The gcp:networkservices/tlsRoute:TlsRoute resource, part of the Pulumi GCP provider, defines TLS routing rules that direct encrypted traffic to backend services based on SNI hostname and protocol matching. This guide focuses on three capabilities: SNI-based traffic routing, mesh attachment for sidecar proxies, and gateway attachment for edge routing.
TLS routes reference backend services and attach to either mesh or gateway infrastructure. The examples are intentionally small. Combine them with your own backend services and network infrastructure.
Route TLS traffic by SNI hostname
Applications exposing TLS services need to route incoming connections based on the Server Name Indication (SNI) hostname that clients request, allowing multiple services to share the same IP address.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const defaultHttpHealthCheck = new gcp.compute.HttpHealthCheck("default", {
name: "backend-service-health-check",
requestPath: "/",
checkIntervalSec: 1,
timeoutSec: 1,
});
const _default = new gcp.compute.BackendService("default", {
name: "my-backend-service",
healthChecks: defaultHttpHealthCheck.id,
});
const defaultTlsRoute = new gcp.networkservices.TlsRoute("default", {
name: "my-tls-route",
description: "my description",
rules: [{
matches: [{
sniHosts: ["example.com"],
alpns: ["http/1.1"],
}],
action: {
destinations: [{
serviceName: _default.id,
weight: 1,
}],
},
}],
});
import pulumi
import pulumi_gcp as gcp
default_http_health_check = gcp.compute.HttpHealthCheck("default",
name="backend-service-health-check",
request_path="/",
check_interval_sec=1,
timeout_sec=1)
default = gcp.compute.BackendService("default",
name="my-backend-service",
health_checks=default_http_health_check.id)
default_tls_route = gcp.networkservices.TlsRoute("default",
name="my-tls-route",
description="my description",
rules=[{
"matches": [{
"sni_hosts": ["example.com"],
"alpns": ["http/1.1"],
}],
"action": {
"destinations": [{
"service_name": default.id,
"weight": 1,
}],
},
}])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/networkservices"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
defaultHttpHealthCheck, err := compute.NewHttpHealthCheck(ctx, "default", &compute.HttpHealthCheckArgs{
Name: pulumi.String("backend-service-health-check"),
RequestPath: pulumi.String("/"),
CheckIntervalSec: pulumi.Int(1),
TimeoutSec: pulumi.Int(1),
})
if err != nil {
return err
}
_default, err := compute.NewBackendService(ctx, "default", &compute.BackendServiceArgs{
Name: pulumi.String("my-backend-service"),
HealthChecks: defaultHttpHealthCheck.ID(),
})
if err != nil {
return err
}
_, err = networkservices.NewTlsRoute(ctx, "default", &networkservices.TlsRouteArgs{
Name: pulumi.String("my-tls-route"),
Description: pulumi.String("my description"),
Rules: networkservices.TlsRouteRuleArray{
&networkservices.TlsRouteRuleArgs{
Matches: networkservices.TlsRouteRuleMatchArray{
&networkservices.TlsRouteRuleMatchArgs{
SniHosts: pulumi.StringArray{
pulumi.String("example.com"),
},
Alpns: pulumi.StringArray{
pulumi.String("http/1.1"),
},
},
},
Action: &networkservices.TlsRouteRuleActionArgs{
Destinations: networkservices.TlsRouteRuleActionDestinationArray{
&networkservices.TlsRouteRuleActionDestinationArgs{
ServiceName: _default.ID(),
Weight: pulumi.Int(1),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var defaultHttpHealthCheck = new Gcp.Compute.HttpHealthCheck("default", new()
{
Name = "backend-service-health-check",
RequestPath = "/",
CheckIntervalSec = 1,
TimeoutSec = 1,
});
var @default = new Gcp.Compute.BackendService("default", new()
{
Name = "my-backend-service",
HealthChecks = defaultHttpHealthCheck.Id,
});
var defaultTlsRoute = new Gcp.NetworkServices.TlsRoute("default", new()
{
Name = "my-tls-route",
Description = "my description",
Rules = new[]
{
new Gcp.NetworkServices.Inputs.TlsRouteRuleArgs
{
Matches = new[]
