Securing Upstream Connections with TLS & Mutual TLS (mTLS)
If your upstream service requires encrypted TLS connections, you need to ensure that requests forwarded from the API Gateway are properly secured using TLS. Additionally, if your upstream service requires mutual TLS (mTLS), you can configure client certificates to authenticate both the API Gateway and the upstream service.
By configuring Upstream TLS and mTLS, you can:
🔐 Ensure end-to-end encryption between ngrok and your backend services.
⚡ Authenticate API Gateway requests using client certificates.
🚀 Enforce stricter security policies for upstream service communication.
🔍 What are the Benefits of Upstream TLS & mTLS?
Securing upstream connections is essential for protecting sensitive data in transit, ensuring that API requests remain confidential and tamper-proof as they move between services.
Key Benefits:
- End-to-End Encryption: Protect sensitive data from client to backend using strong encryption.
- Client Certificate Authentication: Ensure only trusted API gateways can connect to your backend.
- Prevent Unauthorized Access: Block unauthorized requests by requiring valid client certificates.
- Ensure Regulatory Compliance: Meet security standards like HIPAA, PCI DSS, and SOC 2.
- Enhance Service-to-Service Security: Secure Kubernetes microservices using mTLS authentication.
Upstream TLS Examples
The following examples showcase how you can configure client certificates to be used by the ngrok Kubernetes operator when it connects to upstream services.
1. Generate Certificates
Loading…
These commands will generate the following files:
- CA Files:
ca.key: CA private keyca.crt: CA certificate
- Server Files:
server.key: Server private keyserver.csr: Server certificate signing requestserver.crt: Server certificate
- Client Files:
client.key: Client private keyclient.csr: Client certificate signing requestclient.crt: Client certificate (with proper clientAuth extension for mTLS)
2. Configure your Upstream
If you're testing this with an upstream service that you have. It will need to make use of the following files that were generated.
server.crt: Used to terminate TLSserver.key: Used to terminate TLSca.crt: Used to validate client certificates
3. Create a Kubernetes Secret for the Client Certificate
Loading…
The following examples showcase using the client certificate when connecting to the upstream.
- AgentEndpoint
- Ingress
- Gateway API
4. Create an AgentEndpoint that uses the Client Certificate
Loading…
❌ Ingress resources do not natively support advanced upstream TLS options, so this option requires using Gateway API or the AgentEndpoint resources directly.
You can still use TLS upstream services with Ingress resources although you will not be able to configure mutual TLS between the operator and the upstream service.
If your service expects HTTPS instead of HTTP, then you can annotate the Service like the following example to let the ngrok Kubernetes operator know which ports are HTTPS and which are HTTP
Loading…
✅ Gateway API natively supports upstream TLS configuration, and this feature is fully supported by the ngrok Kubernetes operator.
4. Create a Gateway that uses the client certificate Secret
Loading…
5. Create an HTTPRoute that routes to the upstream
Loading…
6. Annotate the Service
In order for the operator to understand what protocol each port of the Service expects, add the following annotation to your upstream Service.
Loading…