Limit active connections
You can configure the options.ConnectionLimit parameters in the gateway resource to restrict the number of active TCP connections for the gateway, and optionally make the gateway wait before it closes a connection that exceeds the limit. Like the rate limit filter, which limits requests based on connection rate, the connection limit filter limits traffic based on the number of active connections. Capping active connections reduces the risk of attacks that try to exhaust the gateway's connections, and in turn helps ensure that each gateway has enough compute resources to process incoming requests.
The TCP connection filter is a Layer 4 filter and is executed before the HTTP Connection Manager plug-in and related filters.
For more information about the connection limit settings, see the Envoy documentation.
Before you begin

Install the `telnet` client on your local machine. You use this client to establish TCP connections to the gateway. For example, on macOS you can run `brew install telnet` to install the client.
Configure connection limits

- Deploy the TCP echo service in your cluster.

  ```sh
  kubectl apply -f- <<EOF
  apiVersion: v1
  kind: Pod
  metadata:
    labels:
      gloo: tcp-echo
    name: tcp-echo
  spec:
    containers:
    - image: soloio/tcp-echo:latest
      imagePullPolicy: IfNotPresent
      name: tcp-echo
    restartPolicy: Always
  ---
  apiVersion: v1
  kind: Service
  metadata:
    labels:
      app: gloo
    name: tcp-echo
  spec:
    ports:
    - name: http
      port: 1025
      protocol: TCP
      targetPort: 1025
    selector:
      gloo: tcp-echo
  EOF
  ```

  Example output:

  ```
  pod/tcp-echo created
  service/tcp-echo created
  ```
- Verify that an upstream was automatically created for the echo service.

  ```sh
  kubectl get upstreams default-tcp-echo-1025 -n gloo-system
  ```
- Create a TCP gateway with connection limit settings. The following gateway accepts only one active connection at any given time. Before closing a new connection that exceeds the limit, the gateway waits 2 seconds.

  ```sh
  kubectl apply -n gloo-system -f - <<EOF
  apiVersion: gateway.solo.io/v1
  kind: Gateway
  metadata:
    name: tcp
    namespace: gloo-system
  spec:
    bindAddress: '::'
    bindPort: 8000
    tcpGateway:
      options:
        connectionLimit:
          maxActiveConnections: 1
          delayBeforeClose: 2s
      tcpHosts:
      - name: one
        destination:
          single:
            upstream:
              name: default-tcp-echo-1025
              namespace: gloo-system
    useProxyProto: false
  EOF
  ```
- Open a TCP port on the `gateway-proxy` service in your cluster and bind it to the gateway port 8000.

  - Edit the `gateway-proxy` service.

    ```sh
    kubectl edit service gateway-proxy -n gloo-system
    ```

  - In the `spec.ports` section, add the TCP port.

    ```yaml
    ...
    - name: tcp
      nodePort: 30197
      port: 8000
      protocol: TCP
      targetPort: 8000
    ```

    Your `spec.ports` section looks similar to the following:

    ```yaml
    ports:
    - name: http
      nodePort: 32653
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: https
      nodePort: 30550
      port: 443
      protocol: TCP
      targetPort: 8443
    - name: tcp
      nodePort: 30197
      port: 8000
      protocol: TCP
      targetPort: 8000
    ```
- Get the public IP address of your gateway proxy. Note that the following command returns the IP address and the default port.

  ```sh
  glooctl proxy address
  ```
- Open a telnet session to the public IP address of the gateway and port 8000.

  ```sh
  telnet <public-gateway-IP> 8000
  ```

  Example output:

  ```
  Connected to 113.21.184.35.bc.googleusercontent.com.
  Escape character is '^]'.
  ```
- Enter any string and verify that the echo service returns the same string. For example, you can enter `hello`.

  ```
  hello
  ```

  Example output:

  ```
  hello
  hello
  ```
- Open another terminal window and try to establish another connection to the gateway on port 8000. Because the gateway is configured to allow only one connection at a time, the connection is terminated after the 2 second delay.

  ```sh
  telnet <public-gateway-IP> 8000
  ```

  Example output:

  ```
  Connected to 113.21.184.35.bc.googleusercontent.com.
  Escape character is '^]'.
  Connection closed by foreign host.
  ```
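The telnet check above exercises the limit with one extra session at a time. The following Python probe, an added example that is not part of the Gloo docs or project, opens several connections at once and reports which ones the gateway admitted, so you can confirm `maxActiveConnections` and `delayBeforeClose` from a script. It assumes an echo backend such as the tcp-echo pod and a limit that closes an excess connection after the delay without answering it; `LimitedEchoServer` is a local stand-in for the gateway so the probe can be tried without a cluster.

```python
import socket
import socketserver
import threading
import time
# Added example, not from the Gloo docs. Assumes an echo backend like the tcp-echo
# pod: an admitted connection echoes its probe, a rejected one is closed unanswered.

def probe_connection_limit(host, port, attempts, wait_seconds, timeout=5.0):
    """Open `attempts` connections at once and hold them. Returns one bool per
    connection: True if its probe was echoed (admitted), False otherwise."""
    socks = [socket.create_connection((host, port), timeout=timeout) for _ in range(attempts)]
    results = []
    try:
        for i, s in enumerate(socks):
            s.sendall(f"probe-{i}\n".encode())
        time.sleep(wait_seconds)  # must be longer than delayBeforeClose
        for i, s in enumerate(socks):
            try:
                data = s.recv(64)
            except OSError:  # timeout, or a reset because the peer never read it
                data = b""
            results.append(data == f"probe-{i}\n".encode())
    finally:
        for s in socks:
            s.close()
    return results

class _LimitedEchoHandler(socketserver.BaseRequestHandler):
    def handle(self):
        with self.server.lock:
            admitted = self.server.active < self.server.max_active
            self.server.active += admitted
        if not admitted:
            time.sleep(self.server.delay)  # delayBeforeClose, then close unread
            return
        try:
            while data := self.request.recv(1024):
                self.request.sendall(data)  # echo, like the tcp-echo backend
        finally:
            with self.server.lock:
                self.server.active -= 1

class LimitedEchoServer(socketserver.ThreadingTCPServer):
    """Local stand-in for the gateway with maxActiveConnections/delayBeforeClose."""
    daemon_threads = True
    def __init__(self, max_active, delay_before_close):
        super().__init__(("127.0.0.1", 0), _LimitedEchoHandler)
        self.max_active, self.delay = max_active, delay_before_close
        self.active, self.lock, self.port = 0, threading.Lock(), self.server_address[1]
        threading.Thread(target=self.serve_forever, daemon=True).start()
```

Against the gateway from this guide, `probe_connection_limit("<public-gateway-IP>", 8000, 2, 3.0)` should report exactly one admitted connection.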
Cleanup

You can optionally clean up the resources that you created as part of this guide.

- Remove the TCP gateway.

  ```sh
  kubectl delete gateway tcp -n gloo-system
  ```

- Remove the echo pod and service.

  ```sh
  kubectl delete service tcp-echo
  kubectl delete pod tcp-echo
  ```

- Edit the `gateway-proxy` service and remove the TCP port settings.

  ```sh
  kubectl edit service gateway-proxy -n gloo-system
  ```