Networking Considerations for TSE
If your deployment spans several VPCs or you apply security rules, you need to ensure that each TSE workload cluster can communicate with the central TSE Management Cluster.
Workload clusters communicate with the front-envoy component in the tse namespace, which is exposed by the envoy service:
kubectl describe svc -n tse envoy
The management plane exposes port 443 for external and workload-cluster traffic. Remote workload clusters connect to the management plane on this port to send telemetry and establish a persistent control (gRPC) channel.
For the purposes of firewall and security group configuration, you should ensure that workload clusters can reach the management plane using port 443 on the external IP of the tse envoy service.
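One way to confirm the rule described above is in effect, as an added example (not part of the TSE documentation): run it from a host or pod inside a workload cluster's network. It assumes the envoy service is of type LoadBalancer and that kubectl can reach the management cluster; the function names and the TSE_CHECK variable are hypothetical.

```shell
#!/bin/sh
# Added example: verify a workload cluster's network path to the TSE management plane.
# Assumption: the envoy service is type LoadBalancer and publishes an IP or hostname.

# Print the external address of the envoy service in the tse namespace.
# $1 (optional): kubeconfig context of the management cluster.
tse_mgmt_endpoint() {
    kubectl ${1:+--context "$1"} get svc -n tse envoy \
        -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}'
}

# Return 0 if a TCP connection to host $1, port $2 succeeds within 5 seconds.
check_tcp() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$1" "$2" >/dev/null 2>&1
    else
        # Fallback without netcat: bash's /dev/tcp pseudo-device.
        timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" >/dev/null 2>&1
    fi
}

# Resolve the endpoint and probe it. Returns 0 reachable, 1 blocked, 2 no address.
# $1 (optional): management-cluster context; $2 (optional): port, default 443.
check_mgmt_reachable() {
    addr=$(tse_mgmt_endpoint "${1:-}") || addr=""
    port=${2:-443}
    if [ -z "$addr" ]; then
        echo "envoy service in namespace tse has no external address" >&2
        return 2
    fi
    if check_tcp "$addr" "$port"; then
        echo "OK: $addr:$port reachable"
    else
        echo "BLOCKED: $addr:$port unreachable; check firewall and security group rules" >&2
        return 1
    fi
}

# Run the check only when invoked as: TSE_CHECK=1 sh thisfile [context]
if [ "${TSE_CHECK:-0}" = 1 ]; then
    check_mgmt_reachable "${1:-}"
fi
```

A return code of 2 means the service has no external address to allow-list yet; a return code of 1 means the address exists but the path on port 443 is filtered or closed.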