Enabling Service-Gateway Access

Note: Pivotal Platform is now part of VMware Tanzu. In v1.20 and later, VMware Tanzu RabbitMQ [VMs] is named VMware Tanzu RabbitMQ for VMs.

This topic explains how to enable service-gateway access.

Overview

Service-gateway access enables a VMware Tanzu RabbitMQ for VMs on-demand service instance to connect to external components that are not on the same foundation as the service instance.

For a more detailed overview, see Service-Gateway Access.

To enable service-gateway access for an on-demand offering:

  1. Enable TCP routing using the TAS for VMs tile
  2. Configure the firewall to allow incoming traffic to the TCP router
  3. Configure the load balancer in the IaaS to redirect traffic to the TCP router
  4. Create a DNS record that maps to the load balancer
  5. Configure a service-gateway-enabled plan

Warning: VMware recommends that you configure Transport Layer Security (TLS) alongside service-gateway access to prevent man-in-the-middle attacks. For instructions on how to configure TLS, see Configure Security.

Enable TCP Routing Using the TAS for VMs Tile

TCP routing is disabled by default. To enable TCP routing:

  1. Go to the Networking pane of the TAS for VMs tile.
  2. Under Enable TCP requests to apps through specific ports on the TCP router, select Enable TCP routing.
  3. For TCP routing ports, enter one or more ports to which the load balancer forwards requests. For example, 1024 for a single port or 1024–1123 for a range of ports.
  4. Apply changes in Ops Manager for the TAS for VMs tile to create the TCP router.
  5. From the status tab of the TAS for VMs tile, record the cloud identity (CID) of the TCP router.

    Screenshot showing Ops Manager UI with the 'Status' tab selected. In the tab contents, there is a table with several columns labeled 'Job', 'Index,' 'IPS', 'AZ', and 'CID'. The screenshot highlights with a red outline the last row in the table for the job 'TCP Router'.

Configure the Firewall to Allow Incoming Traffic to the TCP Router

  1. Allow incoming traffic to the TCP router VM created in Enable TCP Routing Using the TAS for VMs Tile above. For information about how to do so, see the documentation for your IaaS.

Configure the Load Balancer in the IaaS to Redirect Traffic to the TCP Router

To configure the load balancer:

  1. Use the IaaS console and the CID that you recorded earlier to find the VM that runs the TCP router.
  2. Create an external TCP load balancer that points to the VM running the TCP router.
  3. Configure a distinct external port range that does not overlap with the TCP networking port or port range that you configured in Enable TCP Routing Using the TAS for VMs Tile above.

    For example, if your TCP routing port range is 1024-1123, then your load balancer port range for service gateway must not overlap 1024-1123.

    Note: Each Tanzu RabbitMQ service instance using service-gateway access requires a unique port. Ensure that the port range configured above has enough capacity to accommodate all the service instances that you need. The start port and the end port are both inclusive.

    Diagram showing Service Gateway port ranges: Traffic flows to the apps from the Load Balancer using ports in the TAS LB port range through the TCP Router using ports in the TAS TCP port range. Traffic flows to the RabbitMQ for VMs service instances from the Load Balancer using ports in the Service Gateway LB port range through the TCP Router using ports in the Service Gateway TCP port range.

  4. Record this port range.

Create a DNS Record That Maps to the Load Balancer

To create a DNS record and prepare to map it:

  1. Following the documentation for your IaaS, create a new DNS record of type A that maps to the external IP address of the load balancer created in Configure the Load Balancer in the IaaS to Redirect Traffic to the TCP Router above.
  2. Record the domain used for this DNS record.

Configure a Service-Gateway-Enabled Plan

To configure a service-gateway-enabled plan:

  1. In the Global Settings for On-Demand Plans pane in the RMQ tile, fill in the following fields:

    Example of the Global Settings for On-Demand Plans pane. The External TCP domain field has tcp.elcajon.cf-app.com. The Port Range field has 1024–2025.

    Warning: If you already have service instances using service-gateway, any modifications to this range must include ports that are already assigned to these service instances. If the port range does not contain the ports already assigned to service instances, the upgrades for the service instances fail. For example, if service-gateway access has the port range 1000-1005, and there are service instances that correspond to ports 1000, 1001, and 1002, then the new port range must have ports 1000, 1001, and 1002.

  2. Navigate to the service plan that you want to use and select the Service-Gateway Access checkbox.

    Note: VMware recommends that you change the name or the description of the plan to indicate that service-gateway access is enabled for that plan.

    Screenshot of the service plan pane with the service-gateway access checkbox selected.

    Note: If service-gateway access is disabled and then re-enabled, app developers must create new service keys to obtain a new set of credentials for service-gateway access.

  3. Go back to Ops Manager Installation Dashboard > Review Pending Changes.

  4. Click Apply Changes to apply the changes to the Tanzu RabbitMQ tile.
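
Before applying a new or modified port range, the three constraints stated above can be checked offline: the service-gateway range must not overlap the TCP routing range, it must still contain every port already assigned to a service instance, and it must have one port per instance. The following Python check is an added example, not part of the product or its tooling; the function names and sample values are constructed, and it assumes each range is written as a single port or as start-end.

```python
# Added example: pre-change checks for a service-gateway port range.
# Function names and all sample values are constructed for illustration.

def parse_range(text):
    """Parse '1024' or '1024-1123' (hyphen or en dash) into inclusive (start, end)."""
    parts = text.replace("\u2013", "-").split("-")
    start, end = int(parts[0]), int(parts[-1])
    if len(parts) > 2 or not (1 <= start <= end <= 65535):
        raise ValueError(f"invalid port range: {text!r}")
    return start, end


def check_gateway_range(tcp_routing, gateway, assigned_ports=(), planned_instances=0):
    """Return a list of problems; an empty list means the range passes all checks."""
    problems = []
    t_start, t_end = parse_range(tcp_routing)
    g_start, g_end = parse_range(gateway)

    # The service-gateway range must not overlap the TCP routing range.
    if g_start <= t_end and t_start <= g_end:
        problems.append(f"overlap: {gateway} intersects TCP routing range {tcp_routing}")

    # Ports already assigned to service instances must stay inside the range,
    # otherwise upgrades of those instances fail.
    assigned = set(assigned_ports)
    missing = sorted(p for p in assigned if not g_start <= p <= g_end)
    if missing:
        problems.append(f"missing assigned ports: {missing}")

    # Each instance needs a unique port; start and end are both inclusive.
    capacity = g_end - g_start + 1
    needed = len(assigned) + planned_instances
    if needed > capacity:
        problems.append(f"capacity: {needed} instances need ports, range holds {capacity}")

    return problems


if __name__ == "__main__":
    # Constructed scenario based on the warning above: instances hold ports
    # 1000, 1001 and 1002, and the proposed new range drops port 1000.
    for problem in check_gateway_range("1024-1123", "1001-1005", [1000, 1001, 1002]):
        print(problem)
```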

Disable Service-Gateway Access

Note: If service-gateway access is disabled and then re-enabled, app developers must create new service keys to obtain a new set of credentials for service-gateway access.

To disable service-gateway access:

  1. Navigate to the service plan that you want to disable service-gateway access for and clear the Service-Gateway Access checkbox.

    Note: VMware recommends that you change the name or the description of the plan to indicate that service-gateway access is disabled for that plan.

  2. Go back to Ops Manager Installation Dashboard > Review Pending Changes.

  3. Click Apply Changes to apply the changes to the Tanzu RabbitMQ tile.

Developer Workflow

For instructions for app developers, see Create a Service Instance with Service-Gateway Access.
