Enable non-SNI and HTTP clients
This topic explains how to enable non-SNI clients, HTTP clients, and a combination of both for use with Apigee hybrid.
How to configure a non-SNI client
This section explains how to enable support for non-SNI (Server Name Indication) clients in Apigee hybrid. A non-SNI client uses port 443 and is required if you want to integrate hybrid runtime instances with Google Cloud Load Balancing or for clients that do not support SNI.
- Create an ApigeeRoute custom resource definition (CRD). Be sure that enableNonSniClient is set to true:

    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 443
        protocol: HTTPS
        tls:
          credentialName: credential_name
          mode: SIMPLE
          # optional
          minProtocolVersion: TLS_AUTO
      selector:
        app: istio-ingressgateway
      enableNonSniClient: true

  Where:
  - route_name is the name you give to the CRD.
  - credential_name is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost.
  - hostnames must be set to the wildcard "*".
  Note: Do not create two ApigeeRoute objects with a wildcard "*" hostname.
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]

- Save the CRD file. For example: ApigeeRoute.yaml
- Apply the CRD to the cluster:

    kubectl apply -f ApigeeRoute.yaml -n apigee

- Apply the change to virtualhosts:

    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
Usage notes
- What happens if the cluster has more than one org?
Since the ingress is at the cluster level for a given port (443), and there can only be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair.
- What happens if the cluster has more than one environment group? Will it work if the virtual hosts share the same key/cert pair?
All hostnames across all environment groups must use the same key/cert pair.
- Why are we creating an ApigeeRoute instead of Gateway?
ApigeeRoutes can be validated by Apigee; Gateway (the Istio CRD) cannot be. Technically, a Gateway also works, but using an ApigeeRoute lets us prevent potential configuration mistakes through a validation webhook.
Enable HTTP clients
This section explains support for HTTP clients for use with Apigee hybrid.
Note: We do not recommend enabling port 80. All transmission, especially API traffic, should be over TLS (1.2 or higher).
- Create an ApigeeRoute custom resource definition (CRD). For example:

    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 80
        protocol: HTTP
      selector:
        app: istio-ingressgateway
      enableNonSniClient: true

  Where:
  - route_name is the name you give to the CRD.
  - hostnames must be set to the wildcard "*".
  Note: Do not create two ApigeeRoute objects with a wildcard "*" hostname.
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]

- Save the CRD file. For example: ApigeeRoute.yaml
- Apply the CRD to the cluster:

    kubectl apply -f ApigeeRoute.yaml -n apigee

- Apply the change to virtualhosts:

    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
Enable support for both non-SNI and HTTP clients
This section explains how to enable both non-SNI (port 443) and HTTP (port 80) clients for use with Apigee hybrid.
Note: We do not recommend enabling port 80. All transmission, especially API traffic, should be over TLS (1.2 or higher).
- Create an ApigeeRoute custom resource definition (CRD). For example:

    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 443
        protocol: HTTPS
        tls:
          credentialName: credential_name
          mode: SIMPLE
          # optional
          minProtocolVersion: TLS_AUTO
      - number: 80
        protocol: HTTP
      selector:
        app: istio-ingressgateway
      enableNonSniClient: true

  Where:
  - route_name is the name you give to the CRD.
  - hostnames must be set to the wildcard "*".
  - credential_name is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost.
  Note: Do not create two ApigeeRoute objects with a wildcard "*" hostname.
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]

- Save the CRD file. For example: ApigeeRoute.yaml
- Apply the CRD to the cluster:

    kubectl apply -f ApigeeRoute.yaml -n apigee

- Apply the change to virtualhosts:

    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
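The constraints stated in the three procedures above (hostnames set to the wildcard "*", only one wildcard ApigeeRoute, enableNonSniClient set to true, a TLS credential on the HTTPS port, and the recommendation against port 80) can be checked before a manifest is applied. The following is an added example, not Apigee's own code. It assumes the ApigeeRoute objects are available as a JSON list (the shape kubectl's `-o json` output uses); the function name, route names and secret name are constructed for illustration.

```python
import json

# Constructed sample: a Kubernetes-style List holding two ApigeeRoute objects.
# Route names and the secret name are made up for this example.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "non-sni", "namespace": "apigee"},
  "spec": {"hostnames": ["*"], "enableNonSniClient": true,
           "selector": {"app": "istio-ingressgateway"},
           "ports": [{"number": 443, "protocol": "HTTPS",
                      "tls": {"credentialName": "my-tls", "mode": "SIMPLE"}}]}},
 {"metadata": {"name": "legacy-http", "namespace": "apigee"},
  "spec": {"hostnames": ["*"], "enableNonSniClient": true,
           "selector": {"app": "istio-ingressgateway"},
           "ports": [{"number": 80, "protocol": "HTTP"}]}}
]}
""")


def audit_routes(route_list):
    """Return (route_name, finding) tuples for the constraints this page states."""
    findings = []
    wildcard_routes = []
    for item in route_list.get("items", []):
        name = item["metadata"]["name"]
        spec = item.get("spec", {})
        if "*" in spec.get("hostnames", []):
            wildcard_routes.append(name)
        else:
            findings.append((name, 'hostnames is not the wildcard "*"'))
        if spec.get("enableNonSniClient") is not True:
            findings.append((name, "enableNonSniClient is not true"))
        for port in spec.get("ports", []):
            number = port.get("number")
            protocol = str(port.get("protocol", "")).upper()
            tls = port.get("tls") or {}
            if protocol == "HTTP":
                findings.append((name, f"port {number} serves cleartext HTTP"))
            elif protocol == "HTTPS" and not tls.get("credentialName"):
                findings.append((name, f"port {number} has no tls.credentialName"))
    # The page's note: never two ApigeeRoute objects with a wildcard hostname.
    if len(wildcard_routes) > 1:
        for name in wildcard_routes:
            findings.append((name, 'more than one ApigeeRoute uses hostname "*"'))
    return findings


if __name__ == "__main__":
    for route, problem in audit_routes(SAMPLE):
        print(f"{route}: {problem}")
```

When separate 443 and 80 routes trigger the duplicate-wildcard finding, the combined route in this section is the single-object form that avoids it.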
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.