Skip to main content

Securing Upstream Connections with TLS & Mutual TLS (mTLS)

If your upstream service requires encrypted TLS connections, you need to ensure that requests forwarded from the API Gateway are properly secured using TLS. Additionally, if your upstream service requires mutual TLS (mTLS), you can configure client certificates to authenticate both the API Gateway and the upstream service.

By configuring Upstream TLS and mTLS, you can:

🔐 Ensure end-to-end encryption between ngrok and your backend services.
⚡ Authenticate API Gateway requests using client certificates.
🚀 Enforce stricter security policies for upstream service communication.

🔍 What are the Benefits of Upstream TLS & mTLS?

Securing upstream connections is essential for protecting sensitive data in transit, ensuring that API requests remain confidential and tamper-proof as they move between services.

Key Benefits:

  • End-to-End Encryption: Protect sensitive data from client to backend using strong encryption.
  • Client Certificate Authentication: Ensure only trusted API gateways can connect to your backend.
  • Prevent Unauthorized Access: Block unauthorized requests by requiring valid client certificates.
  • Ensure Regulatory Compliance: Meet security standards like HIPAA, PCI DSS, and SOC 2.
  • Enhance Service-to-Service Security: Secure Kubernetes microservices using mTLS authentication.

Upstream TLS Examples

The following examples showcase how you can configure client certificates to be used by the ngrok Kubernetes operator when it connects to upstream services.

1. Generate Certificates

Loading…

These commands will generate the following files:

  • CA Files:
    • ca.key: CA private key
    • ca.crt: CA certificate
  • Server Files:
    • server.key: Server private key
    • server.csr: Server certificate signing request
    • server.crt: Server certificate
  • Client Files:
  • client.key: Client private key
  • client.csr: Client certificate signing request
  • client.crt: Client certificate (with proper clientAuth extension for mTLS)

2. Configure your Upstream

If you're testing this with an upstream service that you have. It will need to make use of the following files that were generated.

  • server.crt: Used to terminate TLS
  • server.key: Used to terminate TLS
  • ca.crt: Used to validate client certificates

3. Create a Kubernetes Secret for the Client Certificate

Loading…

The following examples showcase using the client certificate when connecting to the upstream.

4. Create an AgentEndpoint that uses the Client Certificate

Loading…