Stay organized with collections
Save and categorize content based on your preferences.
Set up TCP traffic routing
This guide demonstrates how you can use Cloud Service Mesh to route traffic to services
that handle TCP traffic. These services include databases, VOIP services, and
management platforms, which expect to receive TCP traffic on specific ports or
port ranges.
Set up a service that represents a collection of identical backends or
endpoints that accept TCP requests from clients.
Set up a routing rule map so that Envoy proxies that Cloud Service Mesh
configures can send TCP requests.
The following diagrams show how TCP routing works for virtual machine (VM)
instances and network endpoint groups (NEGs), respectively.
Setting up Cloud Service Mesh for TCP, Compute Engine backends (click to enlarge)
Setting up Cloud Service Mesh for TCP, NEG backends (click to enlarge)
Preparation
This guide builds on the
Envoy for service mesh
preparation guide, and assumes that you already have a basic understanding of how
Cloud Service Mesh works.
The guide focuses on aspects of Cloud Service Mesh setup that are different
when you configure your services and routing for TCP traffic.
The guide assumes that you have already set up a managed instance group (MIG) or
NEG.
Configure load-balancing resources
Use the following steps to configure the load-balancing resources.
Create a TCP health check
Setup with VMs
If you are configuring MIGs, use the following command to create a global
health check; replace PORT with the TCP port
number that this health check monitors:
The final step for setting up your backend service is to add your backends.
Because this step is standard Cloud Service Mesh setup (in other
words, nothing specific for TCP-based services), it is not shown here.
For more information, see
Create the backend service
in the setup guide for Compute Engine VMs with automatic Envoy
deployment.
Setup with NEGs
If you are configuring NEGs, use the following commands to create a
backend service and associate the health check with the backend service:
The final step for setting up your backend service is to add your backend
group. Because this step is standard Cloud Service Mesh setup (in other
words, nothing specific for TCP-based services), it is not shown here.
For more information, see
Create the backend service
in the setup guide for GKE Pods with automatic Envoy injection.
Set up routing for your TCP-based backend service
In this section, you create a global
target TCP proxy
and a global forwarding rule.
These resources enable your applications to send traffic to the backends with
your newly created backend services.
Consider the following:
Your forwarding rule must have the load-balancing scheme
INTERNAL_SELF_MANAGED.
The virtual IP address (VIP) and port that you configure in the forwarding
rule are the VIP and port that your applications use when sending traffic to
your TCP services. You can choose the VIP from one of your subnets.
Cloud Service Mesh uses this VIP and port to match client requests to a
particular backend service.
For information about how client requests are matched to backend services, see
Service discovery.
gcloud
Use the following command to create the target TCP proxy; replace
BACKEND_SERVICE with the name of the backend service
created in the previous step. In the following example, we use
td-tcp-proxy as the name for the target TCP proxy, but you can choose
a name that suits your needs.
Create the forwarding rule. The forwarding rule specifies the VIP and
port that are used when matching client requests to a particular backend
service. For more information, see
gcloud compute forwarding-rules create
in the gcloud command reference.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Set up TCP traffic routing\n==========================\n\nThis guide demonstrates how you can use Cloud Service Mesh to route traffic to services\nthat handle TCP traffic. These services include databases, VOIP services, and\nmanagement platforms, which expect to receive TCP traffic on specific ports or\nport ranges.\n| **Note:** This guide only supports Cloud Service Mesh with Google Cloud APIs and does not support Istio APIs. For more information see, [Cloud Service Mesh overview](/service-mesh/docs/overview).\n\nThis guide applies to deployment with the older APIs. If you are using the new\nservice routing APIs, which are in preview, see\n[Cloud Service Mesh setup for TCP services with a `TCPRoute` resource](/service-mesh/docs/service-routing/set-up-tcp-route).\n\nUse this guide to do the following:\n\n- Set up a service that represents a collection of identical backends or endpoints that accept TCP requests from clients.\n- Set up a routing rule map so that Envoy proxies that Cloud Service Mesh configures can send TCP requests.\n\nThe following diagrams show how TCP routing works for virtual machine (VM)\ninstances and network endpoint groups (NEGs), respectively.\n[](/static/service-mesh/docs/images/td-tcp-gce.svg) Setting up Cloud Service Mesh for TCP, Compute Engine backends (click to enlarge)\n\n\u003cbr /\u003e\n\n\n[](/static/service-mesh/docs/images/td-tcp-neg.svg) Setting up Cloud Service Mesh for TCP, NEG backends (click to enlarge)\n\n\u003cbr /\u003e\n\nPreparation\n-----------\n\n- This guide builds on the [Envoy for service mesh](/service-mesh/docs/service-routing/prepare-for-envoy-setup) preparation guide, and assumes that you already have a basic understanding of how Cloud Service Mesh works.\n- The guide focuses on aspects of Cloud Service Mesh setup that are different when you configure your services and routing for TCP traffic.\n- The guide assumes that you have already set up a managed instance group (MIG) or NEG.\n\nConfigure load-balancing resources\n----------------------------------\n\nUse the following steps to configure the load-balancing resources.