Configuring TCP Routing in PAS
This topic describes how to enable the TCP routing feature in a Pivotal Application Service (PAS) deployment.
Breaking Change: If you have mutual TLS app identity verification enabled, Envoy only recognizes communications from the Gorouter. Therefore, TCP routing no longer works.
Overview
TCP routing enables apps that require inbound requests on non-HTTP protocols to run on Pivotal Platform.
Prerequisite
Before enabling TCP routing, review the pre-deployment steps that describe required networking infrastructure changes. For more information, see Pre-Deployment Steps in Enabling TCP Routing.
Enable TCP Routing
TCP routing is disabled by default.
To enable TCP routing:
Navigate to the Pivotal Operations Manager Installation Dashboard.
Click the PAS tile.
Select Networking.
Under Enable TCP requests to apps through specific ports on the TCP router, select Enable TCP routing.
Note: If you have mutual TLS app identity verification enabled, app containers accept incoming communication only from the Gorouter. This disables TCP routing.
For TCP routing ports, enter one or more ports to which the load balancer forwards requests. To support multiple TCP routes, Pivotal recommends allocating multiple ports. Do one of the following:
- To allocate a single port or range of ports, enter a single port or a range of ports.
  Note: If you configured AWS for PAS manually, enter 1024-1123, which corresponds to the rules you created for pcf-tcp-elb.
- To allocate a list of ports:
  - Enter a single port in the TCP routing ports field.
  - After deploying PAS, follow the procedure in Configuring a List of TCP Routing Ports in Pivotal Application Service v2.3 Release Notes to add TCP routing ports using the cf CLI.
(Optional) For TCP request timeout, modify the default value of 300 seconds. This field determines when the TCP router closes idle connections from clients to apps that use TCP routes. You may want to increase this value to enable developers to push apps that require long-running idle connections with clients.
Follow these additional instructions based on your IaaS:
- GCP: Specify the name of a GCP TCP load balancer in the LOAD BALANCER field of the TCP Router job in the Resource Config pane. You configure this later on in PAS. For more information, see Configuring Load Balancing for PAS.
- AWS: Specify the name of a TCP ELB in the LOAD BALANCER field of the TCP Router job in the Resource Config pane. You configure this later on in PAS. For more information, see Configuring Load Balancing for PAS.
- Azure: Specify the name of an Azure load balancer in the LOAD BALANCER field of the TCP Router job in the Resource Config pane. You configure this later on in PAS. For more information, see Configuring Load Balancing for PAS.
- OpenStack and vSphere:
  - Return to the top of the Networking pane.
  - In the TCP router IPs field, ensure that you have entered IP addresses that are within your subnet CIDR block. These are the same IP addresses you configured your load balancer with in Pre-Deployment Steps in Enabling TCP Routing, unless you configured DNS to resolve the TCP domain name directly to an IP you have chosen for the TCP router.
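A pre-flight check for the values entered in the TCP routing ports and TCP router IPs fields, given here as an added example that is not part of the original Pivotal documentation. The function names, the 10.0.4.0/24 subnet and the sample addresses are constructed, and the comma-separated format of the IP list is an assumption.

```python
import ipaddress

def parse_port_spec(spec):
    """Parse a single port ("1024") or an inclusive range ("1024-1123")."""
    parts = [p.strip() for p in spec.split("-")]
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a port or port range: {spec!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"ports reversed or outside 1-65535: {spec!r}")
    return range(low, high + 1)

def check_router_ips(ip_list, subnet_cidr):
    """Return the problems found in a comma-separated IP list (assumed format)."""
    network = ipaddress.ip_network(subnet_cidr)
    reserved = set()
    if network.num_addresses > 2:
        # Network and broadcast addresses cannot be assigned to a router VM.
        reserved = {network.network_address, network.broadcast_address}
    problems, seen = [], set()
    for raw in ip_list.split(","):
        text = raw.strip()
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            problems.append(f"{text!r}: not an IP address")
            continue
        if ip in seen:
            problems.append(f"{ip}: listed more than once")
        seen.add(ip)
        if ip not in network:
            problems.append(f"{ip}: outside subnet {network}")
        elif ip in reserved:
            problems.append(f"{ip}: network or broadcast address of {network}")
    return problems

if __name__ == "__main__":
    # Constructed sample values; 1024-1123 is the range the page gives for AWS.
    ports = parse_port_spec("1024-1123")
    print(f"{len(ports)} TCP routing ports: {ports.start}-{ports.stop - 1}")
    for problem in check_router_ips("10.0.4.10, 10.0.5.12, 10.0.4.255", "10.0.4.0/24"):
        print("problem:", problem)
```

The port count it reports is the number of listeners the load balancer and firewall rules must expose, so keep the range as narrow as the number of TCP routes you expect to need.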
Disable TCP Routing
To disable TCP routing:
Navigate to the Ops Manager Installation Dashboard.
Click the PAS tile.
Select Networking.
Under Enable TCP requests to apps through specific ports on the TCP router, select Disable TCP routing.
Manually remove the TCP routing domain.