# Enable non-SNI and HTTP clients

You are currently viewing version 1.8 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).

This topic explains how to enable non-SNI clients, HTTP clients, and a combination of both
for use with Apigee hybrid.

This configuration works for both Apigee ingress gateway and Anthos Service Mesh.

How to configure a non-SNI client
---------------------------------

This section explains how to enable support for non-SNI ([Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication)) clients in Apigee hybrid. Non-SNI client support uses port 443 and is required if you want to integrate hybrid runtime instances with Google [Cloud Load Balancing](https://cloud.google.com/load-balancing/docs), or for clients that do not support SNI.

1. Create an ApigeeRoute custom resource definition (CRD). Be sure that `enableNonSniClient` is set to `true`:

   ```yaml
   apiVersion: apigee.cloud.google.com/v1alpha1
   kind: ApigeeRoute
   metadata:
     name: ROUTE_NAME
     namespace: apigee
   spec:
     hostnames:
     - "*"
     ports:
     - number: 443
       protocol: HTTPS
       tls:
         credentialName: CREDENTIAL_NAME
         mode: SIMPLE
         #optional
         minProtocolVersion: TLS_AUTO
     selector:
       app: APP_NAME
     enableNonSniClient: true
   ```

   Where:
   - `ROUTE_NAME` is the name you give to the CRD.
   - `CREDENTIAL_NAME` is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following `kubectl` command:

     ```
     kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName
     ```
   - `APP_NAME` identifies the type of ingress gateway:
     - `apigee-ingressgateway` for Apigee ingress gateway.
     - `istio-ingressgateway` for Anthos Service Mesh.
   - `hostnames` must be set to the wildcard `"*"`. **Note:** Do not create two ApigeeRoute objects with a wildcard `"*"` hostname.
2. Open your overrides file and make the change described in the next step.
3. For each environment group, add the ApigeeRoute name to the `additionalGateways` property. For example:

   ```yaml
   virtualhosts:
   - name: default
     sslCertPath: ./certs/fullchain.pem
     sslKeyPath: ./certs/privkey.pem
     additionalGateways: ["route_name"]
   ```
4. Save the CRD file. For example: `ApigeeRoute.yaml`
5. Apply the CRD to the cluster:

   ```
   kubectl apply -f ApigeeRoute.yaml -n apigee
   ```
6. Apply the change to `virtualhosts`:

   ```
   $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
   ```

Usage notes
-----------

- **What happens if the cluster has more than one org?**

  Since the ingress is at the cluster level for a given port (443), and there can only
  be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair.
- **What happens if the cluster has more than one environment group? Will it work
  if the virtual hosts share the same key/cert pair?**

  All hostnames across all environment groups must use the same key/cert pair.
- **Why are we creating an ApigeeRoute instead of Gateway?**

  ApigeeRoutes can be validated by Apigee; however,
  [Gateway](https://istio.io/latest/docs/reference/config/networking/gateway/) (the Istio CRD) cannot be.
  Technically, a Gateway would also work, but with ApigeeRoute we can prevent potential configuration mistakes
  (through a validation webhook).

Enable HTTP clients
-------------------

This section explains support for HTTP clients for use with Apigee hybrid.

**Note:** We do not recommend enabling port 80. All transmission, especially API traffic, should be over TLS (1.2 or higher).

1. Create an ApigeeRoute custom resource definition (CRD). For example:

   ```yaml
   apiVersion: apigee.cloud.google.com/v1alpha1
   kind: ApigeeRoute
   metadata:
     name: route_name
     namespace: apigee
   spec:
     hostnames:
     - "*"
     ports:
     - number: 80
       protocol: HTTP
     selector:
       app: istio-ingressgateway
     enableNonSniClient: true
   ```

   Where:
   - `route_name` is the name you give to the CRD.
   - `hostnames` must be set to the wildcard `"*"`. **Note:** Do not create two ApigeeRoute objects with a wildcard `"*"` hostname.
2. Open your overrides file and make the change described in the next step.
3. For each environment group, add the ApigeeRoute name to the `additionalGateways` property. For example:

   ```yaml
   virtualhosts:
   - name: default
     sslCertPath: ./certs/fullchain.pem
     sslKeyPath: ./certs/privkey.pem
     additionalGateways: ["route_name"]
   ```
4. Save the CRD file. For example: `ApigeeRoute.yaml`
5. Apply the CRD to the cluster:

   ```
   kubectl apply -f ApigeeRoute.yaml -n apigee
   ```
6. Apply the change to `virtualhosts`:

   ```
   $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
   ```

Enable support for both non-SNI and HTTP clients
------------------------------------------------

This section explains how to enable **both** non-SNI (port 443) and HTTP (port 80) clients
for use with Apigee hybrid.

**Note:** We do not recommend enabling port 80. All transmission, especially API traffic, should be over TLS (1.2 or higher).

1. Create an ApigeeRoute custom resource definition (CRD). For example:

   ```yaml
   apiVersion: apigee.cloud.google.com/v1alpha1
   kind: ApigeeRoute
   metadata:
     name: route_name
     namespace: apigee
   spec:
     hostnames:
     - "*"
     ports:
     - number: 443
       protocol: HTTPS
       tls:
         credentialName: credential_name
         mode: SIMPLE
         #optional
         minProtocolVersion: TLS_AUTO
     - number: 80
       protocol: HTTP
     selector:
       app: istio-ingressgateway
     enableNonSniClient: true
   ```

   Where:
   - `route_name` is the name you give to the CRD.
   - `hostnames` must be set to the wildcard `"*"`. **Note:** Do not create two ApigeeRoute objects with a wildcard `"*"` hostname.
   - `credential_name` is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following `kubectl` command:

     ```
     kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName
     ```
2. Open your overrides file and make the change described in the next step.
3. For each environment group, add the ApigeeRoute name to the `additionalGateways` property. For example:

   ```yaml
   virtualhosts:
   - name: default
     sslCertPath: ./certs/fullchain.pem
     sslKeyPath: ./certs/privkey.pem
     additionalGateways: ["route_name"]
   ```
4. Save the CRD file. For example: `ApigeeRoute.yaml`
5. Apply the CRD to the cluster:

   ```
   kubectl apply -f ApigeeRoute.yaml -n apigee
   ```
6. Apply the change to `virtualhosts`:

   ```
   $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
   ```

Last updated 2025-08-26 UTC.
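
The notes on this page (only one ApigeeRoute with the wildcard hostname, port 80 not recommended, TLS 1.2 or higher) can be checked against the routes in a cluster. The following is an added example, not part of the Apigee documentation or tooling: the function names and sample routes are constructed, the input is JSON shaped like the output of `kubectl -n apigee get ApigeeRoutes -o json`, and it assumes `minProtocolVersion` takes the Istio Gateway enum names.

```python
import json
import sys

# Assumption: Istio Gateway enum names; both are below the page's TLS 1.2 floor.
WEAK_TLS = {"TLSV1_0", "TLSV1_1"}

def make_route(name, ports):
    """Build a minimal ApigeeRoute object (constructed sample data)."""
    return {"metadata": {"name": name}, "spec": {"hostnames": ["*"], "ports": ports}}

# Constructed sample shaped like `kubectl -n apigee get ApigeeRoutes -o json`.
SAMPLE = {"items": [
    make_route("non-sni-route", [{"number": 443, "protocol": "HTTPS", "tls": {
        "credentialName": "constructed-credential", "mode": "SIMPLE",
        "minProtocolVersion": "TLS_AUTO"}}]),
    make_route("http-route", [{"number": 80, "protocol": "HTTP"}]),
]}

def audit_routes(route_list):
    """Return (route name, finding) pairs for a list of ApigeeRoute objects."""
    findings, wildcard_routes = [], []
    for item in route_list.get("items", []):
        name = item["metadata"]["name"]
        spec = item.get("spec", {})
        if "*" in spec.get("hostnames", []):
            wildcard_routes.append(name)
        for port in spec.get("ports", []):
            number = port.get("number")
            protocol = str(port.get("protocol", "")).upper()
            tls = port.get("tls") or {}
            min_tls = tls.get("minProtocolVersion")
            if protocol == "HTTP":
                findings.append((name, f"port {number} serves cleartext HTTP"))
            elif protocol == "HTTPS":
                if not tls.get("credentialName"):
                    findings.append((name, f"port {number} has no credentialName"))
                if min_tls in WEAK_TLS:
                    findings.append((name, f"port {number} allows {min_tls}"))
    # The page's note: only one ApigeeRoute may use the wildcard hostname.
    if len(wildcard_routes) > 1:
        findings += [(n, 'more than one route uses hostname "*"')
                     for n in wildcard_routes]
    return findings

if __name__ == "__main__":
    # Argument: file holding the kubectl JSON output; no argument audits SAMPLE.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, finding in audit_routes(data):
        print(f"{name}: {finding}")
```

A route list that yields no findings has a single wildcard route, no cleartext port, and a credential on every HTTPS port.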