Traffic Management

Istio’s traffic routing rules let you easily control the flowof traffic and API calls between services. Istio simplifies configuration ofservice-level properties like circuit breakers, timeouts, and retries, and makesit easy to set up important tasks like A/B testing, canary rollouts, and stagedrollouts with percentage-based traffic splits. It also provides out-of-boxfailure recovery features that help make your applicationmore robust against failures of dependent services or the network.

Istio’s traffic management model relies on the Envoyproxies that are deployed along with your services. All traffic that your meshservices send and receive (data plane traffic) is proxied through Envoy, makingit easy to direct and control traffic around your mesh without making anychanges to your services.

If you’re interested in the details of how the features described in this guidework, you can find out more about Istio’s traffic management implementation in thearchitecture overview. The rest ofthis guide introduces Istio’s traffic management features.

Introducing Istio Traffic Management

In order to direct traffic within your mesh, Istio needs to know where all yourendpoints are, and which services they belong to. To populate its own service registry, Istio connects to a servicediscovery system. For example, if you’ve installed Istio on a Kubernetes cluster,then Istio automatically detects the services and endpoints in that cluster.

Using this service registry, the Envoy proxies can then direct traffic to therelevant services. Most microservice-based applications have multiple instancesof each service workload to handle service traffic, sometimes referred to as aload balancing pool. By default, the Envoy proxies distribute traffic acrosseach service’s load balancing pool using a round-robin model, where requests aresent to each pool member in turn, returning to the top of the pool once eachservice instance has received a request.

While Istio’s basic service discovery and load balancing gives you a workingservice mesh, it’s far from all that Istio can do. In many cases you might wantmore fine-grained control over what happens to your mesh traffic.You might want to direct a particular percentage of traffic to a new version ofa service as part of A/B testing, or apply a different load balancing policy totraffic for a particular subset of service instances. You might also want toapply special rules to traffic coming into or out of your mesh, or add anexternal dependency of your mesh to the service registry. You can do all thisand more by adding your own traffic configuration to Istio using Istio’s trafficmanagement API.

Like other Istio configuration, the API is specified using Kubernetes customresource definitions (CRDs), which you can configureusing YAML, as you’ll see in the examples.

The rest of this guide examines each of the traffic management API resourcesand what you can do with them. These resources are:

This guide also gives an overview of some of thenetwork resilience and testing features thatare built in to the API resources.

Virtual services

Virtual services,along with destination rules, are the key building blocks of Istio’s trafficrouting functionality. A virtual service lets you configure how requests arerouted to a service within an Istio service mesh, building on the basicconnectivity and discovery provided by Istio and your platform. Each virtualservice consists of a set of routing rules that are evaluated in order, lettingIstio match each given request to the virtual service to a specific realdestination within the mesh. Your mesh can require multiple virtual services ornone depending on your use case.

Why use virtual services?

Virtual services play a key role in making Istio’s traffic management flexibleand powerful. They do this by strongly decoupling where clients send theirrequests from the destination workloads that actually implement them. Virtualservices also provide a rich way of specifying different traffic routing rulesfor sending traffic to those workloads.

Why is this so useful? Without virtual services, Envoy distributestraffic using round-robin load balancing between all service instances, asdescribed in the introduction. You can improve this behavior with what you knowabout the workloads. For example, some might represent a different version. Thiscan be useful in A/B testing, where you might want to configure traffic routesbased on percentages across different service versions, or to directtraffic from your internal users to a particular set of instances.

With a virtual service, you can specify traffic behavior for one or more hostnames.You use routing rules in the virtual service that tell Envoy how to send thevirtual service’s traffic to appropriate destinations. Route destinations canbe versions of the same service or entirely different services.

