Cloud FunctionsThis guide explains how NVCF self-hosted deployments route traffic through the Kubernetes Gateway API, and how to configure DNS and HTTPS for production environments.
The NVCF self-hosted deployment uses the Kubernetes Gateway API for ingress traffic management. This provides:
The Gateway API is a Kubernetes standard with multiple implementations. The examples on this page use Envoy Gateway, but you can use any Gateway API-compliant controller that supports the requirements below.
Use this quickstart before any remote deployment path that needs NVCF services reachable through Gateway API, including one-click CLI, Helmfile, and standalone Helm chart installation.
Skip this section for local k3d flows that already create the local Gateway and route hostnames.
Install the Kubernetes Gateway API CRDs v1.2.0:
If you replace v1.2.0 with another version, verify compatibility with the GatewayClass and Gateway resources that you create.
Create the namespaces used by the Gateway and NVCF services, then label the route-owning namespaces so the Gateway can accept cross-namespace routes:
Install Envoy Gateway as the Gateway API controller:
Verify the controller pod is running:
Create the GatewayClass resource:
Create the Gateway resource with an HTTP listener on port 80 and a TCP listener on port 10081 for gRPC.
The annotations section is cloud-provider specific and controls how the
external load balancer is provisioned. Keep the AWS annotations for EKS. Replace
them with equivalent annotations for GKE, AKS, or on-prem load balancer
integrations.
Wait for the Gateway to be programmed and export the values used by the install guides:
Use GATEWAY_ADDR as the route hostname suffix for test environments without
production DNS. Use your production domain instead when you configure DNS and
HTTPS.
For one-click installs on remote clusters, configure the CLI before running
nvcf-cli self-hosted up. The command installs the control plane and then
immediately calls API, API Keys, invocation, and gRPC endpoints during health
and cluster registration phases.
Do not leave literal shell variables in the YAML. If you use production DNS and
HTTPS, set STACK_DOMAIN to your production domain and update the URL schemes
and ports accordingly.
The nvcf-gateway-routes chart creates standard Kubernetes Gateway API resources (HTTPRoute, TCPRoute) that work with any Gateway API-compliant controller. You are not locked into a specific implementation.
Popular implementations include Envoy Gateway (used in our examples), Istio, Traefik, Kong, Contour, and cloud-native options like GKE Gateway Controller.
There is no service mesh requirement. Envoy Gateway is not a service mesh. It is a Gateway API controller. You don’t need service mesh features like mTLS between pods for NVCF to function. If you already have Istio or another service mesh, you can use its Gateway API support instead.
Any Gateway API implementation you choose must support:
HTTPRoute for HTTP/HTTPS routing with hostname matchingTCPRoute for gRPC routing (requires experimental Gateway API CRDs)TCPRoute is experimental. Some Gateway API implementations may have limited or no TCPRoute support. Verify your chosen implementation supports TCPRoute before deploying. If it doesn’t, gRPC invocations won’t work through the gateway.
To use a different Gateway API implementation instead of Envoy Gateway:
Install your chosen controller following its documentation
Create namespaces with nvcf/platform=true labels as shown in Gateway quickstart
Create a GatewayClass for your controller
Create a Gateway with http (port 80) and tcp (port 10081) listeners
Update your install configuration to reference your Gateway:
The nvcf-gateway-routes chart will create HTTPRoutes and TCPRoutes that attach to your specified Gateway.
While technically possible to bypass the Gateway API entirely, this is not recommended:
nvcf-gateway-routes chart specifically creates Gateway API resourcesIf you have a specific requirement that prevents using Gateway API, you would need to:
nvcf-gateway-routes in your helmfileThe gateway architecture consists of two layers:
These resources must be created manually before deploying the control plane:
nvcf/platform=true labelsGatewayClass resourceGateway resource with http (port 80) and tcp (port 10081) listenersWhen you deploy the control plane via helmfile, the nvcf-gateway-routes chart automatically creates:
HTTPRoutes for API Keys, NVCF API, and Invocation servicesllmInvocation route is enabledvanityGateway route is enabledTCPRoute for gRPCReferenceGrants for cross-namespace routing permissionsThese routes attach to the Gateway you prepared in Gateway quickstart.
