Tanzu Platform SaaS

Configure egress rules

Last Updated February 19, 2025

This topic tells you how to manage egress rules in a Kubernetes Space by using the egress.tanzu.vmware.com Capability and the EgressPoint resource in Tanzu Platform. For more information about the Capability and the resource, see About Egress.

You can manage EgressPoint resources in Tanzu Platform using the Egress tab in your Space. From the Egress tab, you can create new egress points and view, edit, or delete existing egress points.

Before you begin

Before defining an EgressPoint resource:

  • Install the Tanzu CLI egress plug-in if not already installed.

  • Create a Space that includes the egress.tanzu.vmware.com Capability. For an example Space, see Create an application environment using Spaces.

  • Deploy an application to the Space that is configured to make HTTP or HTTPS requests to an endpoint outside the Space.

Create an EgressPoint

You can create an EgressPoint in Tanzu Platform or using the Tanzu CLI.

Tanzu Platform UI
To create an EgressPoint using the Tanzu Platform UI:
  1. Go to Spaces > Overview.

  2. Click the Space for which you want to define egress rules.

  3. On the Space details page, click the Egress tab.

  4. Click Create Egress Point.

  5. In the Name text box, enter the name you want for the EgressPoint. For example, example-egress.

  6. If you want the source to default to the entire Space, deactivate the SourceRef toggle. Otherwise, activate the SourceRef toggle and then fill in the following text boxes:

    Text box    Example value
    api Group   apps
    Kind        Deployment
    Name        account-service

    The SourceRef points to a Kubernetes resource within the Space. The only supported resources are ContainerApp (apps.tanzu.vmware.com) and Deployment (apps).

  7. Configure the Target Info section with the target you want to access. The target is an array. The EgressPoint can contain multiple targets. Fill in the following text boxes:

    Text box    Example value
    Host        api.openai.com
    Port        443
    Protocol    HTTPS

    When configuring your EgressPoint, you can also Allow egress to an IP address, Allow all egress traffic, or Allow egress to a service.

    For more information about the fields you can configure for the EgressPoint resource, see EgressPoint API reference.

  8. (Optional) To add another target, click Add Target.

  9. Click Create Egress Point.

Traffic from the Space can now contact the intended target destination.

Tanzu CLI: egress plug-in
To create an EgressPoint resource using the Tanzu CLI egress plug-in:
  1. Target your Space in your terminal by running:

    tanzu space use SPACE-NAME

    Where SPACE-NAME is the name of the Space for which you want to define egress rules.

  2. Create the EgressPoint by running:

    tanzu egress create EGRESSPOINT-NAME [FLAGS]

    For example:

    $ tanzu egress create example --host www.example.com --port 443 --protocol HTTPS

    For more information about this command, see the CLI reference for tanzu egress.

Tanzu CLI: tanzu deploy
To create an EgressPoint resource using a YAML file and tanzu deploy:
  1. Create a file named egresspoint.yaml. For example, to enable applications in your Space to access www.example.com, add the following content:

    apiVersion: networking.tanzu.vmware.com/v1alpha1
    kind: EgressPoint
    metadata:
      name: example
    spec:
      targets:
      - hosts:
        - www.example.com
        port:
          number: 443
          protocol: HTTPS

    When configuring your EgressPoint, you can also Allow egress to an IP address, Allow all egress traffic, or Allow egress to a service.

    For more information about the fields you can configure for the EgressPoint resource, see EgressPoint API reference.

  2. Target your Space in your terminal by running:

    tanzu space use SPACE-NAME

    Where SPACE-NAME is the name of the Space for which you want to define egress rules.

  3. Apply the egresspoint.yaml file by running:

    tanzu deploy --only egresspoint.yaml

Allow egress to an IP address

You can create egress targets for IPv4 addresses. The protocol must be TCP. For example:

Field       Example value
Host        11.22.33.44
Port        3306
Protocol    TCP

Example YAML file:

apiVersion: networking.tanzu.vmware.com/v1alpha1
kind: EgressPoint
metadata:
  name: example
spec:
  targets:
  - hosts:
    - "11.22.33.44"
    port:
      number: 3306
      protocol: TCP

For information about valid configuration for the EgressPoint resource, see the EgressPoint reference.

Allow all egress traffic

To allow egress to all hosts on any port and protocol, create a special allow-any egress target with the following values:

Field       Value
Host        *
Port        0
Protocol    ANY

The YAML file looks as follows:

apiVersion: networking.tanzu.vmware.com/v1alpha1
kind: EgressPoint
metadata:
  name: example
spec:
  targets:
  - hosts:
    - "*"
    port:
      number: 0
      protocol: ANY

Using port 0, protocol ANY, or host * in any other combination or in any other target creates an invalid EgressPoint.
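
The following check is an added example, not part of the Tanzu documentation or tooling. It applies the two rules stated above (an IPv4 host must use TCP; host *, port 0 and protocol ANY are only valid together) to an EgressPoint manifest that has already been parsed into a Python dict, and it also reports a valid allow-any target as a warning so it gets reviewed. The function names, the warning policy and the sample manifests are assumptions made for this example.

```python
import ipaddress

def is_ipv4(host):
    """True when the host string is a literal IPv4 address."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False

def lint_egresspoint(manifest):
    """Return (level, message) findings for one parsed EgressPoint manifest."""
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    for i, target in enumerate(manifest.get("spec", {}).get("targets", [])):
        hosts = target.get("hosts", [])
        port = target.get("port", {})
        number, proto = port.get("number"), port.get("protocol")
        where = f"{name}: targets[{i}]"
        # The allow-any target is valid only as host "*", port 0, protocol ANY.
        uses_wildcard = "*" in hosts or number == 0 or proto == "ANY"
        allow_any = hosts == ["*"] and number == 0 and proto == "ANY"
        if allow_any:
            # Policy choice of this example: valid, but surfaced for review.
            findings.append(("warn", f"{where} allows all egress traffic"))
        elif uses_wildcard:
            findings.append(("error", f"{where} uses '*', port 0 or ANY outside the allow-any target"))
        # IPv4 targets must use TCP.
        for host in hosts:
            if is_ipv4(host) and proto != "TCP":
                findings.append(("error", f"{where} IPv4 host {host} needs protocol TCP"))
    return findings

def egresspoint(name, hosts, number, proto):
    """Build a manifest dict shaped like the YAML on this page (constructed data)."""
    return {"apiVersion": "networking.tanzu.vmware.com/v1alpha1", "kind": "EgressPoint",
            "metadata": {"name": name},
            "spec": {"targets": [{"hosts": hosts, "port": {"number": number, "protocol": proto}}]}}

# Constructed samples: the first two mirror the page's examples, the last two break its rules.
SAMPLES = [
    egresspoint("https-ok", ["www.example.com"], 443, "HTTPS"),
    egresspoint("allow-any", ["*"], 0, "ANY"),
    egresspoint("bad-wildcard", ["*"], 443, "HTTPS"),
    egresspoint("bad-ip", ["11.22.33.44"], 3306, "TLS"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for level, message in lint_egresspoint(sample) or [("ok", sample["metadata"]["name"])]:
            print(level, message)
```

Running such a check before tanzu deploy catches an invalid wildcard combination early and makes an allow-all rule visible to whoever reviews the change.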

Allow egress to a service

You can create egress targets for non-HTTP endpoints such as databases. In your EgressPoint resource, use the TCP protocol and, if the endpoint supports it, the TLS protocol.

For example:

Field       Example value
Host        my.db.service
Port        3306
Protocol    TCP

Example YAML file:

apiVersion: networking.tanzu.vmware.com/v1alpha1
kind: EgressPoint
metadata:
  name: example
spec:
  targets:
  - hosts:
    - "my.db.service"
    port:
      number: 3306
      protocol: TCP

Some services, such as MySQL, use a server-first protocol. Although these protocols might support TLS, you must configure the EgressPoint to use TCP. For information about valid configuration for the EgressPoint resource, see Supported configurations for EgressPoint.

Delete an EgressPoint

To delete an EgressPoint using the Tanzu Platform UI:

  1. Go to Spaces > Overview.
  2. Click the Space that has the EgressPoint you want to delete.
  3. On the Space details page, click the Egress tab.
  4. On the card for the EgressPoint that you want to delete, click Delete.