A typical use case is to send traffic to different versions of a service,specified as service subsets. Clients send requests to the virtual service host as ifit was a single entity, and Envoy then routes the traffic to the differentversions depending on the virtual service rules: for example, “20% of calls go tothe new version” or “calls from these users go to version 2”. This allows you to,for instance, create a canary rollout where you gradually increase thepercentage of traffic that’s sent to a new service version. The traffic routingis completely separate from the instance deployment, meaning that the number ofinstances implementing the new service version can scale up and down based ontraffic load without referring to traffic routing at all. By contrast, containerorchestration platforms like Kubernetes only support traffic distribution basedon instance scaling, which quickly becomes complex. You can read more about howvirtual services help with canary deployments in Canary Deployments using Istio.

Virtual services also let you:

  • Address multiple application services through a single virtual service. Ifyour mesh uses Kubernetes, for example, you can configure a virtual serviceto handle all services in a specific namespace. Mapping a singlevirtual service to multiple “real” services is particularly useful infacilitating turning a monolithic application into a composite service builtout of distinct microservices without requiring the consumers of the serviceto adapt to the transition. Your routing rules can specify “calls to these URIs ofmonolith.com go to microservice A”, and so on. You can see how this worksin one of our examples below.
  • Configure traffic rules in combination withgateways to control ingressand egress traffic.

In some cases you also need to configure destination rules to use thesefeatures, as these are where you specify your service subsets. Specifyingservice subsets and other destination-specific policies in a separate objectlets you reuse these cleanly between virtual services. You can find out moreabout destination rules in the next section.

Virtual service example

The following virtual service routesrequests to different versions of a service depending on whether the requestcomes from a particular user.

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: VirtualService
  3. metadata:
  4.   name: reviews
  5. spec:
  6.   hosts:
  7.   - reviews
  8.   http:
  9.   - match:
  10.     - headers:
  11.         end-user:
  12.           exact: jason
  13.     route:
  14.     - destination:
  15.         host: reviews
  16.         subset: v2
  17.   - route:
  18.     - destination:
  19.         host: reviews
  20.         subset: v3

The hosts field

The hosts field lists the virtual service’s hosts - in other words, the user-addressabledestination or destinations that these routing rules apply to. This is theaddress or addresses the client uses when sending requests to the service.

  1. hosts:
  2. - reviews

The virtual service hostname can be an IP address, a DNS name, or, depending onthe platform, a short name (such as a Kubernetes service short name) that resolves,implicitly or explicitly, to a fully qualified domain name (FQDN). You can alsouse wildcard (”*”) prefixes, letting you create a single set of routing rules forall matching services. Virtual service hosts don’t actually have to be part of theIstio service registry, they are simply virtual destinations. This lets you modeltraffic for virtual hosts that don’t have routable entries inside the mesh.

Routing rules

The http section contains the virtual service’s routing rules, describingmatch conditions and actions for routing HTTP/1.1, HTTP2, and gRPC traffic sentto the destination(s) specified in the hosts field (you can also use tcp andtls sections to configure routing rules forTCP andunterminatedTLStraffic). A routing rule consists of the destination where you want the trafficto go and zero or more match conditions, depending on your use case.

Match condition

The first routing rule in the example has a condition and so begins with thematch field. In this case you want this routing to apply to all requests fromthe user “jason”, so you use the headers, end-user, and exact fields to selectthe appropriate requests.

  1. - match:
  2.    - headers:
  3.        end-user:
  4.          exact: jason
Destination

The route section’s destination field specifies the actual destination fortraffic that matches this condition. Unlike the virtual service’s host(s), thedestination’s host must be a real destination that exists in Istio’s serviceregistry or Envoy won’t know where to send traffic to it. This can be a meshservice with proxies or a non-mesh service added using a service entry. In thiscase we’re running on Kubernetes and the host name is a Kubernetes service name:

  1. route:
  2. - destination:
  3.     host: reviews
  4.     subset: v2

Note in this and the other examples on this page, we use a Kubernetes short name for thedestination hosts for simplicity. When this rule is evaluated, Istio adds a domain suffix basedon the namespace of the virtual service that contains the routing rule to getthe fully qualified name for the host. Using short names in our examplesalso means that you can copy and try them in any namespace you like.

