Our environment contains multiple gateway instance behind LBR. We have one #ssl port enabled at LBR and SSL handshake is performed at LBR only. If we want to configure mutual SSL for select API consumers, we may need to enable it at that port only. Will it impact all the API consumers, who are not implementing mutual SSL ? If yes, do we need to assign a different port for each API consumer at load balancer, who is going to have #mutualssl ? or do we have some other mechanism which allows us to use only single port (like 8443) for all and have mutual SSL enabled for select few on same port only?
first a short explanation, how we are using this kind of scenario. We are using different URLs/DNS-names for access with and without mutual SSL. Means we have different VIPs configured on the LB in front of the API GWs, one with mutual SSL enabled and the other without. Using just a single VIP on the LBs depends at least on the manufactor and its provided features of the LB. Assuming it's hopefully a F5 LB you could work with two different SSL-profiles on the same VIP (one with mutual SSL enabled and the other without), which will be identified/choosen based on SNI (assuming all your consumers are supporting SNI). So you still need two different DNS-names, which are both resolving to the same VIP on the LB.
Hope that's clear and helpful for you.