Anthos Service Mesh and Traffic Director are now Cloud Service Mesh. For more information, see the Cloud Service Mesh overview.

Set up TCP services

This guide tells you how to set up Cloud Service Mesh to use TCP services and TCPRoute resources.

Cloud Service Mesh with TCP services and TCPRoute is similar to the Envoy sidecar proxy configuration with HTTP services. The exceptions are that the backend service provides a TCP service and routing is based on TCP/IP parameters rather than on the HTTP protocol.

Mesh resource with TCPRoute resource — `Mesh` resource with `TCPRoute` resource (click to enlarge)

Before you begin

Make sure that you complete the tasks described in Prepare to set up with Envoy and proxyless workloads.

Configure the `Mesh` resource

In a file called mesh.yaml, create the mesh resource specification.
```
name: sidecar-mesh
```

Use the mesh.yaml file to create the mesh resource.

gcloud network-services meshes import sidecar-mesh \
  --source=mesh.yaml \
  --location=global

Configure the TCP server

This part of the guide is not specific to the new APIs and uses existing backend service, health check, and MIG resources.

For demonstration purposes, you create a backend service with autoscaled VMs using managed instance groups that serve a test TCP service on port 10000.

Create a Compute Engine VM instance template with a test service on port 10000.

gcloud compute instance-templates create tcp-td-vm-template \
  --scopes=https://www.googleapis.com/auth/cloud-platform \
  --tags=allow-health-checks \
  --image-family=debian-10 \
  --image-project=debian-cloud \
  --metadata=startup-script="#! /bin/bash
sudo apt-get update -y
sudo apt-get install netcat -y
while true;
  do echo 'Hello from TCP service' | nc -l -s 0.0.0.0 -p 10000;
done &"

Create a managed instance group based on the template.

gcloud compute instance-groups managed create tcp-td-mig-us-east1 \
  --zone=ZONE \
  --size=1 \
  --template=tcp-td-vm-template

Set the named ports on the created managed instance group to port 10000.

gcloud compute instance-groups set-named-ports tcp-td-mig-us-east1 

  --zone=ZONE 

  --named-ports=tcp:10000

Create a health check.

gcloud compute health-checks create tcp tcp-helloworld-health-check --port 10000

Create a firewall rule to allow incoming health check connections to instances in your network.

gcloud compute firewall-rules create tcp-vm-allow-health-checks \
   --network default \
   --action allow \
   --direction INGRESS \
   --source-ranges=35.191.0.0/16,130.211.0.0/22 \
   --target-tags allow-health-checks \
   --rules tcp:10000

Create a global backend service with a load balancing scheme of INTERNAL_SELF_MANAGED and attach the health check to the backend service. The example uses the managed instance group that runs the sample TCP service that you created earlier.
```
gcloud compute backend-services create tcp-helloworld-service \
    --global \
    --load-balancing-scheme=INTERNAL_SELF_MANAGED \
    --protocol=TCP \
    --health-checks tcp-helloworld-health-check
```

Add the managed instance group to the backend service.

gcloud compute backend-services add-backend tcp-helloworld-service \
  --instance-group tcp-td-mig-us-east1 \
  --instance-group-zone=ZONE \
  --global

Set up routing with `TCPRoute`

In this section, you set up routing.

In a file called tcp_route.yaml, create the TcpRoute specification.

You can use either $PROJECT_ID or $PROJECT_NUMBER.

name: helloworld-tcp-route
meshes:
- projects/$PROJECT_NUMBER/locations/global/meshes/sidecar-mesh
rules:
- action:
    destinations:
    - serviceName: projects/$PROJECT_NUMBER/locations/global/backendServices/tcp-helloworld-service
  matches:
  - address: '10.0.0.1/32'
    port: '10000'

Using the tcp_route.yaml specification, create the TcpRoute resource.

gcloud network-services tcp-routes import helloworld-tcp-route \
  --source=tcp-route.yaml \
  --location=global

Create a TCP client with an Envoy sidecar

Create an instance template and then create a VM with Envoy that is connected to Cloud Service Mesh.

gcloud beta compute instance-templates create td-vm-client-template \
  --image-family=debian-10 \
  --image-project=debian-cloud \
  --service-proxy=enabled,mesh=sidecar-mesh \
  --metadata=startup-script="#! /bin/bash
sudo apt-get update -y
sudo apt-get install netcat -y"

gcloud compute instances create td-vm-client \
  --zone=ZONE \
  --source-instance-template td-vm-client-template

Sign in to the VM that you created.
```
gcloud compute ssh td-vm-client
```
Verify connectivity to the test services that you created using the netcat utility.
```
echo 'Hi TCP Service' | nc 10.0.0.1 10000
```

The test service should return the phrase Hello from TCP service. You should also be able to see any text that you type returned by the netcat service running on the remote VM.

What's next

For information about listing route resources associated with a Mesh or Gateway resource, see List Route resources. This feature is in Preview.