Enable non-SNI clients

Version 1.14 keyboard_arrow_down

This topic explains how to enable non-SNI clients for use with Apigee hybrid.

How to configure a non-SNI client

This section explains how to enable support for non-SNI (Server Name Indication) clients in Apigee hybrid. A non-SNI client uses port 443 and is required if you want to integrate hybrid runtime instances with Google Cloud Load Balancing or for clients that do not support SNI.

Create an ApigeeRoute custom resource definition (CRD). Be sure that enableNonSniClient is set to true:
```
apiVersion: apigee.cloud.google.com/v1alpha1
kind: ApigeeRoute
metadata:
  name: ROUTE_NAME
  namespace: APIGEE_NAMESPACE
spec:
  hostnames:
  - "*"
  ports:
  - number: 443
    protocol: HTTPS
    tls:
      credentialName: CREDENTIAL_NAME
      mode: SIMPLE
      #optional
      minProtocolVersion: TLS_AUTO
  selector:
    app: apigee-ingressgateway
  enableNonSniClient: true
```
Where:
- ROUTE_NAME is the name you give to the custom resource (CR).
- CREDENTIAL_NAME is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following kubectl Command:
```
kubectl -n APIGEE_NAMESPACE get ApigeeRoutes -o=yaml | grep credentialName
```
- hostnames must be set to the wildcard "*".
  Note: Do not create two ApigeeRoute objects with a wildcard "*" hostname.
Open your overrides file and make the change described in the next step.

For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

virtualhosts:
  - name: default
    sslCertPath: ./certs/fullchain.pem
    sslKeyPath: ./certs/privkey.pem
    additionalGateways: ["ROUTE_NAME"]

Save the CRD file. For example: ApigeeRoute.yaml

Apply the CRD to the cluster:

kubectl apply -f ApigeeRoute.yaml -n APIGEE_NAMESPACE

Apply the change to virtualhosts. If you have set the $ENV_GROUP environment variable in your shell, you can use that in the following commands:
```
helm upgrade $ENV_GROUP apigee-virtualhost/ \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f OVERRIDES_FILE.yaml
```
Note: If you see an error saying Error: UPGRADE FAILED: "ENV_GROUP" has no deployed releases, replace upgrade with install and try the command again.

Usage notes

What happens if the cluster has more than one org?
Since the ingress is at the cluster level for a given port (443), and there can only be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair.
What happens if the cluster has more than one environment group? Will it work if the virtual hosts share the same key/cert pair?
All hostnames across all environment groups must use the same key/cert pair.
Why are we creating an ApigeeRoute instead of Gateway?
ApigeeRoutes can be validated by Apigee; however, Gateway (the Istio CRD) cannot be. Technically, even Gateway can work, but we can prevent potential configuration mistakes (through a validation webhook).
How can I configure non-SNI clients for Apigee?
If your Apigee instance is exposed through a Google Load Balancer, then the Load Balancer supports non-SNI clients as explained in the Load Balancing documentation. Otherwise, if you have exposed an Apigee instance through an internal Private Service Connect endpoint or VPC, by default the Apigee instance supports non-SNI clients.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-06-11 UTC.

Enable non-SNI clients Stay organized with collections Save and categorize content based on your preferences.

How to configure a non-SNI client

Usage notes

Enable non-SNI clients