4 Istio gateways: Getting traffic into a cluster


This chapter covers

  • Defining entry points into a cluster
  • Routing ingress traffic to deployments in your cluster
  • Securing ingress traffic
  • Routing non-HTTP/S traffic

We usually run interesting services and applications inside our cluster, and as we’ll see throughout the book, Istio allows us to solve some difficult challenges in service-to-service communication. It is in this service-to-service communication, within a cluster or across clusters, that Istio shines.

Before services communicate with each other, something must trigger the interactions: for example, an end user purchasing an item, a client querying our API, and so on. What these triggers have in common is that they originate outside of the cluster. This raises the question: how do we get traffic from outside the cluster into it (see figure 4.1)? In this chapter, we will answer the question by opening an entry point for clients that live outside the cluster to connect securely to services running inside the cluster.

Figure 4.1 We want to connect networks by connecting clients running outside of our cluster to services running inside our cluster.

4.1 Traffic ingress concepts

4.1.1 Virtual IPs: Simplifying service access

4.1.2 Virtual hosting: Multiple services from a single access point

4.2 Istio ingress gateways

4.2.1 Specifying Gateway resources

4.2.2 Gateway routing with virtual services

4.2.3 Overall view of traffic flow

4.2.4 Istio ingress gateway vs. Kubernetes Ingress

4.2.5 Istio ingress gateway vs. API gateways

4.3 Securing gateway traffic

4.3.1 HTTP traffic with TLS

4.3.2 HTTP redirect to HTTPS

4.3.3 HTTP traffic with mutual TLS