GKE Gateway adds support for backend mutual TLS
Google Kubernetes Engine Gateway now supports backend mutual TLS (mTLS), allowing the load balancer to authenticate its identity to backend Pods using a client certificate. This enhancement improves security by enabling stricter authentication between the Gateway and backend services. The feature is available for specific GatewayClasses and configured via the standard Gateway API.
Features (1) ›
- Google Kubernetes Engine
GKE Gateway now supports backend mutual TLS (mTLS). In addition to backend authenticated TLS, backend mTLS allows the GKE Gateway load balancer to authenticate its identity to backend Pods by presenting a client certificate. GKE Gateway configures backend mTLS using the standard Gateway API spec.tls.backend.clientCertificateRef field. This feature is supported for the following GatewayClasses: gke-l7-global-external-managed gke-l7-regional-external-managed gke-l7-rilb For more information, see Configure backend mutual TLS (mTLS) for a Gateway .
https://docs.cloud.google.com/release-notes#July_07_2026