Enable non-SNI and HTTP clients

Version 1.4 (unsupported)keyboard_arrow_down

This topic explains how to enable non-SNI clients, HTTP clients, and a combination of both for use with Apigee hybrid.

How to configure a non-SNI client

This section explains how to enable support for non-SNI (Server Name Indication) clients in Apigee hybrid. A non-SNI client uses port 443 and is required if you want to integrate hybrid runtime instances with Google Cloud Load Balancing or for clients that do not support SNI.

Create an ApigeeRoute custom resource definition (CRD). Be sure that enableNonSniClient is set to true:
```
apiVersion: apigee.cloud.google.com/v1alpha1
kind: ApigeeRoute
metadata:
  name: route_name
  namespace: apigee
spec:
  hostnames:
  - "*"
  ports:
  - number: 443
    protocol: HTTPS
    tls:
      credentialName: credential_name
      mode: SIMPLE
      #optional
      minProtocolVersion: TLS_AUTO
  selector:
    app: istio-ingressgateway
  enableNonSniClient: true
```
Where:
- route_name is the name you give to the CRD.
- credential_name is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost.
- hostnames must be set to the wildcard "*".
  Note: Do not create two ApigeeRoute objects with a wildcard "*" hostname.
Open your overrides file and make the change described in the next step.

For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

virtualhosts:
  - name: default
    sslCertPath: ./certs/fullchain.pem
    sslKeyPath: ./certs/privkey.pem
    additionalGateways: ["route_name"]

Save the CRD file. For example: ApigeeRoute.yaml

Apply the CRD to the cluster:

kubectl apply -f ApigeeRoute.yaml -n apigee

Apply the change to virtualhosts:

$APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT

Usage notes

What happens if the cluster has more than one org?
Since the ingress is at the cluster level for a given port (443), and there can only be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair.
What happens if the cluster has more than one environment group. Will it work if the virtual hosts share the same key/cert pair?
All hostnames across all environment groups must use the same key/cert pair.
Why are we creating an ApigeeRoute instead of Gateway?
ApigeeRoutes can be validated by Apigee; however, Gateway (the Istio CRD) cannot be. Technically, even Gateway can work, but we can prevent potential configuration mistakes (through a validation webhook).

Enable HTTP clients

This section explains support for HTTP clients for use with Apigee hybrid.

Create an ApigeeRoute custom resource definition (CRD). For example:

apiVersion: apigee.cloud.google.com/v1alpha1
kind: ApigeeRoute
metadata:
  name: route_name
  namespace: apigee
spec:
  hostnames:
  - "*"
  ports:
  - number: 80
    protocol: HTTP
  selector:
    app: istio-ingressgateway
  enableNonSniClient: true

Where:

route_name is the name you give to the CRD.
hostnames must be set to the wildcard "*".
Note: Do not create two ApigeeRoute objects with a wildcard "*" hostname.

Open your overrides file and make the change described in the next step.

For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

virtualhosts:
  - name: default
    sslCertPath: ./certs/fullchain.pem
    sslKeyPath: ./certs/privkey.pem
    additionalGateways: ["route_name"]

Save the CRD file. For example: ApigeeRoute.yaml

Apply the CRD to the cluster:

kubectl apply -f ApigeeRoute.yaml -n apigee

Apply the change to virtualhosts:

$APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT

Enable support for both non-SNI and HTTP clients

This section explains how to enable both non-SNI (port 443) and HTTP (port 80) clients for use with Apigee hybrid.

Create an ApigeeRoute custom resource definition (CRD). For example:

apiVersion: apigee.cloud.google.com/v1alpha1
kind: ApigeeRoute
metadata:
  name: route_name
  namespace: apigee
spec:
  hostnames:
  - "*"
  ports:
  - number: 443
    protocol: HTTPS
    tls:
      credentialName: credential_name
      mode: SIMPLE
      #optional
      minProtocolVersion: TLS_AUTO
  - number: 80
    protocol: HTTP
  selector:
    app: istio-ingressgateway
  enableNonSniClient: true

Where:

route_name is the name you give to the CRD.
hostname must be set to the wildcard "*".
Note: Do not create two ApigeeRoute objects with a wildcard "*" hostname.
credential_name is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost.

Open your overrides file and make the change described in the next step.

For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

virtualhosts:
  - name: default
    sslCertPath: ./certs/fullchain.pem
    sslKeyPath: ./certs/privkey.pem
    additionalGateways: ["route_name"]

Save the CRD file. For example: ApigeeRoute.yaml

Apply the CRD to the cluster:

kubectl apply -f ApigeeRoute.yaml -n apigee

Apply the change to virtualhosts:

$APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-06-11 UTC.

Enable non-SNI and HTTP clients Stay organized with collections Save and categorize content based on your preferences.

How to configure a non-SNI client

Usage notes

Enable HTTP clients

Enable support for both non-SNI and HTTP clients

Enable non-SNI and HTTP clients