To enable access from the public Internet to a Kubernetes service running in a Tanzu Kubernetes Grid cluster, publish the service internally, then give it a public IP address and create a DNAT rule that exposes the published service at an IP address in the ingress CIDR.

Internet access to cluster services is managed by a load balancer through a DNATted public IP address in the Ingress CIDR block you specified when you activated Tanzu Kubernetes Grid. In VMware Cloud on AWS, the load balancer service is implemented by the NSX Container Plug-in, which is automatically configured for each SDDC cluster on which you activate Tanzu Kubernetes Grid. See Overview of NSX Container Plug-in for more information.

The following steps outline a typical workflow that you can use to make a Kubernetes service accessible from the public Internet. The VMware Cloud Tech Zone article Set Up Public Access to Tanzu Kubernetes Clusters in VMware Cloud on AWS explains this workflow in more detail.


  1. Log in to VMware Cloud Services at
  2. Use the VMware Cloud on AWS API to publish the service internally.
    Deploy it as a service of type LoadBalancer, specifying the namespace and node ports, as shown here.
    apiVersion: v1
    kind: Service
    metadata:
      name: example-svc
      namespace: ns1
      labels:
        app: hardtop-example
    spec:
      ports:
        - port: 80
          targetPort: 8080
      type: LoadBalancer
      selector:
        app: example-app
    Deploying a Kubernetes service of type: LoadBalancer publishes it, makes it accessible within the cluster at the specified port (port: 80 in this example), and maps a node port for the service to a random port above 30000.
  3. Create a VMware Cloud on AWS Compute Gateway firewall rule allowing access to the VM on its external IP and mapped node port (we're using 31552 in this example).
    Use a kubectl command like this one to return the service properties you need for the firewall rule.
    kubectl get service example-svc -n ns1
    NAME            TYPE             CLUSTER-IP       EXTERNAL-IP    PORT(S)
    example-svc     LoadBalancer                                     80:31552/TCP
    Follow the procedure in Add or Modify Management Gateway Firewall Rules in the VMware Cloud on AWS Networking and Security guide to create a rule with parameters like these:
    Option         Description
    Sources        Any
    Destinations   The EXTERNAL-IP of the service ( in this example)
    Services       HTTP
    Action         Allow
  4. Request a public IP address for the VM providing the service.
    Follow the procedure in Request or Release a Public IP Address in the VMware Cloud on AWS Networking and Security guide.
  5. Create a DNAT rule for this public IP.
    Follow the procedure in Create or Modify NAT Rules in the VMware Cloud on AWS Networking and Security guide to create a DNAT rule matching the public IP to the internal IP. If your rule specifies Match Internal Address, you'll also need to create a firewall rule allowing access to the Public IP address on the Internet interface.
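The workflow above, gathered into one script as an added example (this is not VMware's code): it parses a constructed `kubectl get service` listing, checks that the service really is of type LoadBalancer with a node port in the default NodePort range, and derives the Compute Gateway firewall and DNAT parameters scoped to the single published port rather than to all ports. The cluster IP, the EXTERNAL-IP 10.4.0.5 and the public IP 203.0.113.10 are placeholders, not values from the page.

```python
"""Derive firewall and DNAT parameters for a published TKG service (added example)."""
import re
from dataclasses import dataclass

# Constructed sample of `kubectl get service example-svc -n ns1` output; IPs are placeholders.
SAMPLE_OUTPUT = """\
NAME          TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
example-svc   LoadBalancer   10.96.0.10    10.4.0.5      80:31552/TCP   5m
"""

NODEPORT_RANGE = range(30000, 32768)  # Kubernetes default NodePort range


@dataclass
class PublishedService:
    name: str
    external_ip: str  # load balancer address in the ingress CIDR
    port: int         # port the load balancer listens on (80 in the page's example)
    node_port: int    # node port Kubernetes mapped for the service
    protocol: str


def parse_service(output: str, name: str) -> PublishedService:
    """Extract the EXTERNAL-IP and port mapping of one service from kubectl output."""
    for line in output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if cols[0] != name:
            continue
        if cols[1] != "LoadBalancer":
            raise ValueError(f"{name} is type {cols[1]}, not LoadBalancer; it is not published")
        m = re.fullmatch(r"(\d+):(\d+)/(TCP|UDP)", cols[4])
        if not m:
            raise ValueError(f"unexpected PORT(S) column: {cols[4]}")
        port, node_port, proto = int(m[1]), int(m[2]), m[3]
        if node_port not in NODEPORT_RANGE:
            raise ValueError(f"node port {node_port} is outside the NodePort range")
        return PublishedService(name, cols[3], port, node_port, proto)
    raise KeyError(f"service {name} not found")


def exposure_rules(svc: PublishedService, public_ip: str) -> dict:
    """Build the CGW firewall rule and the DNAT rule; both allow only the published port."""
    service = f"{svc.protocol}/{svc.port}"  # HTTP in the page's table is TCP/80
    return {
        "cgw_firewall": {"sources": "Any", "destinations": svc.external_ip,
                         "services": service, "action": "Allow"},
        "dnat": {"public_ip": public_ip, "internal_ip": svc.external_ip,
                 "service": service},
    }
```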