Skip to content

TLSRoute API Reference


With integration of the Gateway API, AWS Gateway API Controller supports TLSRoute. This allows you to define and manage end-to-end TLS encrypted traffic routing to your Kubernetes clusters.


  • TLSRoute sectionName must refer to a TLS protocol listener with mode: Passthrough in the parentRefs Gateway.
  • TLSRoute only supports to have one rule.
  • TLSRoute does not support any rule matching condition.
  • The hostnames field with exactly one host name is required.

Example Configuration

Here is a sample configuration that demonstrates how to set up a TLSRoute resource to route end-to-end TLS encrypted traffic to a nginx service:

kind: TLSRoute
  name: nginx-tls-route
    - name: my-hotel-tls-passthrough
      sectionName: tls
    - backendRefs:
        - name: nginx-tls
          kind: Service
          port: 443

In this example:

  • The TLSRoute is named nginx-tls-route and is associated with a parent gateway named my-hotel-tls-passthrough that has a listener section named tls:
        - name: tls
          protocol: TLS
          port: 443
            mode: Passthrough
  • The TLSRoute is configured to route traffic to a k8s service named nginx-tls on port 443.
  • The hostnames field is set to The customer must use this hostname to send traffic to the nginx service.

For the detailed tls passthrough traffic connectivity setup, please refer the user guide here.

For the detailed Gateway API TLSRoute resource specifications, you can refer to the Kubernetes official documentation.

For the VPC Lattice tls passthrough Listener configuration details, you can refer to the VPC Lattice documentation.