Tanzu Kubernetes clusters are by default only reachable from IP subnets of networks within the same organization virtual data center in which a cluster is created. If necessary, you can manually configure external access to specific services in a Tanzu Kubernetes cluster.

When a VDC Kubernetes policy is published to an organization VDC, a firewall policy is automatically provisioned on the cluster edge gateway to allow access to the cluster from authorized sources within the VDC. Additionally, a system SNAT rule is automatically added to the NSX edge gateways within the organization VDC to ensure that the cluster edge gateway is reachable by the workloads within the organization VDC.

Both the firewall policy that is provisioned on the cluster edge gateway and the SNAT rule on the NSX edge gateway cannot be removed unless a system administrator deletes the Kubernetes policy from the VDC.

If necessary, you can manually configure access from an external network to a specific service in a Tanzu Kubernetes cluster. To do that, you must create a DNAT rule on the NSX edge gateway which ensures that the traffic coming from external locations is forwarded to the cluster edge gateway.

Tanzu Kubernetes clusters support NSX group networking. If the organization VDC in which a cluster is created is part of an NSX group that has an edge gateway which is shared across the VDCs in the group, the Tanzu Kubernetes cluster can be reached by VMs residing in the other VDCs in this group. To provide network access from the cluster to VMs in other VDCs in the data center group, you manually configure DNAT rules on the NSX edge gateway of the data center group.

Prerequisites

  • Verify that your cloud infrastructure is backed by vSphere 7.0 Update 1C, 7.0 Update 2, or later. Contact your system administrator.
  • Verify that you are an organization administrator.
  • Verify that your system administrator has created an NSX edge gateway within the organization virtual data center in which the Tanzu Kubernetes cluster is located.
  • Verify that the public IP address that you want to use for the service was allocated to the edge gateway interface on which you want to add a DNAT rule.
  • Use the get services my-service command of the kubectl command-line tool to retrieve the external IP for the service that you want to expose.

Procedure

  1. In the top navigation bar, click Networking and click the Edge Gateways tab.
  2. Click the edge gateway and, under Services, click NAT.
  3. To add a rule, click New.
  4. Configure a DNAT rule for the service that you want to connect to an external network.
    Option Description
    Name Enter a meaningful name for the rule.
    Description (Optional) Enter a description for the rule.
    State To enable the rule upon creation, turn on the State toggle.
    Interface type From the drop-down menu, select DNAT.
    External IP Enter the public IP address of the service.

    The IP address that you enter must belong to the suballocated IP range of the NSX edge gateway.
    Application Leave the box empty.
    Internal IP Enter the service IP address that was allocated from the Kubernetes ingress pool.
    Internal Port (Optional) Enter a port number to which inbound traffic is directed.
    Logging (Optional) To have the address translation performed by this rule logged, toggle on the Logging option.
  5. Click Save.

What to do next

If you want to provide access to other applications published as Kubernetes services from external networks, you must configure additional DNAT rules for each one of them.