\n\n### Create a TCP health check\n\n### Setup with VMs\n\nIf you are configuring MIGs, use the following command to create a global\nhealth check; replace \u003cvar translate=\"no\"\u003ePORT\u003c/var\u003e with the TCP port\nnumber that this health check monitors: \n\n```\ngcloud compute health-checks create tcp td-vm-health-check \\\n --global \\\n --port=PORT\n```\n\n### Setup with NEGs\n\nIf you are configuring NEGs, use the following command to create a health\ncheck: \n\n```\ngcloud compute health-checks create tcp td-gke-health-check \\\n --use-serving-port\n```\n\nFor more information about health checks, see the following:\n\n- [Creating health checks](/load-balancing/docs/health-checks) in the Cloud Load Balancing documentation\n- [`gcloud compute health-checks create tcp`](/sdk/gcloud/reference/compute/health-checks/create/tcp) in the `gcloud` command reference\n\n### Create a firewall rule for your health check\n\nThis rule enables health checks from Google Cloud's health checkers to reach\nyour backends. \n\n### gcloud\n\n```\ngcloud compute firewall-rules create fw-allow-health-checks \\\n --action=ALLOW \\\n --direction=INGRESS \\\n --source-ranges=35.191.0.0/16,130.211.0.0/22 \\\n --target-tags=TAGS \\\n --rules=tcp:80\n```\n\nFor more information about firewall rules for health checks, see the following:\n\n- [Firewall rules for health checks](/load-balancing/docs/health-checks#fw-rule) in the Cloud Load Balancing documentation\n- [`gcloud compute firewall-rules create`](/sdk/gcloud/reference/compute/firewall-rules/create) in the `gcloud` command reference (includes guidance for \u003cvar translate=\"no\"\u003eTAGS\u003c/var\u003e)\n\n### Create a backend service for your TCP backends\n\nThe backend service setup for TCP with Cloud Service Mesh differs slightly\nfrom the setup for HTTP. The following steps capture those differences. \n\n### Setup with VMs\n\nIf you are configuring MIGs, use the following\ncommand to create a backend service and add the health check: \n\n```\n gcloud compute backend-services create td-vm-service \\\n --global \\\n --load-balancing-scheme=INTERNAL_SELF_MANAGED \\\n --health-checks=td-vm-health-check \\\n --protocol=TCP \\\n --global-health-checks\n```\n\nThe final step for setting up your backend service is to add your backends.\nBecause this step is standard Cloud Service Mesh setup (in other\nwords, nothing specific for TCP-based services), it is not shown here.\nFor more information, see\n[Create the backend service](/service-mesh/docs/service-routing/set-up-gce-vms-auto#creating_the_backend_service)\nin the setup guide for Compute Engine VMs with automatic Envoy\ndeployment.\n\n### Setup with NEGs\n\nIf you are configuring NEGs, use the following commands to create a\nbackend service and associate the health check with the backend service: \n\n```\ngcloud compute backend-services create td-gke-service \\\n --global \\\n --health-checks=td-gke-health-check \\\n --protocol=TCP \\\n --load-balancing-scheme=INTERNAL_SELF_MANAGED\n```\n\nThe final step for setting up your backend service is to add your backend\ngroup. Because this step is standard Cloud Service Mesh setup (in other\nwords, nothing specific for TCP-based services), it is not shown here.\nFor more information, see\n[Create the backend service](/service-mesh/legacy/load-balancing-apis/set-up-gke-pods-auto#creating_the_backend_service)\nin the setup guide for GKE Pods with automatic Envoy injection.\n\n### Set up routing for your TCP-based backend service\n\nIn this section, you create a global\n[target TCP proxy](/load-balancing/docs/tcp)\nand a global [forwarding rule](/load-balancing/docs/forwarding-rule-concepts).\nThese resources enable your applications to send traffic to the backends with\nyour newly created backend services.\n\nConsider the following:\n\n- Your forwarding rule must have the load-balancing scheme `INTERNAL_SELF_MANAGED`.\n- The virtual IP address (VIP) and port that you configure in the forwarding\n rule are the VIP and port that your applications use when sending traffic to\n your TCP services. You can choose the VIP from one of your subnets.\n Cloud Service Mesh uses this VIP and port to match client requests to a\n particular backend service.\n\n For information about how client requests are matched to backend services, see\n [Service discovery](/service-mesh/docs/traffic-management/service-discovery#service_discovery).\n\n### gcloud\n\n1. Use the following command to create the target TCP proxy; replace\n \u003cvar translate=\"no\"\u003eBACKEND_SERVICE\u003c/var\u003e with the name of the backend service\n created in the previous step. In the following example, we use\n `td-tcp-proxy` as the name for the target TCP proxy, but you can choose\n a name that suits your needs.\n\n ```\n gcloud compute target-tcp-proxies create td-tcp-proxy \\\n --backend-service=BACKEND_SERVICE\n ```\n | **Note:** Each service that requires a different VIP address must use a different forwarding rule.\n2. Create the forwarding rule. The forwarding rule specifies the VIP and\n port that are used when matching client requests to a particular backend\n service. For more information, see\n [`gcloud compute forwarding-rules create`](/sdk/gcloud/reference/compute/forwarding-rules/create)\n in the `gcloud` command reference.\n\n ```\n gcloud compute forwarding-rules create td-tcp-forwarding-rule \\\n --global \\\n --load-balancing-scheme=INTERNAL_SELF_MANAGED \\\n --address=VIP\\\n --target-tcp-proxy=td-tcp-proxy \\\n --ports=PORT \\\n --network=default\n ```\n\nAt this point, Cloud Service Mesh is configured to load balance traffic for\nthe VIP specified in the forwarding rule across your backends.\n\nLimitations\n-----------\n\nYou cannot configure a Google Cloud Armor security policy if you are using\nTCP traffic routing.\n\nTroubleshooting\n---------------\n\nIf your applications are attempting to send requests to your TCP-based services,\ndo the following:\n\n- Confirm that the TCP health check port matches the port on which the TCP application expects to receive health check traffic.\n- Confirm that the port name of the backend service matches what is specified in the instance group.\n\nWhat's next\n-----------\n\n- [Prepare to set up Cloud Service Mesh with Envoy](/service-mesh/docs/service-routing/prepare-for-envoy-setup)\n- [Troubleshoot Envoy deployments](/service-mesh/docs/service-routing/troubleshooting)"]]
