This topic explains how VMware Tanzu Application Service for VMs (TAS for VMs) uses WebSockets, why developers use WebSockets in their apps, and how operators can configure their load balancer to support WebSockets.
Operators who use a load balancer to distribute incoming traffic across TAS for VMs router instances must configure their load balancer for WebSockets. Otherwise, the Loggregator system cannot stream app logs to developers, or app event data and component metrics to third-party aggregation services. Additionally, developers cannot use WebSockets in their apps.
The WebSocket protocol provides full-duplex communication over a single TCP connection. Apps can use WebSockets to perform real-time data exchange between a client and a server more efficiently than HTTP.
TAS for VMs uses WebSockets for the following metrics and logging purposes:
To stream all app event data and component metrics from the Doppler server instances to the Traffic Controller.
To stream app logs from the Traffic Controller to developers using the Cloud Foundry Command Line Interface (cf CLI) or Apps Manager.
To stream all app event data and component metrics from the Traffic Controller over the Firehose endpoint to external apps or services.
For more information about these Loggregator components, see Loggregator Architecture.
To form a WebSocket connection, the client sends an HTTP request that contains an
Upgrade header and other headers required to complete the WebSocket handshake. You must configure your load balancer to not upgrade the HTTP request, but rather to pass the
Upgrade header through to the TAS for VMs router. The procedures required to configure your load balancer depends on your IaaS and load balancer. The following list includes several possible approaches:
Some load balancers can recognize the
Upgrade header and pass these requests through to the TAS for VMs router without returning the WebSocket handshake response. This may or may not be default behavior, and may require additional configuration.
Some load balancers do not support passing WebSocket handshake requests containing the
Upgrade header to the TAS for VMs router. For instance, the Amazon Web Services (AWS) Elastic Load Balancer (ELB) does not support this behavior. In this scenario, you must configure your load balancer to forward TCP traffic to your TAS for VMs router to support WebSockets. If your load balancer does not support TCP pass-through of WebSocket requests on the same port as other HTTP requests, you can do one of the following:
ws.cf.example.com, to be used for WebSockets. This hostname should resolve to the new load balancer interface.
Note: Regardless of your IaaS and configuration, you must configure your load balancer to send the X-Forwarded-For and X-Forwarded-Proto headers for non-WebSocket HTTP requests on ports 80 and 443. For more information, see Securing Traffic into TAS for VMs.
Note: Gorouter rejects WebSockets requests for routes that are bound to route services. These requests return a 503 error and a
X-Cf-Routererror route_service_unsupported header.
Note: Gorouter does not support WebSockets over HTTP/2. For more information, see RFC 8441. Configure your load balancer to always send WebSocket requests to Gorouter over HTTP/1.1. For more information, see Configuring HTTP/2 Support.
By default, TAS for VMs assigns port 443 for TCP/WebSocket communications. If you have configured your load balancer to use a port other than 443 for TCP/WebSocket traffic, you must edit the Loggregator port field in the Networking pane of the TAS for VMs tile.