Networking Considerations for TSE

Inter-Cluster Communications

If your deployment spans several VPCs or you apply security rules, you need to ensure that each TSE workload cluster can communicate with the central TSE Management Cluster.

Communication is performed to the front-envoy component in the tse namespace, which is served by the envoy service:

kubectl describe svc -n tse envoy

The management plane exposes port 443 for external and workload-cluster traffic. Remote workload clusters connect to the management plane on this port, to send telemetry and establish a persistent control (gRPC) channel.

For the purposes of firewall and security group configuration, you should ensure that workload clusters can reach the management plane using port 443 on the external IP of the tse envoy service.