TCP passthrough
Set up a TCP listener on the gateway that serves one or more hosts and passes TCP traffic through to a destination.
Because TCP traffic is directly forwarded to the destination, the destination must be capable of handling incoming TLS traffic.
Before you begin
Set up Gloo Mesh Gateway in a single cluster. You do not need to deploy sample apps or set up routing, as you create the TCP helloworld sample app as part of this example.
Open the TCP port on the ingress gateway
When you follow the get started guide, the ingress gateway is set up without a TCP port. To configure a TCP listener on your gateway, you must first open up a TCP port on the ingress gateway.
Get the details of the ingress gateway service and check if port 9000 with the name tcp is open on your ingress gateway.
kubectl get service istio-ingressgateway -n gloo-mesh-gateways -o yaml
Example output if the TCP port is open on the gateway:
...
spec:
  ports:
  - name: tcp
    nodePort: 30358
    port: 9000
    protocol: TCP
    targetPort: 9000
If the port is not yet open on your ingress gateway, perform an upgrade of your Istio ingress gateway to open up the TCP port. The upgrade steps vary based on your gateway installation method.
After the upgrade, verify that the TCP port is now open on your ingress gateway.
kubectl get service istio-ingressgateway -n gloo-mesh-gateways -o yaml
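A scripted version of the port check above, as an added example that is not part of the original guide: it reduces the service's ports to tab-separated name, port, and protocol, and fails when port 9000 with the name tcp is missing. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check that the gateway service exposes the TCP port.

# Live input (requires cluster access): one "name<TAB>port<TAB>protocol" line
# per service port, using the service and namespace names from this guide.
gateway_ports() {
  kubectl get service istio-ingressgateway -n gloo-mesh-gateways \
    -o jsonpath='{range .spec.ports[*]}{.name}{"\t"}{.port}{"\t"}{.protocol}{"\n"}{end}'
}

# Constructed sample input in the same format, so the check can run offline.
sample_ports() {
  printf 'http2\t80\tTCP\nhttps\t443\tTCP\ntcp\t9000\tTCP\n'
}

# check_tcp_port NAME PORT
# Reads port lines on stdin. Returns 0 only if a port with that name and number
# uses protocol TCP. Near misses are explained on stderr.
check_tcp_port() {
  awk -F '\t' -v n="$1" -v p="$2" '
    $1 == n && $2 == p && $3 == "TCP" { found = 1 }
    $1 == n && $2 != p {
      printf "port name %s is bound to %s, not %s\n", n, $2, p | "cat 1>&2" }
    $1 != n && $2 == p {
      printf "port %s is open but named %s, not %s\n", p, $1, n | "cat 1>&2" }
    $1 == n && $2 == p && $3 != "TCP" {
      printf "port %s uses protocol %s, not TCP\n", p, $3 | "cat 1>&2" }
    END { exit found ? 0 : 1 }
  '
}

# Offline run against the constructed sample.
sample_ports | check_tcp_port tcp 9000 && echo "sample: port 9000 (tcp) is open"

# Against a cluster:
# gateway_ports | check_tcp_port tcp 9000 || echo "open the TCP port on the gateway first"
```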
Deploy the helloworld TCP sample app
The helloworld sample app is a simple way to test responses for different app versions. The following examples install four versions of helloworld in your cluster.
Create a helloworld namespace.
kubectl create ns helloworld
Deploy helloworld v1, v2, v3, and v4 to your cluster.
kubectl -n helloworld apply -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/helloworld.yaml
Verify that the helloworld apps are running.
kubectl -n helloworld get pods
Set up a TCP listener on your gateway
To route TCP traffic to the TCP app directly without originating a TLS connection at the gateway, you create a virtual gateway and configure a TCP listener.
When you apply the Gloo custom resources in this guide to your cluster, Gloo Mesh Gateway automatically checks the configuration against validation rules and value constraints. You can also run a pre-admission validation check by using the meshctl x validate resources command. For more information, see the resource validation overview and the CLI command reference.
Create the virtual gateway and configure your TCP listener. Note that the tcp section of your virtual gateway config must remain empty so that the gateway is instructed to directly forward the traffic to the TCP workload in the cluster.
kubectl apply -f- <<EOF
apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: istio-ingressgateway-tcp
  namespace: helloworld
spec:
  listeners:
  - port:
      number: 9000
    tcp: {}
  workloads:
  - selector:
      labels:
        istio: ingressgateway
EOF
Create a route table to route incoming requests on any host to the helloworld TCP app that you created.
kubectl apply -f- <<EOF
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: tcp-route
  namespace: helloworld
spec:
  hosts:
  - '*'
  tcp:
  - forwardTo:
      destinations:
      - port:
          number: 9000
        ref:
          cluster: $CLUSTER_NAME
          name: helloworld
          namespace: helloworld
    matchers:
    - port: 9000
  virtualGateways:
  - name: istio-ingressgateway-tcp
EOF
Get the IP address of your ingress gateway.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-mesh-gateways istio-ingressgateway -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS
Send a request to the ingress gateway address on port 9000.
echo "Hello" | nc -v $INGRESS_GW_ADDRESS 9000
Example output:
Connection to 35.241.2.123 port 9000 [tcp/cslistener] succeeded!
hello-v1 Hello
Next steps
Now that you have the virtual gateway configured, you can add other Gloo Mesh Gateway resources to control traffic that is routed through the gateway.
- Process and route traffic through the virtual gateway with route tables, such as by using header matching, redirects, or direct responses.
- Explore traffic management, security, and resiliency policies that you can apply to your routes and upstream services. For example, you might apply the proxy protocol policy to your API Gateway so that it preserves connection information such as the originating client IP address.
Cleanup
You can optionally remove the resources that you set up as part of this guide.
kubectl delete routetable tcp-route -n helloworld
kubectl delete virtualgateway istio-ingressgateway-tcp -n helloworld
kubectl delete deployment helloworld-v1 -n helloworld
kubectl delete deployment helloworld-v2 -n helloworld
kubectl delete deployment helloworld-v3 -n helloworld
kubectl delete deployment helloworld-v4 -n helloworld
kubectl delete service helloworld -n helloworld
kubectl delete namespace helloworld