Using short names like this only works if thedestination hosts and the virtual service are actually in the same Kubernetesnamespace. Because using the Kubernetes short name can result inmisconfigurations, we recommend that you specify fully qualified host names inproduction environments.

The destination section also specifies which subset of this Kubernetes serviceyou want requests that match this rule’s conditions to go to, in this case thesubset named v2. You’ll see how you define a service subset in the section ondestination rules below.

Routing rule precedence

Routing rules are evaluated in sequential order from top to bottom, with thefirst rule in the virtual service definition being given highest priority. Inthis case you want anything that doesn’t match the first routing rule to go to adefault destination, specified in the second rule. Because of this, the secondrule has no match conditions and just directs traffic to the v3 subset.

  1. - route:
  2.   - destination:
  3.       host: reviews
  4.       subset: v3

We recommend providing a default “no condition” or weight-based rule (describedbelow) like this as the last rule in each virtual service to ensure that trafficto the virtual service always has at least one matching route.

More about routing rules

As you saw above, routing rules are a powerful tool for routing particularsubsets of traffic to particular destinations. You can set match conditions ontraffic ports, header fields, URIs, and more. For example, this virtual servicelets users send traffic to two separate services, ratings and reviews, as ifthey were part of a bigger virtual service at http://bookinfo.com/. Thevirtual service rules match traffic based on request URIs and direct requests tothe appropriate service.

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: VirtualService
  3. metadata:
  4.   name: bookinfo
  5. spec:
  6.   hosts:
  7.     - bookinfo.com
  8.   http:
  9.   - match:
  10.     - uri:
  11.         prefix: /reviews
  12.     route:
  13.     - destination:
  14.         host: reviews
  15.   - match:
  16.     - uri:
  17.         prefix: /ratings
  18.     route:
  19.     - destination:
  20.         host: ratings
  21. ...
  23.   http:
  24.   - match:
  25.       sourceLabels:
  26.         app: reviews
  27.     route:
  28. ...

For some match conditions, you can also choose to select them using the exactvalue, a prefix, or a regex.

You can add multiple match conditions to the same match block to AND yourconditions, or add multiple match blocks to the same rule to OR your conditions.You can also have multiple routing rules for any given virtual service. Thislets you make your routing conditions as complex or simple as you like within asingle virtual service. A full list of match condition fields and their possiblevalues can be found in theHTTPMatchRequest reference.

In addition to using match conditions, you can distribute trafficby percentage “weight”. This is useful for A/B testing and canary rollouts:

  1. spec:
  2.   hosts:
  3.   - reviews
  4.   http:
  5.   - route:
  6.     - destination:
  7.         host: reviews
  8.         subset: v1
  9.       weight: 75
  10.     - destination:
  11.         host: reviews
  12.         subset: v2
  13.       weight: 25

You can also use routing rules to perform some actions on the traffic, forexample:

  • Append or remove headers.
  • Rewrite the URL.
  • Set a retry policy for calls to this destination. To learn more about the actions available, see theHTTPRoute reference.

Destination rules

Along with virtual services,destination rulesare a key part of Istio’s traffic routing functionality. You can think ofvirtual services as how you route your traffic to a given destination, andthen you use destination rules to configure what happens to traffic for thatdestination. Destination rules are applied after virtual service routing rulesare evaluated, so they apply to the traffic’s “real” destination.

In particular, you use destination rules to specify named service subsets, suchas grouping all a given service’s instances by version. You can then use theseservice subsets in the routing rules of virtual services to control thetraffic to different instances of your services.

Destination rules also let you customize Envoy’s traffic policies when callingthe entire destination service or a particular service subset, such as yourpreferred load balancing model, TLS security mode, or circuit breaker settings.You can see a complete list of destination rule options in theDestination Rule reference.

Load balancing options

By default, Istio uses a round-robin load balancing policy, where each serviceinstance in the instance pool gets a request in turn. Istio also supports thefollowing models, which you can specify in destination rules for requests to aparticular service or service subset.

