4 Istio Gateway: getting traffic into your cluster

This chapter covers:

  • Defining entry points into a cluster
  • Routing ingress traffic to deployments in your cluster
  • Securing ingress traffic
  • Routing non-HTTP/S (raw TCP and TLS-passthrough) traffic

As we’ll see throughout the rest of this book, Istio lets us solve some difficult problems in service-to-service communication. For most of the book we assume a single cluster with a single Istio control-plane deployment, but Istio’s capabilities are not limited to one cluster, nor to a homogeneous one. Before we look at multi-cluster or hybrid deployments, though, we need to understand how to connect two networks at all. This chapter considers exactly two: the network inside the cluster, where the service mesh and our own services are deployed, and everything outside of it.

Figure 4.1. We want to connect networks: clients running outside of our cluster to services running inside our cluster

The interesting services and applications run inside the cluster, and much of their communication is service-to-service within the cluster, which is where Istio shines. But what about clients that are deployed, or simply exist, outside the cluster? In this chapter we look at how to connect those external clients to services running inside the cluster, and how to do so without exposing more than we intend.
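To make the two pieces concrete before the detailed sections, here is the pair of resources Istio uses to admit outside traffic: a Gateway, which tells the ingress proxy which ports and hostnames to listen on, and a VirtualService, which routes what arrives at that Gateway to a Service in the cluster. This is an added example written for this page, not configuration from the book or the Istio project; the hostname webapp.example.com, the istioinaction namespace, the webapp Service on port 8080 and the webapp-credential TLS secret are all assumed names for illustration.

```yaml
# Added example (not from the book). Assumed names: webapp.example.com,
# namespace istioinaction, Service webapp:8080, TLS secret webapp-credential.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: webapp-gateway
  namespace: istioinaction
spec:
  # Bind this Gateway to the ingress gateway pods Istio deploys; they carry
  # the label istio: ingressgateway (by default in istio-system).
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    # Name the host explicitly. A "*" here would make the proxy accept any
    # Host header and let any VirtualService bound to this Gateway claim it.
    hosts:
    - "webapp.example.com"
    tls:
      # Do not serve content over plain HTTP; answer with a redirect to HTTPS.
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "webapp.example.com"
    tls:
      # Terminate TLS at the gateway with a server certificate only.
      mode: SIMPLE
      # A kubernetes.io/tls secret (tls.crt, tls.key) that must live in the
      # namespace of the ingress gateway pods, not of this Gateway resource.
      credentialName: webapp-credential
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: webapp
  namespace: istioinaction
spec:
  # Must match a host listed on the Gateway server, or nothing is routed.
  hosts:
  - "webapp.example.com"
  # Same namespace as the Gateway, so no "namespace/" prefix is needed.
  gateways:
  - webapp-gateway
  http:
  - route:
    - destination:
        host: webapp.istioinaction.svc.cluster.local
        port:
          number: 8080
```

Apply both with `kubectl apply -f` and run `istioctl analyze -n istioinaction` to catch the two mistakes that silently drop traffic: a VirtualService host that does not match any Gateway server host, and a `credentialName` whose secret is not in the ingress gateway pod's namespace. The explicit hostnames on both resources are the security-relevant choice: they limit what the gateway will answer for and what each VirtualService can claim, which the wildcard form does not.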

4.1  Traffic ingress concepts

4.1.1  Virtual IPs: simplifying service access

4.1.2  Virtual Hosting: multiple services from a single access point

4.2  Istio Gateway

4.2.1  Specifying Gateway resources

4.2.2  Gateway routing with Virtual Services

4.2.3  Overall view of traffic flow

4.2.4  Istio Gateway vs Kubernetes Ingress

4.3  Securing Gateway traffic

4.3.1  HTTP traffic with TLS

4.3.2  HTTP redirect to HTTPS

4.3.3  HTTP traffic with mutual TLS

4.3.4  Serving multiple virtual hosts with TLS

4.4  TCP traffic

4.4.1  Exposing TCP ports on the Istio Gateway

4.4.2  Traffic routing with SNI and TLS

4.5  Summary