This topic explains how to enable non-SNI clients
for use with Apigee hybrid.
How to configure a non-SNI client
This section explains how to enable support for non-SNI
(Server Name Indication)
clients in Apigee hybrid. A non-SNI client uses port 443 and is required if you want to integrate
hybrid runtime instances with Google Cloud Load Balancing
or for clients that do not support SNI.
Create an ApigeeRoute custom resource definition (CRD). Be sure that enableNonSniClient
is set to true:
ROUTE_NAME is the name you give to the custom resource (CR).
CREDENTIAL_NAME is the name of a Kubernetes Secret deployed to the cluster
that contains TLS credentials for your virtualhost. You can find the credential name with
the following kubectl Command:
kubectl -n APIGEE_NAMESPACE get ApigeeRoutes -o=yaml | grep credentialName
hostnames must be set to the wildcard "*".
Open your overrides file and make the change described in the next step.
For each environment group, add the ApigeeRoute name to the additionalGateways
property. For example:
What happens if the cluster has more than one org?
Since the ingress is at the cluster level for a given port (443), and there can only
be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair.
What happens if the cluster has more than one environment group? Will it work
if the virtual hosts share the same key/cert pair?
All hostnames across all environment groups must use the same key/cert pair.
Why are we creating an ApigeeRoute instead of Gateway?
ApigeeRoutes can be validated by Apigee; however,
Gateway (the Istio CRD) cannot be.
Technically, even Gateway can work, but we can prevent potential configuration mistakes
(through a validation webhook).
How can I configure non-SNI clients for Apigee?
If your Apigee instance is exposed through a Google Load Balancer, then the Load Balancer supports non-SNI clients
as explained
in the Load Balancing documentation.
Otherwise, if you have exposed an Apigee instance through an internal PSC endpoint or VPC, by default the Apigee instance supports non-SNI clients.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[],[],null,["# Enable non-SNI clients\n\nThis topic explains how to enable non-SNI clients\nfor use with Apigee hybrid.\n\nHow to configure a non-SNI client\n---------------------------------\n\nThis section explains how to enable support for non-SNI ([Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication)) clients in Apigee hybrid. A non-SNI client uses port 443 and is required if you want to integrate hybrid runtime instances with Google [Cloud Load Balancing](https://cloud.google.com/load-balancing/docs) or for clients that do not support SNI.\n\n1. Create an ApigeeRoute custom resource definition (CRD). Be sure that `enableNonSniClient` is set to `true`: \n\n ```actionscript-3\n apiVersion: apigee.cloud.google.com/v1alpha1\n kind: ApigeeRoute\n metadata:\n name: ROUTE_NAME\n namespace: APIGEE_NAMESPACE\n spec:\n hostnames:\n - \"*\"\n ports:\n - number: 443\n protocol: HTTPS\n tls:\n credentialName: CREDENTIAL_NAME\n mode: SIMPLE\n #optional\n minProtocolVersion: TLS_AUTO\n selector:\n app: apigee-ingressgateway\n enableNonSniClient: true\n ```\n\n\n Where:\n - \u003cvar translate=\"no\"\u003eROUTE_NAME\u003c/var\u003e is the name you give to the custom resource (CR).\n - \u003cvar translate=\"no\"\u003eCREDENTIAL_NAME\u003c/var\u003e is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following `kubectl` Command: \n\n ```\n kubectl -n APIGEE_NAMESPACE get ApigeeRoutes -o=yaml | grep credentialName\n ```\n - `hostnames` must be set to the wildcard \"\\*\". **Note:**Do not create two ApigeeRoute objects with a wildcard \"\\*\" hostname.\n2. Open your overrides file and make the change described in the next step.\n3. For each environment group, add the ApigeeRoute name to the `additionalGateways` property. For example: \n\n ```scdoc\n virtualhosts:\n - name: default\n sslCertPath: ./certs/fullchain.pem\n sslKeyPath: ./certs/privkey.pem\n additionalGateways: [\"ROUTE_NAME\"]\n ```\n4. Save the CRD file. For example: `ApigeeRoute.yaml`\n5. Apply the CRD to the cluster: \n\n ```\n kubectl apply -f ApigeeRoute.yaml -n APIGEE_NAMESPACE\n ```\n6. Apply the change to `virtualhosts`. If you have set the \u003cvar translate=\"no\"\u003e$ENV_GROUP\u003c/var\u003e environment variable in your shell, you can use that in the following commands: \n\n ```\n helm upgrade $ENV_GROUP apigee-virtualhost/ \\\n --namespace APIGEE_NAMESPACE \\\n --atomic \\\n --set envgroup=$ENV_GROUP \\\n -f OVERRIDES_FILE.yaml\n ```\n | **Note:** If you see an error saying `Error: UPGRADE FAILED: \"`*ENV_GROUP*`\" has no deployed releases`, replace `upgrade` with `install` and try the command again.\n\nUsage notes\n-----------\n\n- **What happens if the cluster has more than one org?**\n\n\n Since the ingress is at the cluster level for a given port (443), and there can only\n be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair.\n- **What happens if the cluster has more than one environment group? Will it work\n if the virtual hosts share the same key/cert pair?**\n\n\n All hostnames across all environment groups must use the same key/cert pair.\n- **Why are we creating an ApigeeRoute instead of Gateway?**\n\n\n ApigeeRoutes can be validated by Apigee; however,\n [Gateway](https://istio.io/latest/docs/reference/config/networking/gateway/) (the Istio CRD) cannot be.\n Technically, even Gateway can work, but we can prevent potential configuration mistakes\n (through a validation webhook).\n- **How can I configure non-SNI clients for Apigee?**\n\n\n If your Apigee instance is exposed through a Google Load Balancer, then the Load Balancer supports non-SNI clients\n as explained\n [in the Load Balancing documentation.](https://cloud.google.com/load-balancing/docs/ssl-certificates#multiplessl-selection)\n Otherwise, if you have exposed an Apigee instance through an internal PSC endpoint or VPC, by default the Apigee instance supports non-SNI clients."]]