  • Random: Requests are forwarded at random to instances in the pool.
  • Weighted: Requests are forwarded to instances in the pool according to aspecific percentage.
  • Least requests: Requests are forwarded to instances with the least number ofrequests. See theEnvoy load balancing documentationfor more information about each option.

Destination rule example

The following example destination rule configures three different subsets forthe my-svc destination service, with different load balancing policies:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: DestinationRule
  3. metadata:
  4.   name: my-destination-rule
  5. spec:
  6.   host: my-svc
  7.   trafficPolicy:
  8.     loadBalancer:
  9.       simple: RANDOM
  10.   subsets:
  11.   - name: v1
  12.     labels:
  13.       version: v1
  14.   - name: v2
  15.     labels:
  16.       version: v2
  17.     trafficPolicy:
  18.       loadBalancer:
  19.         simple: ROUND_ROBIN
  20.   - name: v3
  21.     labels:
  22.       version: v3

Each subset is defined based on one or more labels, which in Kubernetes arekey/value pairs that are attached to objects such as Pods. These labels areapplied in the Kubernetes service’s deployment as metadata to identifydifferent versions.

As well as defining subsets, this destination rule has both a default trafficpolicy for all subsets in this destination and a subset-specific policy thatoverrides it for just that subset. The default policy, defined above the subsetsfield, sets a simple random load balancer for the v1 and v3 subsets. In thev2 policy, a round-robin load balancer is specified in the correspondingsubset’s field.

Gateways

You use a gateway tomanage inbound and outbound traffic for your mesh, letting you specify whichtraffic you want to enter or leave the mesh. Gateway configurations are appliedto standalone Envoy proxies that are running at the edge of the mesh, ratherthan sidecar Envoy proxies running alongside your service workloads.

Unlike other mechanisms for controlling traffic entering your systems, such asthe Kubernetes Ingress APIs, Istio gateways let you use the full power andflexibility of Istio’s traffic routing. You can do this because Istio’s Gatewayresource just lets you configure layer 4-6 load balancing properties such asports to expose, TLS settings, and so on. Then instead of addingapplication-layer traffic routing (L7) to the same API resource, you bind aregular Istio virtual service to the gateway. This lets youbasically manage gateway traffic like any other data plane traffic in an Istiomesh.

Gateways are primarily used to manage ingress traffic, but you can alsoconfigure egress gateways. An egress gateway lets you configure a dedicated exitnode for the traffic leaving the mesh, letting you limit which services can orshould access external networks, or to enablesecure control of egress trafficto add security to your mesh, for example. You can also use a gateway toconfigure a purely internal proxy.

Istio provides some preconfigured gateway proxy deployments(istio-ingressgateway and istio-egressgateway) that you can use - both aredeployed if you use our demo installation,while just the ingress gateway is deployed with ourdefault or sds profiles. Youcan apply your own gateway configurations to these deployments or deploy andconfigure your own gateway proxies.

Gateway example

The following example shows a possible gateway configuration for external HTTPSingress traffic:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: Gateway
  3. metadata:
  4.   name: ext-host-gwy
  5. spec:
  6.   selector:
  7.     app: my-gateway-controller
  8.   servers:
  9.   - port:
  10.       number: 443
  11.       name: https
  12.       protocol: HTTPS
  13.     hosts:
  14.     - ext-host.example.com
  15.     tls:
  16.       mode: SIMPLE
  17.       serverCertificate: /tmp/tls.crt
  18.       privateKey: /tmp/tls.key

This gateway configuration lets HTTPS traffic from ext-host.example.com into the mesh onport 443, but doesn’t specify any routing for the traffic.

To specify routing and for the gateway to work as intended, you must also bindthe gateway to a virtual service. You do this using the virtual service’sgateways field, as shown in the following example:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: VirtualService
  3. metadata:
  4.   name: virtual-svc
  5. spec:
  6.   hosts:
  7.   - ext-host.example.com
  8.   gateways:
  9.     - ext-host-gwy

You can then configure the virtual service with routing rules for the externaltraffic.