{
new Gcp.NetworkServices.Inputs.TlsRouteRuleMatchArgs
{
SniHosts = new[]
{
"example.com",
},
Alpns = new[]
{
"http/1.1",
},
},
},
Action = new Gcp.NetworkServices.Inputs.TlsRouteRuleActionArgs
{
Destinations = new[]
{
new Gcp.NetworkServices.Inputs.TlsRouteRuleActionDestinationArgs
{
ServiceName = @default.Id,
Weight = 1,
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.HttpHealthCheck;
import com.pulumi.gcp.compute.HttpHealthCheckArgs;
import com.pulumi.gcp.compute.BackendService;
import com.pulumi.gcp.compute.BackendServiceArgs;
import com.pulumi.gcp.networkservices.TlsRoute;
import com.pulumi.gcp.networkservices.TlsRouteArgs;
import com.pulumi.gcp.networkservices.inputs.TlsRouteRuleArgs;
import com.pulumi.gcp.networkservices.inputs.TlsRouteRuleActionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultHttpHealthCheck = new HttpHealthCheck("defaultHttpHealthCheck", HttpHealthCheckArgs.builder()
.name("backend-service-health-check")
.requestPath("/")
.checkIntervalSec(1)
.timeoutSec(1)
.build());
var default_ = new BackendService("default", BackendServiceArgs.builder()
.name("my-backend-service")
.healthChecks(defaultHttpHealthCheck.id())
.build());
var defaultTlsRoute = new TlsRoute("defaultTlsRoute", TlsRouteArgs.builder()
.name("my-tls-route")
.description("my description")
.rules(TlsRouteRuleArgs.builder()
.matches(TlsRouteRuleMatchArgs.builder()
.sniHosts("example.com")
.alpns("http/1.1")
.build())
.action(TlsRouteRuleActionArgs.builder()
.destinations(TlsRouteRuleActionDestinationArgs.builder()
.serviceName(default_.id())
.weight(1)
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:compute:BackendService
properties:
name: my-backend-service
healthChecks: ${defaultHttpHealthCheck.id}
defaultHttpHealthCheck:
type: gcp:compute:HttpHealthCheck
name: default
properties:
name: backend-service-health-check
requestPath: /
checkIntervalSec: 1
timeoutSec: 1
defaultTlsRoute:
type: gcp:networkservices:TlsRoute
name: default
properties:
name: my-tls-route
description: my description
rules:
- matches:
- sniHosts:
- example.com
alpns:
- http/1.1
action:
destinations:
- serviceName: ${default.id}
weight: 1
When a client initiates a TLS connection, the route examines the SNI hostname in the ClientHello message. The matches block defines which sniHosts trigger this rule. The action block specifies the backend service destination by serviceName. This configuration directs all connections requesting “example.com” to the specified backend service.
Attach routes to service mesh infrastructure
Service mesh deployments use TLS routes to control how sidecar proxies route encrypted traffic between services.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const defaultHttpHealthCheck = new gcp.compute.HttpHealthCheck("default", {
name: "backend-service-health-check",
requestPath: "/",
checkIntervalSec: 1,
timeoutSec: 1,
});
const _default = new gcp.compute.BackendService("default", {
name: "my-backend-service",
healthChecks: defaultHttpHealthCheck.id,
});
const defaultMesh = new gcp.networkservices.Mesh("default", {
name: "my-tls-route",
labels: {
foo: "bar",
},
description: "my description",
});
const defaultTlsRoute = new gcp.networkservices.TlsRoute("default", {
name: "my-tls-route",
description: "my description",
meshes: [defaultMesh.id],
rules: [{
matches: [{
sniHosts: ["example.com"],
alpns: ["http/1.1"],
}],
action: {
destinations: [{
serviceName: _default.id,
weight: 1,
}],
},
}],
});
import pulumi
import pulumi_gcp as gcp
default_http_health_check = gcp.compute.HttpHealthCheck("default",
name="backend-service-health-check",
request_path="/",
check_interval_sec=1,
timeout_sec=1)
default = gcp.compute.BackendService("default",
name="my-backend-service",
health_checks=default_http_health_check.id)
default_mesh = gcp.networkservices.Mesh("default",
name="my-tls-route",
labels={
"foo": "bar",
},
