North-South Traffic Management of Istio Gateways (with Answers from Service Mesh Experts)

Istio Gateway

How an Istio Gateway Works

Figure 1: How an Istio gateway works

Load Balancing of Istio Gateways

Figure 2: Gateway usage in mesh
Figure 3: Ingress gateway service of Istio
  • Firstly, Kubernetes Ingress is a simple specification for HTTP workloads. Every Ingress implementation, such as Nginx or Heptio Contour, deals only with HTTP traffic; in fact, the Ingress specification only considers port 80 and port 443 as entry points. This severely limits the kinds of traffic a cluster operator can admit into the service mesh. If you run Kafka, for example, you may want to expose direct TCP connections to the brokers.
  • Secondly, the Kubernetes Ingress API cannot express the routing requirements of Istio. Ingress has no common way to specify complex traffic-routing rules such as traffic splitting or traffic mirroring. This gap leaves each vendor to work out how best to manage the configuration of its own Ingress implementation, such as HAProxy or Nginx. Ingress aims at the common subset of what different HTTP proxies offer, so it supports only the most basic HTTP routing.
  • Lastly, because no specification covers the rest, most vendors fall back on custom annotations on the deployment. These annotations differ between vendors and are not portable. If Istio also relied on this approach, it would need still more annotations to expose everything Envoy can do as an edge gateway.
  • HTTP: port 80, forwarded to NodePort 30080.
  • HTTPS: port 443, forwarded to NodePort 30443.
  • MySQL: port 3306, forwarded to NodePort 30306.

Ingress Gateway Service

ports:
- name: http2
  nodePort: 30080   # NodePort for the HTTP entry (port 80 -> 30080)
  port: 80
  protocol: TCP
- name: https
  nodePort: 30443
  port: 443
  protocol: TCP
- name: mysql
  nodePort: 30306
  port: 3306
  protocol: TCP

Ingress Gateway Deployment

Gateway Resources

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: default-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - '*'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
  - hosts:
    - '*'   # For TCP routing this field seems to be ignored, but it is matched against the VirtualService; '*' matches anything.
    port:
      name: mysql
      number: 3306
      protocol: TCP

Gateway Virtual Service

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: counter
spec:
  gateways:
  - istio-system/default-gateway   # <namespace>/<name>; the Gateway lives in istio-system
  hosts:
  - counter.lab.example.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: counter
        port:
          number: 80
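The Gateway above accepts every host on a plaintext port 80, reads its key from a file mounted into the gateway pod, and declares a MySQL TCP server without the VirtualService that would actually route it. As an added example (not from the original post, and not Istio's own sample configuration), here is the same pair written the way a security review would want it: hosts restricted to the domain actually served, HTTP answered with a redirect to HTTPS, the certificate taken from a Kubernetes TLS Secret via SDS (Istio 1.1 and later) instead of a mounted file, and a TCP VirtualService for port 3306. The Secret name lab-gateway-cert, the mysql Service in the default namespace and the *.lab.example.com domain are assumptions.

```yaml
# Added example, not from the original post. Names marked below are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: default-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "*.lab.example.com"      # assumed domain; no bare '*', only hosts you mean to expose
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true      # answer plaintext with a 301, never serve the app over HTTP
  - hosts:
    - "*.lab.example.com"
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: lab-gateway-cert   # assumed kubernetes.io/tls Secret in istio-system, served via SDS
      minProtocolVersion: TLSV1_2
  - hosts:
    - "*"                      # TCP carries no host header; '*' matches the VirtualService below
    port:
      name: tcp-mysql
      number: 3306
      protocol: TCP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mysql
  namespace: default
spec:
  hosts:
  - "*"
  gateways:
  - istio-system/default-gateway
  tcp:
  - match:
    - port: 3306               # the Gateway server port, not the backend port
    route:
    - destination:
        host: mysql.default.svc.cluster.local   # assumed MySQL Service
        port:
          number: 3306
```

Because a TCP server has no host header, the gateway cannot authenticate MySQL clients: whatever reaches NodePort 30306 is handed straight to the database. Restrict the source addresses (for example with loadBalancerSourceRanges on the ingress Service, or an Istio AuthorizationPolicy selecting the gateway workload) rather than exposing the port as-is.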
kubectl -n istio-system port-forward istio-ingressgateway-xxxx-yyyy 15000

Debugging Ingress Gateway

kubectl -n istio-system port-forward $(kubectl -n istio-system get pods -l istio=ingressgateway -o=jsonpath="{.items[0].metadata.name}") 15000
curl --silent http://localhost:15000/config_dump | jq '.configs[] | select(."@type" | contains("RoutesConfigDump")) | .dynamic_route_configs[].route_config.virtual_hosts[]'
Figure 4: IngressGateway pod forwarded by the port
kubectl -n istio-system logs $(kubectl -n istio-system get pods -l istio=ingressgateway -o=jsonpath="{.items[0].metadata.name}") --tail=300
kubectl -n istio-system logs $(kubectl -n istio-system get pods -l istio=pilot -o=jsonpath="{.items[0].metadata.name}") discovery --tail=300
  • Visit http://localhost:15000/listeners to view the Envoy listeners.
  • Visit http://localhost:15000/logging to view the active log levels (a POST to /logging?level=debug raises them).
  • Find the other admin endpoints listed at the root, http://localhost:15000/.
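The jq one-liner above depends on the routes section sitting at a fixed position in configs[], which shifts between Envoy versions. The following is an added example (not from the original post and not part of Istio) that reads the same config_dump, picks sections by their "@type" instead, lists every virtual host's domains and route targets, and flags listeners that still accept plaintext. The embedded dump is a constructed, cut-down sample, and its listener ports 8080/8443 are an assumption about the gateway container; point the script at a real dump saved from http://localhost:15000/config_dump.

```python
"""Summarize an Istio ingress gateway's Envoy config_dump.

Added example, not code from the original post or from Istio. Sections of
the dump are selected by their "@type" suffix rather than by position in
configs[], because that position differs between Envoy versions.
"""
import json
import sys
from typing import Dict, List, Tuple

# Constructed, cut-down sample of what :15000/config_dump returns. The listener
# ports are the gateway container's ports (8080/8443 here, an assumption), which
# need not equal the Service ports 80/443.
SAMPLE_CONFIG_DUMP = json.dumps({
    "configs": [
        {"@type": "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump"},
        {"@type": "type.googleapis.com/envoy.admin.v3.ClustersConfigDump"},
        {"@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
         "dynamic_listeners": [
             {"name": "0.0.0.0_8080", "active_state": {"listener": {
                 "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8080}},
                 "filter_chains": [{"filters": [{"name": "envoy.filters.network.http_connection_manager"}]}]}}},
             {"name": "0.0.0.0_8443", "active_state": {"listener": {
                 "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8443}},
                 "filter_chains": [{"transport_socket": {"name": "envoy.transport_sockets.tls"},
                                    "filters": [{"name": "envoy.filters.network.http_connection_manager"}]}]}}}]},
        {"@type": "type.googleapis.com/envoy.admin.v3.RoutesConfigDump",
         "dynamic_route_configs": [{"route_config": {"name": "http.8080", "virtual_hosts": [
             {"name": "counter.lab.example.com:80",
              "domains": ["counter.lab.example.com", "counter.lab.example.com:80"],
              "routes": [{"match": {"prefix": "/"},
                          "route": {"cluster": "outbound|80||counter.default.svc.cluster.local"}}]},
             {"name": "blackhole:80", "domains": ["*"],
              "routes": [{"match": {"prefix": "/"}, "direct_response": {"status": 404}}]}]}}]},
    ]
})


def _section(dump: Dict, kind: str) -> Dict:
    """Return the configs[] entry whose @type ends with `kind` (empty dict if absent)."""
    for cfg in dump.get("configs", []):
        if cfg.get("@type", "").endswith(kind):
            return cfg
    return {}


def gateway_routes(dump_json: str) -> List[Tuple[str, str, str, str]]:
    """List (route_config, domain, match, target) for every route the gateway serves."""
    dump = json.loads(dump_json)
    rows = []
    for rc in _section(dump, "RoutesConfigDump").get("dynamic_route_configs", []):
        route_config = rc.get("route_config", {})
        for vhost in route_config.get("virtual_hosts", []):
            for route in vhost.get("routes", []):
                match = route.get("match", {})
                pattern = (match.get("prefix") or match.get("path")
                           or match.get("safe_regex", {}).get("regex", "?"))
                if "route" in route:                # forwarded to an upstream cluster
                    target = route["route"].get("cluster", "?")
                elif "direct_response" in route:    # answered by Envoy itself (Istio's 404 blackhole)
                    target = "direct_response %s" % route["direct_response"].get("status")
                elif "redirect" in route:           # e.g. httpsRedirect on the Gateway
                    target = "redirect"
                else:
                    target = "?"
                for domain in vhost.get("domains", []):
                    rows.append((route_config.get("name", ""), domain, pattern, target))
    return rows


def plaintext_listeners(dump_json: str) -> List[int]:
    """Ports with at least one filter chain that has no TLS on it.

    Checks the v3 `transport_socket` field and the older v2 `tls_context`.
    """
    dump = json.loads(dump_json)
    ports = []
    for dl in _section(dump, "ListenersConfigDump").get("dynamic_listeners", []):
        listener = dl.get("active_state", {}).get("listener", {})
        port = listener.get("address", {}).get("socket_address", {}).get("port_value")
        chains = listener.get("filter_chains", [])
        if port is not None and any(
                "transport_socket" not in fc and "tls_context" not in fc for fc in chains):
            ports.append(port)
    return sorted(ports)


if __name__ == "__main__":
    # Usage: python3 gw_dump.py [config_dump.json]; with no file the sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG_DUMP
    for row in gateway_routes(data):
        print("%-12s %-32s %-8s -> %s" % row)
    print("plaintext listeners:", plaintext_listeners(data))
```

A wildcard domain whose only route is the 404 direct_response is Istio's default catch-all and is harmless; a wildcard domain that forwards to a real cluster, or a port that shows up in plaintext_listeners without a redirect route, is what to look for when reviewing a gateway.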

About the Author

Q&A About Istio

  • Logs: provides access logs and analysis reports for every sidecar proxy and ingress gateway.
  • Tracing: integrates Tracing Analysis from Alibaba Cloud and gives developers trace restoration, request counting, trace topology and application dependency analysis.
  • Monitoring: integrates ARMS Prometheus and Grafana dashboards; the related documentation will be available soon.

Alibaba Cloud