or clients that lack SNI support.\u003c/p\u003e\n"],["\u003cp\u003eThe guide also explains how to enable HTTP clients for Apigee hybrid, although it advises against using port 80 and instead recommends using TLS 1.2 or higher for all transmissions.\u003c/p\u003e\n"],["\u003cp\u003eInstructions are provided for enabling both non-SNI and HTTP clients simultaneously, allowing for flexibility in client connections, yet still the note against port 80 is provided.\u003c/p\u003e\n"],["\u003cp\u003eConfiguration involves creating an ApigeeRoute custom resource definition (CRD), setting specific properties like \u003ccode\u003eenableNonSniClient\u003c/code\u003e, \u003ccode\u003ehostnames\u003c/code\u003e, and \u003ccode\u003eports\u003c/code\u003e, and then updating the \u003ccode\u003eadditionalGateways\u003c/code\u003e property in the overrides file.\u003c/p\u003e\n"],["\u003cp\u003eThe document emphasizes that all organizations within a cluster must share the same key/certificate pair due to the ingress being at the cluster level for port 443, and that using ApigeeRoute is preferred over Istio's Gateway for better validation and error prevention.\u003c/p\u003e\n"]]],[],null,["# Enable non-SNI and HTTP clients\n\n| You are currently viewing version 1.5 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\n\nThis topic explains how to enable non-SNI clients, HTTP clients, and a combination of both\nfor use with Apigee hybrid.\n\nHow to configure a non-SNI client\n---------------------------------\n\nThis section explains how to enable support for non-SNI ([Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication)) clients in Apigee hybrid. A non-SNI client uses port 443 and is required if you want to integrate hybrid runtime instances with Google [Cloud Load Balancing](https://cloud.google.com/load-balancing/docs) or for clients that do not support SNI.\n\n1. Create an ApigeeRoute custom resource definition (CRD). Be sure that `enableNonSniClient` is set to `true`: \n\n ```\n apiVersion: apigee.cloud.google.com/v1alpha1\n kind: ApigeeRoute\n metadata:\n name: route_name\n namespace: apigee\n spec:\n hostnames:\n - \"*\"\n ports:\n - number: 443\n protocol: HTTPS\n tls:\n credentialName: credential_name\n mode: SIMPLE\n #optional\n minProtocolVersion: TLS_AUTO\n selector:\n app: istio-ingressgateway\n enableNonSniClient: true\n ```\n\n\n Where:\n - \u003cvar translate=\"no\"\u003eroute_name\u003c/var\u003e is the name you give to the CRD.\n - \u003cvar translate=\"no\"\u003ecredential_name\u003c/var\u003e is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost.\n - `hostnames` must be set to the wildcard \"\\*\". **Note:**Do not create two ApigeeRoute objects with a wildcard \"\\*\" hostname.\n2. Open your overrides file and make the change described in the next step.\n3. For each environment group, add the ApigeeRoute name to the `additionalGateways` property. For example: \n\n ```\n virtualhosts:\n - name: default\n sslCertPath: ./certs/fullchain.pem\n sslKeyPath: ./certs/privkey.pem\n additionalGateways: [\"route_name\"]\n ```\n4. Save the CRD file. For example: `ApigeeRoute.yaml`\n5. Apply the CRD to the cluster: \n\n ```\n kubectl apply -f ApigeeRoute.yaml -n apigee\n ```\n6. Apply the change to `virtualhosts`: \n\n ```\n $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT\n ```\n\nUsage notes\n-----------\n\n- **What happens if the cluster has more than one org?**\n\n\n Since the ingress is at the cluster level for a given port (443), and there can only\n be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair.\n- **What happens if the cluster has more than one environment group. Will it work\n if the virtual hosts share the same key/cert pair?