Deploying Service Mesh (Beta)

Page last updated:

This topic describes how to deploy service mesh for Pivotal Application Service (PAS).

For more information about service mesh, see Service Mesh (Beta).

Breaking Change: The Service Mesh feature was removed in Tanzu Application Service (TAS) v2.11. You must disable the Service Mesh feature before upgrading to TAS v2.11.

Deploy Service Mesh in PAS

To deploy service mesh:

  1. Navigate to the Ops Manager Installation Dashboard.

  2. Click the PAS tile.

  3. Select Networking - Service Mesh.

  4. Under Service mesh (beta), select Enable.

  5. For IP addresses for Istio router, depending on your IaaS:

    • vSphere: Enter a comma-separated string of static IPs for the Istio routers. You must also configure your load balancer with these IPs.
    • Other: Leave this field blank.
  6. For External domain, enter the domain for Istio routers. The default domain is

  7. For Istio router TLS keypairs, complete these fields:

    • Name: Enter a name for the keypair.
    • Certificate and private key for Istio router: Enter the private key and certificate for TLS handshakes with clients. These must be in PEM block format.

      To add multiple keypairs, click Add.
  8. Click Save.

Configure Load Balancer

To configure a load balancer for service mesh:

  1. Create a load balancer with:

    • A static IP
    • Health check port 8002 and path /healthcheck
    • Firewall rules to allow:
      • HTTP on port 80
      • HTTP on port 8002
      • TLS on port 443
  2. Navigate to your DNS provider and create a DNS name that resolves to the IP of the load balancer:

    • If you did not configure the External domain field in the Networking - Service Mesh (Beta) pane of the PAS tile, create the DNS name using the default value of *.mesh.APPS-DOMAIN, where APPS-DOMAIN is the name of the external domain.
    • If you configured the External domain field in the Networking - Service Mesh (Beta) pane of the PAS tile, create the DNS name using the value you configured.

Add Load Balancer to Resource Config

If your deployment is on an IaaS other than vSphere, you must add the load balancer you created to your Istio router in the Resource Config pane of the PAS tile. To add your load balancer:

  1. Select Resource Config.

  2. In the Load Balancer column of the istio-router row, enter the name of the load balancer you created.

  3. Click Apply Changes.