Configuring TCP Connections

You can configure the domain AtScale uses for TCP connections (JDBC, TDS, pgwire) in the values file. When setting this up, you have two configuration options:

  1. Use a single L4 load balancer for both HTTP and TCP traffic.
  2. Use two load balancers: an L7 for HTTP traffic, and a separate L4 for TCP traffic.

The following sections describe how to set up both configurations.

Configure your domains in AtScale

First, you must specify the domains you want to use in the AtScale values file.

In your values.yaml or override file, set ingressDomain to the domain you want to use for HTTP traffic, and ingressTCPDomain to the one you want to use for TCP traffic.

Note

If you do not set ingressTCPDomain, all traffic uses ingressDomain.

For example:

global:
  # (Required) This will do all routing if ingressTCPDomain is not defined
  ingressDomain: "atscale.example.com" # For L7, L4 load balancers - All routes
  # (OPTIONAL) This value allows you to set up
  # a second load balancer to expose for TCP-only connections
  ingressTCPDomain: "tcp.atscale.example.com" # L4 - JDBC, TDS, pgwire

Define your load balancers in the AtScale proxy service

Next, add your load balancer(s) to the AtScale proxy service. The following examples illustrate how to do this for both single- and double-load balancer configurations.

Note

The examples below use AWS- and GCE-specific annotations. Substitute the appropriate annotations for your cloud provider or ingress controller.

L4 load balancer configuration

The following example uses a single L4 load balancer to route both TCP and HTTP traffic to your service.

atscale-proxy:
  service:
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-scheme: internal # Must be set to 'internet-facing' for a public LB
      service.beta.kubernetes.io/aws-load-balancer-internal: "true" # Remove this annotation for a public LB
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" # This setting should be enabled if you have 1 instance and more than 1 subnet

L4 and L7 load balancer configuration

The following example uses two load balancers: an L7 for HTTP traffic, and an L4 for TCP traffic.

To configure the L7 load balancer, you can use a backend configuration:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: atscale-backend-config
  namespace: atscale
spec:
  healthCheck:
    type: HTTP
    port: 8888
    requestPath: /
    checkIntervalSec: 30
    timeoutSec: 10
    healthyThreshold: 2
    unhealthyThreshold: 2
  securityPolicy:
    name: <Your Cloud Armor security policy>

And then add the following to your values.yaml or override file:

atscale-proxy:
  tls:
    enabled: false
  ingress:
    enabled: true
    ingressClassName: "gce"
    annotations:
      kubernetes.io/ingress.class: "gce"
      kubernetes.io/ingress.global-static-ip-name: "<your reserved global ip>"
      networking.gke.io/v1beta1.FrontendConfig: "<your frontend config>" # OPTIONAL
      kubernetes.io/ingress.allow-http: "false" # OPTIONAL Enforce HTTPS-only

    extraRules:
      - host: <your ingress domain>
        http:
          paths:
            - path: /
              pathType: Prefix
              backend:
                service:
                  name: atscale-ingress-gateway
                  port:
                    name: http

    # TLS configuration for HTTPS listener
    extraTls: |
      - secretName: <your TLS secret>
        hosts:
          - <your ingress domain>
  service:
    type: NodePort
    annotations:
      cloud.google.com/neg: '{"ingress": true}'
      cloud.google.com/backend-config: '{"default":"atscale-backend-config"}' # Backend config to enable Cloud Armor

    extraPorts:
      - name: health
        port: 8888
        targetPort: 8888
        protocol: TCP

      - name: atscale-engine-sql-15432
        port: 15432
        protocol: TCP

To configure the L4 load balancer, create a new Kubernetes service for it:

apiVersion: v1
kind: Service
metadata:
  annotations:
    networking.gke.io/load-balancer-ip-addresses: "<name of your reserved global ip>"
    cloud.google.com/l4-rbs: "enabled"
  name: atscale-ingress-gateway-external
  namespace: atscale
spec:
  # Optionally allow only specific IPs to the ingress gateway
  loadBalancerSourceRanges:
    # Example IP Range for Tableau Cloud
    - "155.226.144.0/22"
    # Example Claude Inbound
    - "160.79.104.0/23"
    # Example Claude Outbound
    - "160.79.104.0/21"
  loadBalancerIP: "<your reserved global ip>"
  ports:
    - name: atscale-pgwire-15432
      port: 15432
      protocol: TCP
      targetPort: 15432
  selector:
    app.kubernetes.io/instance: atscale
    app.kubernetes.io/name: ingress-gateway
  sessionAffinity: None
  type: LoadBalancer
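
The loadBalancerSourceRanges list in the Service manifest above restricts which sources can reach port 15432, so it is worth auditing before you deploy. The following is an added example, not AtScale code: it checks an allowlist for invalid, overlapping, or overly broad CIDRs. The function names and the max_hosts threshold are assumptions; the sample input is the list from the manifest above.

```python
import ipaddress

# Constructed input: the loadBalancerSourceRanges values copied from the
# Service manifest above.
SOURCE_RANGES = ["155.226.144.0/22", "160.79.104.0/23", "160.79.104.0/21"]

def audit_source_ranges(ranges, max_hosts=4096):
    """Return (severity, message) findings for an L4 allowlist.

    max_hosts is an assumed review threshold, not an AtScale or GKE limit.
    """
    findings = []
    if not ranges:
        # A missing or empty allowlist leaves the load balancer open to any source.
        return [("high", "no loadBalancerSourceRanges: port open to all sources")]
    nets = []
    for raw in ranges:
        try:
            nets.append(ipaddress.ip_network(raw, strict=True))
        except ValueError as exc:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.5/24
            findings.append(("high", f"invalid CIDR {raw!r}: {exc}"))
    for net in nets:
        if net.prefixlen == 0:
            findings.append(("high", f"{net} allows every address"))
        elif net.num_addresses > max_hosts:
            findings.append(("medium", f"{net} allows {net.num_addresses} addresses"))
        for other in nets:
            if net is not other and net.version == other.version and net.subnet_of(other):
                findings.append(("low", f"{net} is already covered by {other}"))
    return findings

def effective_allowlist(ranges):
    """Collapse the allowlist to the minimal set of networks it permits."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return [str(n) for n in merged]

if __name__ == "__main__":
    for severity, message in audit_source_ranges(SOURCE_RANGES):
        print(f"[{severity}] {message}")
    print("effective:", effective_allowlist(SOURCE_RANGES))
```

Run against the sample list, the audit reports that the /23 entry is contained in the /21 entry, so the effective allowlist is the /22 plus the /21.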

Result

After deployment, .tds files downloaded from Design Center should show the ingressTCPDomain as the connection host. JDBC and pgwire connections will resolve through the L4 load balancer.