forked from jasonkeene/docs-rabbitmq-staging
-
Notifications
You must be signed in to change notification settings - Fork 0
/
enable-service-gateway.html.md.erb
159 lines (117 loc) · 8.38 KB
/
enable-service-gateway.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
---
title: Enabling Service-Gateway Access
owner: RabbitMQ
---
This topic explains how to enable service-gateway access.
## <a id='overview'></a> Overview
Service-gateway access enables a <%= vars.product_full %> on-demand service instance to
connect to external components that are not on the same foundation as the service instance.
For a more detailed overview, see [Service-Gateway Access](./service-gateway-access.html).
To enable service-gateway access for an on-demand offering:
1. [Enable TCP routing using the <%= vars.app_runtime_abbr %> tile](#tcp-routing)
1. [Configure the firewall to allow incoming traffic to the TCP router](#configure-firewall)
1. [Configure the load balancer in the IaaS to redirect traffic to the TCP router](#configure-lb)
1. [Create a DNS record that maps to the load balancer](#create-dns-record)
1. [Configure a service-gateway-enabled plan](#configure-service-gateway-plan)
<p class="note warning">
<strong>Warning:</strong> VMware recommends that you configure Transport Layer Security (TLS) alongside
service-gateway access to prevent man-in-the-middle attacks.
For instructions on how to configure TLS, see <a href="./install-config.html#security">Configure Security</a>.
</p>
## <a id='tcp-routing'></a> Enable TCP Routing Using the <%= vars.app_runtime_abbr %> Tile
TCP routing is deactivated by default. To enable TCP routing:
1. Go to the Networking pane of the <%= vars.app_runtime_abbr %> tile.
1. Under **Enable TCP requests to apps through specific ports on the TCP router**, select
**Enable TCP routing**.
1. For TCP routing ports, enter one or more ports to which the load balancer forwards requests.
For example, `1024` for a single port or `1024–1123` for a range of ports.
1. Apply changes in <%= vars.ops_manager %> for the <%= vars.app_runtime_abbr %> tile to create the TCP router.
1. From the status tab of the <%= vars.app_runtime_abbr %> tile, record the cloud identity (CID) of the
TCP router.
<a href="./images/TCP-router-CID.png" target="_blank" aria-hidden="true">Click here to view a larger version of the image above</a>
## <a id='configure-firewall'></a> Configure the Firewall to Allow Incoming Traffic to the TCP Router
1. Allow incoming traffic to the TCP router VM created in
[Enable TCP Routing Using the <%= vars.app_runtime_abbr %> Tile](#tcp-routing) above.
For information about how to do so, see the documentation for your IaaS.
## <a id='configure-lb'></a> Configure the Load Balancer in the IaaS to Redirect Traffic to the TCP Router
To configure the load balancer:
1. Use the IaaS console and the CID that you recorded earlier to find the VM that runs the TCP router.
1. Create an external TCP load balancer that points to the VM running the TCP router.
1. Configure a distinct external port range that does not overlap with any of the following:
* The port range configured for service-gateway access for other service tiles, such as VMware
Tanzu SQL with MySQL for VMs.
* The TCP networking port or port range that you configured in
[Enable TCP Routing Using the <%= vars.app_runtime_abbr %> Tile](#tcp-routing) above.
For example, if your TCP routing port range is `1024-1123`,
then your load balancer port range for service gateway must not overlap `1024-1123`.
<p class="note">
<strong>Note:</strong> Each <%= vars.product_short %> service instance using service-gateway
access requires a unique port.
Ensure that the port range configured above has enough capacity to accommodate all the service
instances that you need. The start port and the end port are both inclusive.
</p>
<a href="./images/service-gateway-ports.png" target="_blank" aria-hidden="true">Click here to
view a larger version of the image above</a>
1. Record this port range.
## <a id='create-dns-record'></a> Create a DNS Record That Maps to the Load Balancer
To create a DNS record and prepare to map it:
1. Following the documentation for your IaaS, create a new DNS record of type A that maps to the
external IP address of the load balancer created in [Configure the Load Balancer in the IaaS to Redirect Traffic to the TCP Router](#configure-lb) above.
1. Record the domain used for this DNS record.
## <a id='configure-service-gateway-plan'></a> Configure a Service-Gateway-Enabled Plan
To configure a service-gateway-enabled plan:
1. In the **Global Settings for On-Demand Plans** pane in the RMQ tile, fill in the following fields:
- **External TCP domain**: This must correspond to the DNS entry for the external load balancer,
recorded in [Create a DNS Record That Maps to the Load Balancer](#create-dns-record) above.
- **Port Range**: This is the range of ports you configured for the external load balancer for <%= vars.product_short %>
service instances in
[Configure the Load Balancer in the IaaS to Redirect Traffic to the TCP Router](#configure-lb) above.
<img src="images/global-settings-service-gateway.png" alt="Example of the Global Settings for On-Demand Plans pane. The External TCP domain field has tcp.elcajon.cf-app.com. The Port Range field has 1024–2025." width="450">
<p class="note warning">
<strong>Warning:</strong>
If you already have service instances using service-gateway, any modifications to this range
must include ports that are already assigned to these service instances.
If the port range does not contain the ports already assigned to service instances, the
upgrades for the service instances fail.
For example, if service-gateway access has the port range <code>1000-1005</code>,
and there are service instances that correspond to ports <code>1000</code>, <code>1001</code>,
and <code>1002</code>, then the new port range must have ports <code>1000</code>,
<code>1001</code>, and <code>1002</code>.
</p>
1. Navigate to the service plan that you want to use and select the **Service-Gateway Access** checkbox.
<p class="note">
<strong>Note:</strong> VMware recommends that you change the name or the description of the plan to
indicate that service-gateway access is enabled for that plan.
</p>
<p class="note">
<strong>Note:</strong> If service-gateway access is deactivated and then re-activated, app developers must
create new service keys to obtain a new set of credentials for service-gateway access.
</p>
1. Go back to **<%= vars.ops_manager %> Installation Dashboard > Review Pending Changes**.
1. Click **Apply Changes** to apply the changes to the <%= vars.product_short %> tile.
## <a id='deactivate-service-gateway-access'></a> Deactivate Service-Gateway Access
<p class="note">
<strong>Note:</strong> If service-gateway access is deactivated and then re-enabled, app developers must
create new service keys to obtain a new set of credentials for service-gateway access.
</p>
To deactivate service-gateway access:
1. Navigate to the service plan that you want to deactivate service-gateway access for
and clear the **Service-Gateway Access** checkbox.
<p class="note">
<strong>Note:</strong> VMware recommends that you change the name or the
description of the plan to indicate that service-gateway access is deactivated for that plan.
</p>
1. Go back to **<%= vars.ops_manager %> Installation Dashboard > Review Pending Changes**.
1. Click **Apply Changes** to apply the changes to the <%= vars.product_short %> tile.
## <a id='workflow'></a> Developer Workflow
For instructions for app developers, see
[Create a Service Instance with Service-Gateway Access](./create-service-gateway-instance.html).