Hi,
We are migrating APIs from CA Layer7 to Apigee. There are lots of APIs which are running on mutual TLS for inbound requests. As per the migration plan, we are going with the approach of first bringing the Apigee layer in front of CA Layer7 and routing all traffic from Apigee to Layer7.
Since Apigee breaks TLS in the proxy endpoint before routing the request to the target, there is additional effort required to bind the certificate to the target endpoint. Is it possible to make TLS pass through from Apigee to the backend system (CA Layer7 here)?
Thanks,
Patty
No, if I understand your question correctly: it is not possible to configure the Apigee proxy to act as a layer-4 proxy, which is necessary to "passthrough" the encrypted packets to the backend system, without terminating the inbound TLS connection and initiating a new TLS connection southbound.
Apigee acts as a layer-7 (not Layer7 (tm)) proxy. It terminates inbound TLS connections and initiates new TLS connections outbound.
To follow the process you are imagining, I think you will need to
Since you are planning for migration, why don't you lift mTLS to Apigee (at some point you will move away from the other API gateway)?
1. The request from the client with mTLS reaches Apigee, which offloads the mTLS.
2. Within Apigee you can propagate the SSL variables, so you can enable that and propagate the required certificate information to the backend.
https://docs.apigee.com/api-platform/system-administration/tls-vars
3. On the CA API gateway, you need to disable the mTLS offload since Apigee has taken care of it; just read the SSL variables and pass them through to the backend.
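
The three steps above, sketched as Apigee Edge configuration fragments. This is an added example, not part of the original replies; the host alias, keystore/truststore references, key aliases, header names and target URL are placeholders, while `PropagateTLSInformation` and the `tls.client.*` flow variables are the ones documented at the link in step 2.

```xml
<!-- Fragment 1: virtual host. Terminates client mTLS and exposes tls.* flow variables. -->
<VirtualHost name="secure">
  <HostAliases>
    <HostAlias>api.example.com</HostAlias>                 <!-- placeholder -->
  </HostAliases>
  <Port>443</Port>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>            <!-- require a client certificate -->
    <KeyStore>ref://northbound-keystore-ref</KeyStore>     <!-- placeholder -->
    <KeyAlias>northbound-alias</KeyAlias>                  <!-- placeholder -->
    <TrustStore>ref://client-ca-truststore-ref</TrustStore> <!-- placeholder -->
  </SSLInfo>
  <PropagateTLSInformation>
    <ConnectionProperties>true</ConnectionProperties>
    <ClientProperties>true</ClientProperties>
  </PropagateTLSInformation>
</VirtualHost>

<!-- Fragment 2: AssignMessage policy in the request flow. Set replaces any
     same-named header the client sent, so these values always come from Apigee. -->
<AssignMessage name="AM-Forward-Client-Cert">
  <Set>
    <Headers>
      <Header name="X-Client-Cert-Subject">{tls.client.s.dn}</Header>
      <Header name="X-Client-Cert-Issuer">{tls.client.i.dn}</Header>
      <Header name="X-Client-Cert-Fingerprint">{tls.client.cert.fingerprint}</Header>
    </Headers>
  </Set>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- Fragment 3: target endpoint. New TLS connection to Layer7, with Apigee presenting
     its own client certificate so Layer7 can tell the request came through Apigee. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ref://southbound-keystore-ref</KeyStore>   <!-- placeholder -->
      <KeyAlias>southbound-alias</KeyAlias>                <!-- placeholder -->
      <TrustStore>ref://layer7-truststore-ref</TrustStore> <!-- placeholder -->
    </SSLInfo>
    <URL>https://layer7.example.internal</URL>             <!-- placeholder -->
  </HTTPTargetConnection>
</TargetEndpoint>
```

Once Layer7 stops validating the end client's certificate itself, the forwarded headers are only as trustworthy as the hop that delivered them, so Layer7 should accept them only on connections authenticated with Apigee's southbound certificate.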