description="my description")
default_tls_route = gcp.networkservices.TlsRoute("default",
name="my-tls-route",
description="my description",
meshes=[default_mesh.id],
rules=[{
"matches": [{
"sni_hosts": ["example.com"],
"alpns": ["http/1.1"],
}],
"action": {
"destinations": [{
"service_name": default.id,
"weight": 1,
}],
},
}])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/networkservices"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
defaultHttpHealthCheck, err := compute.NewHttpHealthCheck(ctx, "default", &compute.HttpHealthCheckArgs{
Name: pulumi.String("backend-service-health-check"),
RequestPath: pulumi.String("/"),
CheckIntervalSec: pulumi.Int(1),
TimeoutSec: pulumi.Int(1),
})
if err != nil {
return err
}
_default, err := compute.NewBackendService(ctx, "default", &compute.BackendServiceArgs{
Name: pulumi.String("my-backend-service"),
HealthChecks: defaultHttpHealthCheck.ID(),
})
if err != nil {
return err
}
defaultMesh, err := networkservices.NewMesh(ctx, "default", &networkservices.MeshArgs{
Name: pulumi.String("my-tls-route"),
Labels: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
Description: pulumi.String("my description"),
})
if err != nil {
return err
}
_, err = networkservices.NewTlsRoute(ctx, "default", &networkservices.TlsRouteArgs{
Name: pulumi.String("my-tls-route"),
Description: pulumi.String("my description"),
Meshes: pulumi.StringArray{
defaultMesh.ID(),
},
Rules: networkservices.TlsRouteRuleArray{
&networkservices.TlsRouteRuleArgs{
Matches: networkservices.TlsRouteRuleMatchArray{
&networkservices.TlsRouteRuleMatchArgs{
SniHosts: pulumi.StringArray{
pulumi.String("example.com"),
},
Alpns: pulumi.StringArray{
pulumi.String("http/1.1"),
},
},
},
Action: &networkservices.TlsRouteRuleActionArgs{
Destinations: networkservices.TlsRouteRuleActionDestinationArray{
&networkservices.TlsRouteRuleActionDestinationArgs{
ServiceName: _default.ID(),
Weight: pulumi.Int(1),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var defaultHttpHealthCheck = new Gcp.Compute.HttpHealthCheck("default", new()
{
Name = "backend-service-health-check",
RequestPath = "/",
CheckIntervalSec = 1,
TimeoutSec = 1,
});
var @default = new Gcp.Compute.BackendService("default", new()
{
Name = "my-backend-service",
HealthChecks = defaultHttpHealthCheck.Id,
});
var defaultMesh = new Gcp.NetworkServices.Mesh("default", new()
{
Name = "my-tls-route",
Labels =
{
{ "foo", "bar" },
},
Description = "my description",
});
var defaultTlsRoute = new Gcp.NetworkServices.TlsRoute("default", new()
{
Name = "my-tls-route",
Description = "my description",
Meshes = new[]
{
defaultMesh.Id,
},
Rules = new[]
{
new Gcp.NetworkServices.Inputs.TlsRouteRuleArgs
{
Matches = new[]
{
new Gcp.NetworkServices.Inputs.TlsRouteRuleMatchArgs
{
SniHosts = new[]
{
"example.com",
},
Alpns = new[]
{
"http/1.1",
},
},
},
Action = new Gcp.NetworkServices.Inputs.TlsRouteRuleActionArgs
{
Destinations = new[]
{
new Gcp.NetworkServices.Inputs.TlsRouteRuleActionDestinationArgs
{
ServiceName = @default.Id,
Weight = 1,
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.HttpHealthCheck;
import com.pulumi.gcp.compute.HttpHealthCheckArgs;
import com.pulumi.gcp.compute.BackendService;
import com.pulumi.gcp.compute.BackendServiceArgs;
import com.pulumi.gcp.networkservices.Mesh;
import com.pulumi.gcp.networkservices.MeshArgs;
import com.pulumi.gcp.networkservices.TlsRoute;
import com.pulumi.gcp.networkservices.TlsRouteArgs;
import com.pulumi.gcp.networkservices.inputs.TlsRouteRuleArgs;
import com.pulumi.gcp.networkservices.inputs.TlsRouteRuleActionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultHttpHealthCheck = new HttpHealthCheck("defaultHttpHealthCheck", HttpHealthCheckArgs.builder()
.name("backend-service-health-check")
.requestPath("/")
.checkIntervalSec(1)
.timeoutSec(1)
.build());
var default_ = new BackendService("default", BackendServiceArgs.builder()