The <domain> is your Gateway’s load balancer address (e.g., a1b2c3d4.us-west-2.elb.amazonaws.com) or your custom domain. The helmfile deployment automatically configures the HTTPRoute hostnames using this value from your environment configuration.
When the LLM invocation route is enabled in self-managed deployments, send OpenAI-compatible requests to http://${GATEWAY_ADDR}/v1/... with Host: llm.invocation.${GATEWAY_ADDR} and set model to <function-id>/<model-name>.
For local and multi-cluster invocation-path diagrams, see Generic HTTP Function Invocation, gRPC Function Invocation, and LLM Gateway.
Vanity Gateway is disabled by default. It is available only in stack packages
that include the Vanity Gateway addon. If your extracted stack package does not
contain a vanity-gateway release and vanityGateway route values, skip this
section until you use a stack package that includes them.
Enable it only when you need a customer-facing hostname or mapping layer in front of the standard NVCF service routes. In Helmfile-based stack packages that include the addon, set:
By default, the route host is vanity.<domain> and the backend is
vanity-gateway.nvcf:8080. Use addons.vanityGateway.mappingConfig for the
host and path mappings required by your deployment. If you need custom vanity
hostnames instead of vanity.<domain>, configure the route hostname overrides
supported by your stack package, then create matching DNS records for those
hosts.
Host header and matches it against HTTPRoute hostnames.api-keys service on port 8080).grpc service. No hostname matching is required.gRPC doesn’t need Host headers because it uses a dedicated TCP listener on port 10081. The gateway routes all traffic on that port directly to the gRPC service without hostname matching.
After deploying the control plane, use these commands to verify your gateway configuration.
The gateway routes requests based on the Host header. Check what hostnames are configured:
If Vanity Gateway is disabled or your stack package does not include the addon,
the vanity-gateway HTTPRoute is not expected.
For development and testing when you don’t have DNS configured, you can use Host header overrides to route requests through the gateway.
The Envoy Gateway uses hostname-based routing to direct traffic to different backend services through a single load balancer. When you send a request to the raw load balancer address (e.g., http://a1b2c3d4.elb.amazonaws.com), the gateway needs to know which service to route to.
Without the correct Host header, the gateway cannot match the request to an HTTPRoute and returns 404.
Host header routing only works with plaintext HTTP traffic. Without TLS/SNI spoofing support in your client, you cannot use HTTPS with this method. The TLS handshake occurs before the Host header is sent, so the server cannot route based on a custom Host header when using HTTPS. For encrypted traffic, use proper DNS records as described in production-dns-https.
When using tools that support custom Host headers (like the NVCF CLI or curl), specify the expected hostname:
For the NVCF CLI, configure the *_host settings in your configuration file:
See cli-configuration for complete CLI configuration documentation.
For production deployments, configure proper DNS and TLS to eliminate the need for Host header overrides.
With proper DNS and HTTPS:
api-keys.nvcf.example.com) to your Gateway’s load balancerSelect a domain you control for your NVCF deployment:
Create DNS records pointing to your Gateway’s load balancer address:
Automate with external-dns. The nvcf-gateway-routes chart supports routeAnnotations for automatic DNS record creation via external-dns. See the chart’s README for configuration examples.
Update your helmfile environment to use your custom domain instead of the load balancer address:
Redeploy to update the HTTPRoute hostnames:
Verify the routes updated:
For TLS, you have two main options:
Terminate TLS at the AWS NLB using ACM certificates:
*.nvcf.example.comUse cert-manager to automatically provision Let’s Encrypt certificates:
Then update your Gateway to use HTTPS listeners with the certificate secret.
With DNS and HTTPS configured, client configurations simplify significantly:
If you receive 404 errors when accessing services:
Verify the Host header matches the HTTPRoute hostname:
Confirm the gateway is programmed:
Check route attachment:
If routes show 0 attached in gateway status:
Verify namespace labels:
Check ReferenceGrants exist:
Review gateway listener configuration:
For gRPC connection problems:
Verify port 10081 is exposed:
Test with grpcurl:
Check TCPRoute status: