4 Istio Gateway: getting traffic into your cluster
This chapter covers

  • Defining entry points into a cluster
  • Routing ingress traffic to deployments in your cluster
  • Securing ingress traffic
  • Routing non-HTTP/S traffic

As we’ll see throughout the rest of this book, Istio allows us to solve some difficult challenges in service-to-service communication. For most of the book, we’ll assume a single cluster with a single Istio control-plane deployment, but in reality Istio’s capabilities are not limited to a single or homogeneous cluster. Even before we look at multi-cluster or hybrid deployments, though, we should understand how to connect different networks together. This chapter considers two different networks: the cluster in which the service mesh is deployed, and anything outside of that cluster.

Figure 4.1. We want to connect networks: clients running outside of our cluster to services running inside our cluster

We will most likely run interesting services and applications inside our cluster, and most of the communication between those services will stay within the cluster; that is where Istio shines. But what about clients that are deployed or exist outside of the cluster? In this chapter, we’ll take a look at connecting those clients that live outside the cluster to services running inside the cluster.

4.1 Traffic ingress concepts

4.1.1 Virtual IPs: simplifying service access

4.1.2 Virtual Hosting: multiple services from a single access point

4.2 Istio Ingress Gateway

4.2.1 Specifying Gateway resources

4.2.2 Gateway routing with Virtual Services

4.2.3 Overall view of traffic flow

4.2.4 Istio Ingress Gateway vs Kubernetes Ingress

4.2.5 Istio Ingress Gateway vs API Gateway

4.3 Securing Gateway traffic

4.3.1 HTTP traffic with TLS

4.3.2 HTTP redirect to HTTPS

4.3.3 HTTP traffic with mutual TLS

4.3.4 Serving multiple virtual hosts with TLS

4.4 TCP traffic

4.4.1 Exposing TCP ports on the Istio Gateway

4.4.2 Traffic routing with SNI Passthrough

4.5 Operational Tips

4.5.1 Split gateway responsibilities