Application routing add on Gateway API implementation Limitation Query

Laha, Prithwish 25 Reputation points
2026-06-29T13:24:42.36+00:00

I am exploring Application routing add on Gateway API implementation for AKS ingress solution. I want to implement end to end TLS on traffic (Client <-> Gateway API <-> k8s backend service/Application Pods). The documentation states below limitation. I want to understand what does it exactly mean. Does it not support TLS between Gateway API/Ingress and k8s backend service/Application Pods ?

"Configuring HTTPS ingress access to HTTPS services – i.e., Server Name Indication (SNI) Passthrough – via the TLSRoute resource is not currently supported. Support for the TLSRoute resource will be available once AKS adds support for Istio 1.30, at which point your application routing Istio control plane will be automatically upgraded to that version."

Azure Kubernetes Service
Azure Kubernetes Service

An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.


1 answer

Sort by: Most helpful
  1. Alex Burlachenko 23,575 Reputation points MVP Volunteer Moderator
    2026-06-30T11:28:46.8966667+00:00

    Hi Laha Prithwish, thx for sharing urs issue here at Q&A portal.

    That limitation is about SNI passthrough using TLSRoute, not all backend TLS. It means AKS application routing currently doesn’t support passing the original client TLS session straight through the Gateway to an HTTPS backend using Gateway API TLSRoute. So this is not supported right now Client TLS > Gateway just passes SNI/TLS through > backend pod terminates TLS

    But u can still usually do TLS termination at the Gateway and then connect to backend services depending on what the addon supports for the HTTPRoute/backend config.

    So the difference is Client > HTTPS > Gateway terminates TLS > HTTP/HTTPS to backend

    vs

    Client > HTTPS passthrough > backend terminates TLS

    The doc is saying the second one, SNI passthrough with TLSRoute, isn’t supported until AKS supports the needed Istio version. https://learn.microsoft.com/en-us/azure/aks/app-routing-gateway-api & https://gateway-api.sigs.k8s.io/api-types/tlsroute/ & https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/

    If u need strict end-to-end TLS where the pod owns the cert and decrypts traffic itself, this addon may not fit yet. U may need Istio ingress directly, NGINX ingress with SSL passthrough, or another ingress/gateway option that supports TLS passthrough today.

    Rgds,

    Alex

    &

    If my answer was helpful pls mark it and additional thx if u follow me at Q&A portal

    and at my blog https://ctrlaltdel.blog/

    Was this answer helpful?


Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.