Hi Members,
We have a requirement where we need to protect the API proxy using client certificate (mutual SSL) validation. The requirement is that consumer invokes APIGEE proxy with a client certificate sent in the request, APIGEE validates the certificate (expiry time, valid root CA, attached to the app allowed to call) and then on successful validation allow the call to API proxy. If unsuccessful then throw 401 error.
I have tried to read documentation and looked into the community, I dont see this implemented .
Is this possible in APIGEE ? If yes, could you please guide me to the relevant document to implement same.
Kind Regards
Arijit
             
            
              
              
              
            
            
           
          
            
            
              Hi Arijit,
Apigee X relies on GCP Load Balancers to manage TSL connections. The L7 GLB (Global Load Balancer) does not currently support mutual TLS, it is expected to be available in H1 2023. In the interim you can support mutual TLS using an external TCP proxy load balancer (TCP GLB) as described in this 2 part article.
https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/Network-and-Envoy-Proxy-Configuration-to-manage-mTLS-on-Apigee-X/ta-p/175146
             
            
              
              
              1 Like
            
            
           
          
            
            
              Hi kurtkanaskie,
Are you saying that APIGEE out of box doesn’t support inbound TLS to authenticate API. We have to rely on load balancer capability to acheive this ?. Going to the path of load balancer capability will also have issue in applying contract and quota policies, isn’t it ?
Kind Regards
Arijit
             
            
              
              
              
            
            
           
          
            
            
              Hi @Arijit_apigee ,
Apigee X relies on GCP Load Balancers in GCP “customer” project to connect to the GCP “tenant” project that hosts the runtime instances. This can be a Global Load Balancer or an Internal Load Balancer. Using a load balancer has no impact on the execution of the API proxy policies, it is only providing network level access. See: https://cloud.google.com/apigee/docs/api-platform/get-started/what-apigee#high-level-architecture
             
            
              
              
              1 Like
            
            
           
          
            
            
              Update: mTLS is coming to the HTTPS GLB soon, perhaps even end of this month.
In the interim you can use: Network and Envoy Proxy Configuration to manage mTLS on Apigee X
             
            
              
              
              
            
            
           
          
            
            
              Quick update, Mutual TLS for GLBs is currently available in Preview mode.
This Pull Request for Apigee Samples is a step by step guide to configure mTLS on an existing GLB.