**\n\n\n All hostnames across all environment groups must use the same key/cert pair.\n- **Why are we creating an ApigeeRoute instead of Gateway?**\n\n\n ApigeeRoutes can be validated by Apigee; however,\n [Gateway](https://istio.io/latest/docs/reference/config/networking/gateway/) (the Istio CRD) cannot be.\n Technically, even Gateway can work, but we can prevent potential configuration mistakes\n (through a validation webhook).\n\nEnable HTTP clients\n-------------------\n\n\nThis section explains support for HTTP clients for use with Apigee hybrid.\n| **Note:** We do not recommend enabling port 80. All transmission, especially API traffic, should be over TLS (1.2 or higher).\n\n1. Create an ApigeeRoute custom resource definition (CRD). For example: \n\n ```\n apiVersion: apigee.cloud.google.com/v1alpha1\n kind: ApigeeRoute\n metadata:\n name: route_name\n namespace: apigee\n spec:\n hostnames:\n - \"*\"\n ports:\n - number: 80\n protocol: HTTP\n selector:\n app: istio-ingressgateway\n enableNonSniClient: true\n ```\n\n\n Where:\n - \u003cvar translate=\"no\"\u003eroute_name\u003c/var\u003e is the name you give to the CRD.\n - `hostnames` must be set to the wildcard \"\\*\". **Note:**Do not create two ApigeeRoute objects with a wildcard \"\\*\" hostname.\n2. Open your overrides file and make the change described in the next step.\n3. For each environment group, add the ApigeeRoute name to the `additionalGateways` property. For example: \n\n ```\n virtualhosts:\n - name: default\n sslCertPath: ./certs/fullchain.pem\n sslKeyPath: ./certs/privkey.pem\n additionalGateways: [\"route_name\"]\n ```\n4. Save the CRD file. For example: `ApigeeRoute.yaml`\n5. Apply the CRD to the cluster: \n\n ```\n kubectl apply -f ApigeeRoute.yaml -n apigee\n ```\n6. Apply the change to `virtualhosts`: \n\n ```\n $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT\n ```\n\nEnable support for both non-SNI and HTTP clients\n------------------------------------------------\n\n\nThis section explains how to enable **both** non-SNI (port 443) and HTTP (port 80) clients\nfor use with Apigee hybrid.\n| **Note:** We do not recommend enabling port 80. All transmission, especially API traffic, should be over TLS (1.2 or higher).\n\n1. Create an ApigeeRoute custom resource definition (CRD). For example: \n\n ```\n apiVersion: apigee.cloud.google.com/v1alpha1\n kind: ApigeeRoute\n metadata:\n name: route_name\n namespace: apigee\n spec:\n hostnames:\n - \"*\"\n ports:\n - number: 443\n protocol: HTTPS\n tls:\n credentialName: credential_name\n mode: SIMPLE\n #optional\n minProtocolVersion: TLS_AUTO\n - number: 80\n protocol: HTTP\n selector:\n app: istio-ingressgateway\n enableNonSniClient: true\n ```\n\n\n Where:\n - \u003cvar translate=\"no\"\u003eroute_name\u003c/var\u003e is the name you give to the CRD.\n - `hostname` must be set to the wildcard \"\\*\". **Note:**Do not create two ApigeeRoute objects with a wildcard \"\\*\" hostname.\n - \u003cvar translate=\"no\"\u003ecredential_name\u003c/var\u003e is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost.\n2. Open your overrides file and make the change described in the next step.\n3. For each environment group, add the ApigeeRoute name to the `additionalGateways` property. For example: \n\n ```\n virtualhosts:\n - name: default\n sslCertPath: ./certs/fullchain.pem\n sslKeyPath: ./certs/privkey.pem\n additionalGateways: [\"route_name\"]\n ```\n4. Save the CRD file. For example: `ApigeeRoute.yaml`\n5. Apply the CRD to the cluster: \n\n ```\n kubectl apply -f ApigeeRoute.yaml -n apigee\n ```\n6. Apply the change to `virtualhosts`: \n\n ```\n $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT\n ```"]]