.name("my-backend-service")
.healthChecks(defaultHttpHealthCheck.id())
.build());
var defaultMesh = new Mesh("defaultMesh", MeshArgs.builder()
.name("my-tls-route")
.labels(Map.of("foo", "bar"))
.description("my description")
.build());
var defaultTlsRoute = new TlsRoute("defaultTlsRoute", TlsRouteArgs.builder()
.name("my-tls-route")
.description("my description")
.meshes(defaultMesh.id())
.rules(TlsRouteRuleArgs.builder()
.matches(TlsRouteRuleMatchArgs.builder()
.sniHosts("example.com")
.alpns("http/1.1")
.build())
.action(TlsRouteRuleActionArgs.builder()
.destinations(TlsRouteRuleActionDestinationArgs.builder()
.serviceName(default_.id())
.weight(1)
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:compute:BackendService
properties:
name: my-backend-service
healthChecks: ${defaultHttpHealthCheck.id}
defaultHttpHealthCheck:
type: gcp:compute:HttpHealthCheck
name: default
properties:
name: backend-service-health-check
requestPath: /
checkIntervalSec: 1
timeoutSec: 1
defaultMesh:
type: gcp:networkservices:Mesh
name: default
properties:
name: my-tls-route
labels:
foo: bar
description: my description
defaultTlsRoute:
type: gcp:networkservices:TlsRoute
name: default
properties:
name: my-tls-route
description: my description
meshes:
- ${defaultMesh.id}
rules:
- matches:
- sniHosts:
- example.com
alpns:
- http/1.1
action:
destinations:
- serviceName: ${default.id}
weight: 1
The meshes property attaches this route to a service mesh, making the routing rules available to all sidecar proxies in that mesh. The mesh must be of type SIDECAR. This configuration extends basic SNI routing by distributing rules across mesh infrastructure rather than standalone routing.
Attach routes to gateway infrastructure
Gateway deployments use TLS routes to control how edge proxies route encrypted traffic from external clients.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const defaultHttpHealthCheck = new gcp.compute.HttpHealthCheck("default", {
name: "backend-service-health-check",
requestPath: "/",
checkIntervalSec: 1,
timeoutSec: 1,
});
const _default = new gcp.compute.BackendService("default", {
name: "my-backend-service",
healthChecks: defaultHttpHealthCheck.id,
});
const defaultGateway = new gcp.networkservices.Gateway("default", {
name: "my-tls-route",
labels: {
foo: "bar",
},
description: "my description",
scope: "my-scope",
type: "OPEN_MESH",
ports: [443],
});
const defaultTlsRoute = new gcp.networkservices.TlsRoute("default", {
name: "my-tls-route",
description: "my description",
gateways: [defaultGateway.id],
rules: [{
matches: [{
sniHosts: ["example.com"],
alpns: ["http/1.1"],
}],
action: {
destinations: [{
serviceName: _default.id,
weight: 1,
}],
},
}],
});
import pulumi
import pulumi_gcp as gcp
default_http_health_check = gcp.compute.HttpHealthCheck("default",
name="backend-service-health-check",
request_path="/",
check_interval_sec=1,
timeout_sec=1)
default = gcp.compute.BackendService("default",
name="my-backend-service",
health_checks=default_http_health_check.id)
default_gateway = gcp.networkservices.Gateway("default",
name="my-tls-route",
labels={
"foo": "bar",
},
description="my description",
scope="my-scope",
type="OPEN_MESH",
ports=[443])
default_tls_route = gcp.networkservices.TlsRoute("default",
name="my-tls-route",
description="my description",
gateways=[default_gateway.id],
rules=[{
"matches": [{
"sni_hosts": ["example.com"],
"alpns": ["http/1.1"],
}],
"action": {
"destinations": [{
"service_name": default.id,
"weight": 1,
}],
},
}])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/networkservices"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
defaultHttpHealthCheck, err := compute.NewHttpHealthCheck(ctx, "default", &compute.HttpHealthCheckArgs{
Name: pulumi.String("backend-service-health-check"),
RequestPath: pulumi.String("/"),
CheckIntervalSec: pulumi.Int(1),
TimeoutSec: pulumi.Int(1),
})
