Manage egress rules

This topic tells you how to manage egress rules in a Space by using the egress.tanzu.vmware.com Capability and the EgressPoint resource on Tanzu Platform for Kubernetes. For more information about the Capability and the resource, see About Egress.

You can manage EgressPoint resources in Tanzu Platform hub using the Egress tab in your Space. From the Egress tab, you can create new egress points and view, edit, or delete existing egress points.

Before you begin

Before defining an EgressPoint resource:

  • Create a Space that includes the egress.tanzu.vmware.com Capability. For an example Space, see Create an application environment using Spaces.

  • Deploy an application to the Space that is configured to make HTTP or HTTPS requests to an endpoint outside the Space.

Create an EgressPoint

You can create an EgressPoint in Tanzu Platform hub, or you can create EgressPoint resources manually by writing a YAML file and applying it to the Space with kubectl.

Tanzu Platform hub
To create an EgressPoint:
  1. Navigate to Application Spaces > Spaces.

  2. Click the Space for which you want to define egress rules.

  3. On the Space details page, click the Egress tab.

  4. Click Create Egress Point.

  5. In the Name text box, enter the name you want for the EgressPoint. For example, example-egress.

  6. If you want the source to default to the entire Space, deactivate the SourceRef toggle. Otherwise, activate the SourceRef toggle and then fill in the following text boxes:

    Text box     Example value
    API Group    apps
    Kind         Deployment
    Name         account-service

    The SourceRef points to a Kubernetes resource within the Space. The only supported resources are ContainerApp (apps.tanzu.vmware.com) and Deployment (apps).

  7. Configure the Target Info section with the target you want to access. Target Info is an array: an EgressPoint can contain multiple targets, each with its own host, port, and protocol. Fill in the following text boxes:

    Text box     Example value
    Host         api.openai.com
    Port         443
    Protocol     HTTPS

    Besides hostname targets, an EgressPoint can allow egress to an IP address, allow all egress traffic, or allow egress to a service; see the sections of those names below for the values each requires.

    For more information about the fields you can configure for the EgressPoint resource, see EgressPoint API reference.

  8. (Optional) To add another target, click Add Target.

  9. Click Create Egress Point.

Traffic from the Space can now contact the intended target destination.

YAML file
To create EgressPoint resources manually by using a YAML file:
  1. Create a file named egresspoint.yaml. For example, to enable applications in your Space to access www.example.com, add the following content:

    apiVersion: networking.tanzu.vmware.com/v1alpha1
    kind: EgressPoint
    metadata:
      name: example
    spec:
      targets:
      - hosts:
        - www.example.com
        port:
          number: 443
          protocol: HTTPS
    

    Besides hostname targets, an EgressPoint can allow egress to an IP address, allow all egress traffic, or allow egress to a service; see the sections of those names below for the values each requires.

    For more information about the fields you can configure for the EgressPoint resource, see EgressPoint API reference.

  2. Target your Space in your terminal by running:

    tanzu space use SPACE-NAME
    

    Where SPACE-NAME is the name of the Space for which you want to define egress rules.

  3. Get the path to the kubeconfig for your Space by running:

    tanzu context current
    

    From the output, record the value of Kube Config.

    Example output:

    Name:            my-context
    Type:            tanzu
    Organization:    my-org (ORG-ID)
    Project:         my-project (PROJECT-ID)
    Space:           my-space
    Kube Config:     /path/to/kube/config
    Kube Context:    tanzu-cli-my-context:my-project:my-space
    
  4. Apply the egresspoint.yaml file by running:

    kubectl --kubeconfig=PATH-TO-KUBE-CONFIG apply -f egresspoint.yaml
    

    Where PATH-TO-KUBE-CONFIG is the value of Kube Config that you recorded earlier.
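The four steps above as one script, added here as an example; it is not part of the Tanzu documentation or tooling. It renders the manifest from HOST:PORT:PROTOCOL arguments, reads the Kube Config path out of the `tanzu context current` output, and applies the file. The optional sourceRef block and its apiGroup/kind/name field names are assumed from the hub UI labels in the previous section; the SOURCE_KIND and SOURCE_NAME environment variables and the function names are this script's own.

```shell
#!/bin/sh
# Added example, not Tanzu code: render and apply an EgressPoint.
# Target layout follows the page's YAML; sourceRef field names are an
# assumption taken from the hub UI labels (API Group / Kind / Name).
set -eu

# render_egresspoint NAME HOST:PORT:PROTOCOL [HOST:PORT:PROTOCOL ...]
# Emits one EgressPoint manifest with one target per argument.
render_egresspoint() {
  name=$1; shift
  printf 'apiVersion: networking.tanzu.vmware.com/v1alpha1\n'
  printf 'kind: EgressPoint\nmetadata:\n  name: %s\nspec:\n' "$name"
  # Optional: scope the rule to one workload instead of the whole Space
  # (least privilege). SOURCE_KIND/SOURCE_NAME are this script's own knobs.
  if [ -n "${SOURCE_KIND:-}" ] && [ -n "${SOURCE_NAME:-}" ]; then
    case $SOURCE_KIND in
      Deployment)   group=apps ;;
      ContainerApp) group=apps.tanzu.vmware.com ;;
      *) echo "unsupported SourceRef kind: $SOURCE_KIND" >&2; return 1 ;;
    esac
    printf '  sourceRef:\n    apiGroup: %s\n    kind: %s\n    name: %s\n' \
      "$group" "$SOURCE_KIND" "$SOURCE_NAME"
  fi
  printf '  targets:\n'
  for t in "$@"; do
    case $t in *:*:*) ;; *) echo "$t: expected HOST:PORT:PROTOCOL" >&2; return 1 ;; esac
    host=${t%%:*}; rest=${t#*:}; port=${rest%%:*}; proto=${rest#*:}
    printf '  - hosts:\n    - "%s"\n    port:\n      number: %s\n      protocol: %s\n' \
      "$host" "$port" "$proto"
  done
}

# kubeconfig_from_context CONTEXT_OUTPUT
# Extracts the "Kube Config:" value from `tanzu context current` output.
kubeconfig_from_context() {
  printf '%s\n' "$1" | sed -n 's/^Kube Config:[[:space:]]*//p'
}

# apply_egresspoint SPACE NAME HOST:PORT:PROTOCOL ...
# Targets the Space, finds its kubeconfig, writes and applies the manifest.
apply_egresspoint() {
  space=$1; name=$2; shift 2
  tanzu space use "$space"
  kc=$(kubeconfig_from_context "$(tanzu context current)")
  [ -n "$kc" ] || { echo "no Kube Config line in tanzu context output" >&2; return 1; }
  render_egresspoint "$name" "$@" > egresspoint.yaml
  kubectl --kubeconfig="$kc" apply -f egresspoint.yaml
  # Read the object back so the applied targets are visible in the log.
  kubectl --kubeconfig="$kc" get egresspoints.networking.tanzu.vmware.com "$name" -o yaml
}

# Usage, once the tanzu and kubectl CLIs are logged in:
#   apply_egresspoint my-space example www.example.com:443:HTTPS
#   SOURCE_KIND=Deployment SOURCE_NAME=account-service \
#     apply_egresspoint my-space account-egress api.openai.com:443:HTTPS
```

Prefer the SourceRef form for anything beyond a throwaway Space: a Space-wide rule lets every workload in the Space reach the target, while a Deployment-scoped rule lets only the one workload that needs it.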

Allow egress to an IP address

You can create egress targets for IPv4 addresses. The host is the literal address, and the protocol must be TCP. For example:

Field       Example value
Host        11.22.33.44
Port        3306
Protocol    TCP

Example YAML file:

apiVersion: networking.tanzu.vmware.com/v1alpha1
kind: EgressPoint
metadata:
  name: example
spec:
  targets:
  - hosts:
    - "11.22.33.44"
    port:
      number: 3306
      protocol: TCP

For information about valid configuration for the EgressPoint resource, see the EgressPoint reference.

Allow all egress traffic

To allow egress to all hosts on any port and protocol, create the special allow-any egress target with the following values:

Field       Value
Host        *
Port        0
Protocol    ANY

This target removes egress restriction entirely for its source, so use it only where a broad allow is intended, and where you do use it, scope it to a single workload with a SourceRef rather than to the whole Space.

The YAML file looks as follows:

apiVersion: networking.tanzu.vmware.com/v1alpha1
kind: EgressPoint
metadata:
  name: example
spec:
  targets:
  - hosts:
    - "*"
    port:
      number: 0
      protocol: ANY

Note

The three values are valid only together, exactly as shown. Using port 0, protocol ANY, or host * in any other combination, or in any other target, creates an invalid EgressPoint.

Allow egress to a service

You can create egress targets for non-HTTP endpoints such as databases. In your EgressPoint resource, use the TCP protocol, or TLS where the endpoint supports it (but see the note on server-first protocols below).

For example:

Field       Example value
Host        my.db.service
Port        3306
Protocol    TCP

Example YAML file:

apiVersion: networking.tanzu.vmware.com/v1alpha1
kind: EgressPoint
metadata:
  name: example
spec:
  targets:
  - hosts:
    - "my.db.service"
    port:
      number: 3306
      protocol: TCP

Important

Some services, such as MySQL, use a server-first protocol: the server sends the first bytes after the connection opens, so the client's opening bytes cannot be inspected to detect TLS. Although these services might support TLS, you must configure the EgressPoint to use TCP. For information about valid configuration for the EgressPoint resource, see Supported configurations for EgressPoint.
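A pre-apply lint for targets, added here as an example and not Tanzu code, covering the three rules stated on this page: IP-address targets must use TCP, the allow-any values are valid only as the exact triple `*` / 0 / ANY, and server-first services such as MySQL must use TCP rather than TLS. The protocol names are the ones this page uses; the port-3306 check is an assumed heuristic standing in for the server-first rule, since a manifest alone cannot tell which side speaks first; the function names are the script's own.

```shell
#!/bin/sh
# Added example, not Tanzu code: lint EgressPoint targets before kubectl
# apply, so an invalid or broader-than-intended target is caught early.
set -eu

# is_ipv4 HOST -> 0 if HOST is a dotted-quad IPv4 literal.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# validate_target HOST PORT PROTOCOL -> 0 if the target is allowed,
# otherwise 1 with the reason on stderr.
validate_target() {
  host=$1 port=$2 proto=$3
  # Protocol names as used on this page.
  case $proto in
    HTTP|HTTPS|TCP|TLS|ANY) ;;
    *) echo "$host:$port:$proto: unknown protocol" >&2; return 1 ;;
  esac
  # The allow-any target is exactly '*' / 0 / ANY; any of the three alone
  # makes the EgressPoint invalid.
  if [ "$host" = '*' ] || [ "$port" = 0 ] || [ "$proto" = ANY ]; then
    if [ "$host" = '*' ] && [ "$port" = 0 ] && [ "$proto" = ANY ]; then
      echo "warning: $host:$port:$proto allows all egress from its source" >&2
      return 0
    fi
    echo "$host:$port:$proto: '*', port 0 and ANY are only valid together" >&2
    return 1
  fi
  case $port in
    ''|*[!0-9]*) echo "$host:$port:$proto: port must be numeric" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "$host:$port:$proto: port out of range" >&2; return 1
  fi
  # IP-address targets must use TCP.
  if is_ipv4 "$host" && [ "$proto" != TCP ]; then
    echo "$host:$port:$proto: IP address targets must use TCP" >&2; return 1
  fi
  # Assumed heuristic: 3306 is MySQL, a server-first protocol, so TLS
  # cannot be detected from the client's first bytes; the page says use TCP.
  if [ "$port" = 3306 ] && [ "$proto" = TLS ]; then
    echo "$host:$port:$proto: server-first service, use TCP instead of TLS" >&2
    return 1
  fi
  return 0
}

# validate_targets HOST:PORT:PROTOCOL ... -> 0 only if every target passes;
# reports every failure rather than stopping at the first.
validate_targets() {
  rc=0
  for t in "$@"; do
    case $t in
      *:*:*) ;;
      *) echo "$t: expected HOST:PORT:PROTOCOL" >&2; rc=1; continue ;;
    esac
    h=${t%%:*}; rest=${t#*:}
    validate_target "$h" "${rest%%:*}" "${rest#*:}" || rc=1
  done
  return $rc
}

# Usage: validate_targets api.openai.com:443:HTTPS 11.22.33.44:3306:TCP
```

Run it over the same HOST:PORT:PROTOCOL list you pass to whatever renders the manifest; a non-zero exit means at least one target would be rejected or would allow more than intended.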

Delete an EgressPoint

To delete an EgressPoint:

  1. Navigate to Application Spaces > Spaces.

  2. Click the Space that has the EgressPoint you want to delete.

  3. On the Space details page, click the Egress tab.

  4. On the card for the EgressPoint that you want to delete, click Delete.
