Objective: I want to set up MTLS for our API proxies so API consumers can connect via our APIs on Apigee X.
From my research in different forums and docs, we understand that MTLS Northbound for Apigee X must be handled at the Load balancer (strict or lenient mode).
To restrict access to certain partners and validate them, we must manage their certificates on our platform. Also, I do not want to allow any self-signed certificate, only certificates issued by public CAs.
Questions:
This is a POC project for my knowledge of how apigeeX works with MTLS client authentication
Hello,
As you mentioned, most of the mTLS orchestration is typically handled via Load Balancer before the inbound service reaches Apigee. The following documentation (noted here: https://medium.com/google-cloud/configuring-mtls-for-apigee-x-northbound-traffic-using-global-https-...) explains how to set up the differing layers of the orchestration incredibly well. As per your questions/concerns:
1. Managing certificates would be performed at the Load Balancer layer via TrustConfig (as noted in the above documentation). The only scenario I have seen where Apigee could be utilized is in a passthrough scenario where you require added validation for the given certificate (serial number, etc.). In the above, you could pass through the certificate to Apigee, and Apigee could check the inbound information via KVM (extract the key/value pair from the KVM and compare the incoming values against the trusted ones). This is not incredibly common, but could be supported given the following: https://cloud.google.com/load-balancing/docs/https/setting-up-mtls-ccm#add-custom-header
2. This would be dependent on your implementation/validation via mTLS; both are supported at the Load Balancer layer.
3. This would still be evaluated at the LB as well.
4. If anything needs to be evaluated at the proxy level (more uncommon), it would be something along the lines of what was noted above (evaluating the pass-through headers against "trusted" certificates stored via KVM).
Thanks!
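The proxy-level check the answer describes in points 1 and 4 (load balancer forwards client-certificate details in custom headers, the proxy compares them against trusted values in a KVM), written out as an added Python model rather than as Apigee policy code from this thread. The header names, the KVM contents and the sample requests are assumptions constructed for the example; the real header names are whatever you configure on the backend service per the linked custom-header doc. The important caveat it shows: in lenient mode the LB still forwards requests whose certificate failed validation, so the proxy must require the chain-verified signal and not just certificate presence.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the Apigee KVM: certificate serial number -> partner id.
# Populated only with serials of certificates issued by public CAs in the TrustConfig.
TRUSTED_SERIALS: Dict[str, str] = {
    "0a1b2c3d4e5f": "partner-acme",
    "0123456789ab": "partner-globex",
}

@dataclass
class Decision:
    allowed: bool
    partner: Optional[str]
    reason: str

def authorize(headers: Dict[str, str], trusted: Dict[str, str] = TRUSTED_SERIALS) -> Decision:
    """Decide whether a request forwarded by the LB may reach the API.

    Assumed header names (set via custom request headers on the backend service):
      X-Client-Cert-Present, X-Client-Cert-Chain-Verified,
      X-Client-Cert-Error, X-Client-Cert-Serial-Number.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get("x-client-cert-present") != "true":
        return Decision(False, None, "no client certificate presented")
    # Lenient mode forwards requests even when validation failed, so presence
    # alone proves nothing; only a verified chain means a TrustConfig CA signed it.
    if h.get("x-client-cert-chain-verified") != "true":
        err = h.get("x-client-cert-error", "unspecified")
        return Decision(False, None, f"chain not verified ({err})")
    serial = h.get("x-client-cert-serial-number", "").lower()
    partner = trusted.get(serial)
    if partner is None:
        return Decision(False, None, "serial not in trusted KVM")
    return Decision(True, partner, "ok")

# Constructed sample: a verified partner certificate and a self-signed one in lenient mode.
SAMPLE_OK = {"X-Client-Cert-Present": "true", "X-Client-Cert-Chain-Verified": "true",
             "X-Client-Cert-Serial-Number": "0A1B2C3D4E5F"}
SAMPLE_SELF_SIGNED = {"X-Client-Cert-Present": "true", "X-Client-Cert-Chain-Verified": "false",
                      "X-Client-Cert-Error": "chain_not_trusted",
                      "X-Client-Cert-Serial-Number": "0a1b2c3d4e5f"}

if __name__ == "__main__":
    for name, hdrs in (("ok", SAMPLE_OK), ("self-signed", SAMPLE_SELF_SIGNED)):
        print(name, authorize(hdrs))
```

Note that the serial in the self-signed sample matches a trusted KVM entry on purpose: without the chain-verified check, a caller could present any certificate carrying a known serial and be accepted.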