if err != nil {
return err
}
_default, err := compute.NewBackendService(ctx, "default", &compute.BackendServiceArgs{
Name: pulumi.String("my-backend-service"),
HealthChecks: defaultHttpHealthCheck.ID(),
})
if err != nil {
return err
}
defaultGateway, err := networkservices.NewGateway(ctx, "default", &networkservices.GatewayArgs{
Name: pulumi.String("my-tls-route"),
Labels: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
Description: pulumi.String("my description"),
Scope: pulumi.String("my-scope"),
Type: pulumi.String("OPEN_MESH"),
Ports: pulumi.IntArray{
pulumi.Int(443),
},
})
if err != nil {
return err
}
_, err = networkservices.NewTlsRoute(ctx, "default", &networkservices.TlsRouteArgs{
Name: pulumi.String("my-tls-route"),
Description: pulumi.String("my description"),
Gateways: pulumi.StringArray{
defaultGateway.ID(),
},
Rules: networkservices.TlsRouteRuleArray{
&networkservices.TlsRouteRuleArgs{
Matches: networkservices.TlsRouteRuleMatchArray{
&networkservices.TlsRouteRuleMatchArgs{
SniHosts: pulumi.StringArray{
pulumi.String("example.com"),
},
Alpns: pulumi.StringArray{
pulumi.String("http/1.1"),
},
},
},
Action: &networkservices.TlsRouteRuleActionArgs{
Destinations: networkservices.TlsRouteRuleActionDestinationArray{
&networkservices.TlsRouteRuleActionDestinationArgs{
ServiceName: _default.ID(),
Weight: pulumi.Int(1),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var defaultHttpHealthCheck = new Gcp.Compute.HttpHealthCheck("default", new()
{
Name = "backend-service-health-check",
RequestPath = "/",
CheckIntervalSec = 1,
TimeoutSec = 1,
});
var @default = new Gcp.Compute.BackendService("default", new()
{
Name = "my-backend-service",
HealthChecks = defaultHttpHealthCheck.Id,
});
var defaultGateway = new Gcp.NetworkServices.Gateway("default", new()
{
Name = "my-tls-route",
Labels =
{
{ "foo", "bar" },
},
Description = "my description",
Scope = "my-scope",
Type = "OPEN_MESH",
Ports = new[]
{
443,
},
});
var defaultTlsRoute = new Gcp.NetworkServices.TlsRoute("default", new()
{
Name = "my-tls-route",
Description = "my description",
Gateways = new[]
{
defaultGateway.Id,
},
Rules = new[]
{
new Gcp.NetworkServices.Inputs.TlsRouteRuleArgs
{
Matches = new[]
{
new Gcp.NetworkServices.Inputs.TlsRouteRuleMatchArgs
{
SniHosts = new[]
{
"example.com",
},
Alpns = new[]
{
"http/1.1",
},
},
},
Action = new Gcp.NetworkServices.Inputs.TlsRouteRuleActionArgs
{
Destinations = new[]
{
new Gcp.NetworkServices.Inputs.TlsRouteRuleActionDestinationArgs
{
ServiceName = @default.Id,
Weight = 1,
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.HttpHealthCheck;
import com.pulumi.gcp.compute.HttpHealthCheckArgs;
import com.pulumi.gcp.compute.BackendService;
import com.pulumi.gcp.compute.BackendServiceArgs;
import com.pulumi.gcp.networkservices.Gateway;
import com.pulumi.gcp.networkservices.GatewayArgs;
import com.pulumi.gcp.networkservices.TlsRoute;
import com.pulumi.gcp.networkservices.TlsRouteArgs;
import com.pulumi.gcp.networkservices.inputs.TlsRouteRuleArgs;
import com.pulumi.gcp.networkservices.inputs.TlsRouteRuleActionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultHttpHealthCheck = new HttpHealthCheck("defaultHttpHealthCheck", HttpHealthCheckArgs.builder()
.name("backend-service-health-check")
.requestPath("/")
.checkIntervalSec(1)
.timeoutSec(1)
.build());
var default_ = new BackendService("default", BackendServiceArgs.builder()
.name("my-backend-service")
.healthChecks(defaultHttpHealthCheck.id())
.build());
var defaultGateway = new Gateway("defaultGateway", GatewayArgs.builder()
.name("my-tls-route")
.labels(Map.of("foo", "bar"))
.description("my description")
.scope("my-scope")
.type("OPEN_MESH")
.ports(443)
.build());
var defaultTlsRoute = new TlsRoute("defaultTlsRoute", TlsRouteArgs.builder()
.name("my-tls-route")
.description("my description")
.gateways(defaultGateway.id())
.rules(TlsRouteRuleArgs.builder()
