This topic tells you how to enable service-gateway access in Tanzu for MySQL.
Service-gateway access enables external clients to connect to a MySQL service. The clients are typically apps running external to the foundation, apps on a different foundation, and management tools such as MySQL Workbench.
For a more detailed overview, see About Service-Gateway access.
To enable service-gateway access for an on-demand offering:
- Activate TCP routing using the Tanzu Platform for Cloud Foundry tile.
- Configure the firewall to allow incoming traffic to the TCP router.
- Configure the load balancer in the IaaS to redirect traffic to the TCP router.
VMware recommends that you configure Transport Layer Security (TLS) alongside service-gateway access to prevent man-in-the-middle attacks. For instructions for configuring TLS, see Configure security.
Enable TCP Routing using the Tanzu Platform for CF tile
TCP routing is turned off by default. To enable TCP routing:
- Go to the Networking pane of the Tanzu Platform for CF tile.
- Under Enable TCP requests to apps through specific ports on the TCP router, select Enable TCP routing.
- For TCP routing ports, enter one or more ports to which the load balancer forwards requests. For example, 1024 for a single port or 1024–1123 for a range of ports.
- Go to Tanzu Ops Manager Installation Dashboard > Review Pending Changes.
- Click Apply Changes for the Tanzu Platform for CF tile to create the TCP router.
- From the status tab of the Tanzu Platform for CF tile, record the cloud identity (CID) of the TCP router.
Configure the firewall to allow incoming traffic to the TCP Router
The steps to allow traffic to the TCP router depend on your IaaS:
- Allow incoming traffic to the TCP router VM created in Activate TCP Routing using the Tanzu Platform for Cloud Foundry tile.
For more detailed information, see the documentation for your IaaS.
Configure the Load Balancer in the IaaS to redirect traffic to the TCP Router
To configure the load balancer:
- Use the IaaS console and the CID you recorded earlier to find the VM that runs the TCP router.
- Create an external TCP load balancer that points to the VM running the TCP router.
- Configure a distinct external port range that does not overlap with any of the following:
  - The TCP networking port or port range that you configured in Activate TCP Routing using the Tanzu Platform for CF tile.
  - The port range configured for service-gateway access for other service tiles, such as VMware Tanzu RabbitMQ.
  For example, if your TCP routing port range is 1024–1123, and ports 1124–1223 are reserved for Tanzu RabbitMQ service instances, then your load balancer port range for service gateway must not overlap 1024–1223.
  Each Tanzu for MySQL service instance using service-gateway access requires a unique port. Ensure that the port range configured has enough capacity to accommodate all the service instances you need. The start port and the end port are both inclusive.
- Record this port range.
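One way to check a proposed service-gateway port range against the rules above before entering it in the load balancer. This is an added example, not part of the product documentation; the function names are hypothetical and the reserved ranges are the ones used in the example above.

```python
import re

def parse_range(text):
    """Parse 'START-END' (hyphen or en dash) or a single port into an inclusive (start, end)."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:[-\u2013]\s*(\d+))?\s*", text)
    if not m:
        raise ValueError(f"not a port or port range: {text!r}")
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else start
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"invalid port range: {text!r}")
    return start, end

def overlaps(a, b):
    # Both ends are inclusive, so 1124-1223 and 1223-1300 collide on port 1223.
    return a[0] <= b[1] and b[0] <= a[1]

def check_gateway_range(candidate, reserved, instances_needed):
    """Return a list of problems; an empty list means the candidate range is usable."""
    cand = parse_range(candidate)
    problems = []
    for label, text in reserved.items():
        if overlaps(cand, parse_range(text)):
            problems.append(f"{candidate} overlaps {label} ({text})")
    # Each service instance needs its own port; start and end both count.
    capacity = cand[1] - cand[0] + 1
    if capacity < instances_needed:
        problems.append(f"{candidate} holds {capacity} instances, {instances_needed} needed")
    return problems

# Constructed values, taken from the example in the text above.
RESERVED = {
    "TCP routing ports": "1024\u20131123",
    "Tanzu RabbitMQ service gateway": "1124-1223",
}

if __name__ == "__main__":
    for candidate in ("1200-1299", "1224-1323"):
        issues = check_gateway_range(candidate, RESERVED, instances_needed=100)
        print(candidate, "OK" if not issues else issues)
```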
Create a DNS record that maps to the Load Balancer
To create a DNS record and prepare to map it:
- Following the documentation for your IaaS, create a new DNS record of type A that maps to the external IP address of the load balancer created in Configure the Load Balancer in the IaaS to redirect traffic to the TCP Router.
- Record the domain used for this DNS record.
Enable Service-Gateway access
When service-gateway access is enabled, all developers have the ability to create a service instance that is available to apps outside the foundation.
For Tanzu for MySQL, service-gateway access is enabled globally. Access is not tied to certain service plans, as in Tanzu RabbitMQ.
To configure service-gateway access for the foundation:
- Go to the Settings pane in the Tanzu for MySQL tile.
- Under Enable off-platform access of MySQL service instances, click Enabled.
  This activates the feature and makes the External TCP Domain, External TCP Port Range, and Enable External Access for All Multi-Site Instances fields visible.
- Configure the fields as follows:

  | Field | Instructions |
  | --- | --- |
  | External TCP Domain | Set to the DNS entry for the external load balancer that you recorded in Create a DNS Record That Maps to the Load Balancer. |
  | External TCP Port Range | Set to the range of ports you configured for the external load balancer for MySQL service instances in Configure the Load Balancer in the IaaS to Redirect Traffic to the TCP Router. |

  If service-gateway access is deactivated and then activated again, app developers must create new service keys to obtain a new set of credentials for service-gateway access.
- Go back to Tanzu Ops Manager Installation Dashboard > Review Pending Changes.
- Click Apply Changes to apply the changes to the Tanzu for MySQL tile.
Turn off Service-Gateway access
If service-gateway access is turned off and then enabled again, app developers must create new service keys to obtain a new set of credentials for service-gateway access.
To turn off service-gateway access:
- Go to the Settings pane in the Tanzu for MySQL tile.
- For Enable off-platform access of MySQL service instances, click Disabled.
- Go back to Tanzu Ops Manager Installation Dashboard > Review Pending Changes.
- Click Apply Changes to apply the changes to the Tanzu for MySQL tile.
Developer workflow
For instructions for app developers, see Create a service instance with Service-Gateway access.