Apigee X mTLS on Northbound Interface

Hi Apigee experts,

Quick question: does Apigee X support mTLS (client certificate authentication) when a client calls an API proxy?

If not, any workaround?

Regards

V

1 Like

Hi V,

Apigee X relies on Google Cloud Load Balancers for northbound client connectivity, which do not currently support mTLS [1]. You can secure your inbound traffic through IP allowlisting on the Load Balancer, and through Cloud Armor policies, which can be used to reject traffic based on a number of parameters [2].

Apigee X does support mTLS southbound between Apigee and the target servers [3].

[1] https://cloud.google.com/load-balancing/docs/ssl-certificates#ssl-certificate-limits

[2] https://cloud.google.com/armor/docs/security-policy-overview#policy-types

[3] https://cloud.google.com/apigee/docs/api-platform/develop/mtls-configurable-proxies

2 Likes

Hi V,

There is a workaround already discussed in the community post below. Note that, as @gcpsean mentioned, the alternatives might be better for the time being until Google Cloud Load Balancers start supporting mTLS.

Thanks,
Baskar.

1 Like

Hi @VAP,

With the Preview GA (2023-10-03) release of mTLS for Application Load Balancers, this can now be supported for Apigee X!

See the "Apigee X Northbound Mutual TLS using Application Load Balancer" article, which provides an overview and a link to a step-by-step guide.

3 Likes