.matches(TlsRouteRuleMatchArgs.builder()
.sniHosts("example.com")
.alpns("http/1.1")
.build())
.action(TlsRouteRuleActionArgs.builder()
.destinations(TlsRouteRuleActionDestinationArgs.builder()
.serviceName(default_.id())
.weight(1)
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:compute:BackendService
properties:
name: my-backend-service
healthChecks: ${defaultHttpHealthCheck.id}
defaultHttpHealthCheck:
type: gcp:compute:HttpHealthCheck
name: default
properties:
name: backend-service-health-check
requestPath: /
checkIntervalSec: 1
timeoutSec: 1
defaultGateway:
type: gcp:networkservices:Gateway
name: default
properties:
name: my-tls-route
labels:
foo: bar
description: my description
scope: my-scope
type: OPEN_MESH
ports:
- 443
defaultTlsRoute:
type: gcp:networkservices:TlsRoute
name: default
properties:
name: my-tls-route
description: my description
gateways:
- ${defaultGateway.id}
rules:
- matches:
- sniHosts:
- example.com
alpns:
- http/1.1
action:
destinations:
- serviceName: ${default.id}
weight: 1
The gateways property attaches this route to a gateway resource, making the routing rules available at the gateway’s listening ports. This provides an alternative to mesh attachment, focusing on edge routing rather than service-to-service communication. The gateway must be configured with appropriate ports (typically 443 for TLS).
Beyond these examples
These snippets focus on specific TLS route features: SNI-based routing, mesh and gateway attachment, and backend service destinations. They’re intentionally minimal rather than full traffic management solutions.
The examples reference pre-existing infrastructure such as backend services with health checks, and mesh or gateway resources for attachment examples. They focus on configuring the route rather than provisioning the complete network infrastructure.
To keep things focused, common TLS route patterns are omitted, including:
- Multiple routing rules per route
- ALPN protocol matching beyond http/1.1
- Traffic weighting across multiple destinations
- Route labels and metadata
These omissions are intentional: the goal is to illustrate how each TLS route feature is wired, not provide drop-in traffic management modules. See the TlsRoute resource reference for all available configuration options.
Let's configure GCP TLS Routes
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Attachment
What's the difference between attaching to gateways and meshes?
Gateways and meshes are different attachment points for TlsRoute. Use
gateways to attach to gateway resources, or meshes to attach to mesh resources. The examples show separate configurations for each approach.How do I attach a TlsRoute to a gateway?
Set the
gateways property with gateway IDs following the pattern projects/*/locations/global/gateways/<gateway_name>.How do I attach a TlsRoute to a mesh?
Set the
meshes property with mesh IDs following the pattern projects/*/locations/global/meshes/<mesh_name>. The mesh must be type SIDECAR.Routing & Traffic Matching
How do I configure traffic matching rules?
Configure
rules[].matches with sniHosts for SNI hostname matching (e.g., ["example.com"]) and alpns for protocol matching (e.g., ["http/1.1"]).What backend services can I route traffic to?
Route to
compute.BackendService resources by setting rules[].action.destinations[].serviceName to the backend service ID.How do I distribute traffic across multiple backends?
Add multiple destinations in
rules[].action.destinations, each with a serviceName and weight to control traffic distribution.Constraints & Immutability
What properties can't I change after creation?
The
name and project properties are immutable. Changing either forces resource replacement.What type of mesh can I attach a TlsRoute to?
The attached mesh must be of type SIDECAR.
Using a different cloud?
Explore networking guides for other cloud providers: