Apigee X mTLS on Northbound Interface

VAP
Bronze 4

Hi Apigee experts,

Quick question: does Apigee X support mTLS (client certificate authentication) when a client calls an API proxy?

If not, any workaround?

Regards

V

2 ACCEPTED SOLUTIONS

Hi V,

Apigee X relies on Google Cloud Load Balancers for northbound client connectivity, which do not currently support mTLS [1]. You can secure your inbound traffic through IP allowlisting on the Load Balancer, and through Cloud Armor policies, which can be used to reject traffic based on a number of parameters [2].

Apigee X does support mTLS southbound between Apigee and the target servers [3].

[1] https://cloud.google.com/load-balancing/docs/ssl-certificates#ssl-certificate-limits

[2] https://cloud.google.com/armor/docs/security-policy-overview#policy-types

[3] https://cloud.google.com/apigee/docs/api-platform/develop/mtls-configurable-proxies


Hi @VAP,

With the Preview GA (2023-10-03) release of mTLS for Application Load Balancers, this can now be supported for Apigee X!

See: Apigee X Northbound Mutual TLS using Application Load Balancer article which provides an overview and link to step-by-step guide.


3 REPLIES

Hi V,

There is a workaround discussed already in the below community post. Note that, as @gcpsean mentioned, the alternates might be better for the time being until Google Cloud Load Balancers start supporting mTLS.

Thanks,
Baskar.
