Skip to main content
Transport Layer Security (TLS) routing enables your API Gateway to handle encrypted traffic based on the Server Name Indication (SNI) without needing to terminate the connection. By default, TLS traffic is routed without termination, preserving full end-to-end encryption. However, TLS termination can be enabled if your use case requires it. Proper TLS routing enables: πŸ”’ End-to-end encryption by default, with optional termination.
🌐 SNI-based routing to differentiate between secure services.
πŸ— Support for multi-tenant architectures using a single IP and port.

​
πŸ” What are the Benefits of TLS Routing?

TLS routing is ideal for environments where secure communication must be preserved from client to backend. With SNI-based routing, the gateway can route requests without accessing the payload, maintaining user privacy and compliance. A well-configured API Gateway can route TLS traffic using:
  • SNI-based rules (e.g., api.example.com β†’ API service, auth.example.com β†’ Auth service).
  • TLS passthrough (default): Maintain end-to-end encryption without terminating TLS at the gateway.
  • TLS termination (optional): Handle TLS termination at the gateway if you don’t want your upstream services to terminate TLS.

​
TLS Routing Examples

The following examples showcase how you can route TLS traffic to your upstream services. See the TLS Endpoints page for more details on how ngrok handles TLS endpoints.
  • AgentEndpoint
  • CloudEndpoint with AgentEndpoint
  • Gateway API
apiVersion: ngrok.k8s.ngrok.com/v1alpha1
kind: AgentEndpoint
metadata:
name: example-service
namespace: default
spec:
url: tls://example-hostname.ngrok.io:8443
upstream:
  url: tls://example-service.example-namespace:8443