We are doing a migration of APIs from CA Layer7 to Apigee. There are lots of APIs which are running on mutual TLS for inbound requests. As per the migration plan, we are going with the approach of first bringing an Apigee layer in front of CA Layer7 and routing all traffic from Apigee to Layer7.
Since Apigee breaks TLS at the proxy endpoint before routing the request to the target, there is additional effort required to bind the certificate to the target endpoint. Is it possible to make TLS pass through from Apigee to the backend system (CA Layer7 here)?
No, if I understand your question correctly: it is not possible to configure the Apigee proxy to act as a layer-4 proxy, which is necessary to “passthrough” the encrypted packets to the backend system, without terminating the inbound TLS connection and initiating a new TLS connection southbound.
Apigee acts as a layer-7 (not Layer7™) proxy. It terminates inbound TLS connections, and initiates new TLS connections outbound.
To follow the process you are imagining, I think you will need to
EITHER configure the Layer7 gateway to accept an additional new set of TLS keys, and provision those new keys in Apigee for southbound connections
OR configure Apigee to use the existing TLS keys and certs for its southbound connections.
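A sketch of the southbound mutual TLS leg described in the answer above, added here as an example and not part of the original post. The target URL, the keystore and truststore reference names, and the key alias are placeholders; the keystore holds whichever client key pair is chosen (a newly issued one that Layer7 is configured to accept, or the existing one).

```xml
<!-- Added example: Apigee TargetEndpoint that opens a NEW mutual-TLS
     connection to the Layer7 gateway after Apigee has terminated the
     inbound TLS session. All names below are placeholders. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <!-- Placeholder address of the CA Layer7 gateway -->
    <URL>https://layer7-gateway.example.internal/api</URL>
    <SSLInfo>
      <!-- Use TLS on the southbound connection -->
      <Enabled>true</Enabled>
      <!-- Present a client certificate to Layer7 (two-way TLS) -->
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <!-- Keystore reference holding the client key pair Apigee presents;
           a reference lets the key be rotated without redeploying the proxy -->
      <KeyStore>ref://layer7-client-keystore-ref</KeyStore>
      <KeyAlias>layer7-client</KeyAlias>
      <!-- Truststore reference holding the CA chain used to validate
           the certificate that Layer7 presents -->
      <TrustStore>ref://layer7-truststore-ref</TrustStore>
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>
```

With this arrangement Layer7 authenticates Apigee's certificate on the southbound connection, not the certificate of the original inbound client.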