Service entries

You use aservice entry to addan entry to the service registry that Istio maintains internally. After you addthe service entry, the Envoy proxies can send traffic to the service as if itwas a service in your mesh. Configuring service entries allows you to managetraffic for services running outside of the mesh, including the following tasks:

  • Redirect and forward traffic for external destinations, such as APIsconsumed from the web, or traffic to services in legacy infrastructure.
  • Define retry, timeout, andfault injection policies for external destinations.
  • Add a service running in a Virtual Machine (VM) to the mesh toexpand your mesh.
  • Logically add services from a different cluster to the mesh to configure amulticluster Istio meshon Kubernetes. You don’t need to add a service entry for every external service that you wantyour mesh services to use. By default, Istio configures the Envoy proxies topassthrough requests to unknown services. However, you can’t use Istio featuresto control the traffic to destinations that aren’t registered in the mesh.

Service entry example

The following example mesh-external service entry adds the ext-resourceexternal dependency to Istio’s service registry:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: ServiceEntry
  3. metadata:
  4.   name: svc-entry
  5. spec:
  6.   hosts:
  7.   - ext-svc.example.com
  8.   ports:
  9.   - number: 443
  10.     name: https
  11.     protocol: HTTPS
  12.   location: MESH_EXTERNAL
  13.   resolution: DNS

You specify the external resource using the hosts field. You can qualify itfully or use a wildcard prefixed domain name.

You can configure virtual services and destination rules to control traffic to aservice entry in a more granular way, in the same way you configure traffic forany other service in the mesh. For example, the following destination ruleconfigures the traffic route to use mutual TLS to secure the connection to theext-svc.example.com external service that we configured using the service entry:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: DestinationRule
  3. metadata:
  4.   name: ext-res-dr
  5. spec:
  6.   host: ext-svc.example.com
  7.   trafficPolicy:
  8.     tls:
  9.       mode: MUTUAL
  10.       clientCertificate: /etc/certs/myclientcert.pem
  11.       privateKey: /etc/certs/client_private_key.pem
  12.       caCertificates: /etc/certs/rootcacerts.pem

See theService Entry referencefor more possible configuration options.

Sidecars

By default, Istio configures every Envoy proxy to accept traffic on all theports of its associated workload, and to reach every workload in the mesh whenforwarding traffic. You can use a sidecar configuration to do the following:

  • Fine-tune the set of ports and protocols that an Envoy proxy accepts.
  • Limit the set of services that the Envoy proxy can reach. You might want to limit sidecar reachability like this in larger applications,where having every proxy configured to reach every other service in the mesh canpotentially affect mesh performance due to high memory usage.

You can specify that you want a sidecar configuration to apply to all workloadsin a particular namespace, or choose specific workloads using aworkloadSelector. For example, the following sidecar configuration configuresall services in the bookinfo namespace to only reach services running in thesame namespace and the Istio control plane (currently needed to use Istio’spolicy and telemetry features):

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: Sidecar
  3. metadata:
  4.   name: default
  5.   namespace: bookinfo
  6. spec:
  7.   egress:
  8.   - hosts:
  9.     - "./*"
  10.     - "istio-system/*"

See the Sidecar referencefor more details.

Network resilience and testing

As well as helping you direct traffic around your mesh, Istio provides opt-infailure recovery and fault injection features that you can configure dynamicallyat runtime. Using these features helps your applications operate reliably,ensuring that the service mesh can tolerate failing nodes and preventinglocalized failures from cascading to other nodes.

Timeouts

A timeout is the amount of time that an Envoy proxy should wait for replies froma given service, ensuring that services don’t hang around waiting for repliesindefinitely and that calls succeed or fail within a predictable timeframe. Thedefault timeout for HTTP requests is 15 seconds, which means that if the servicedoesn’t respond within 15 seconds, the call fails.

For some applications and services, Istio’s default timeout might not beappropriate. For example, a timeout that is too long could result in excessivelatency from waiting for replies from failing services, while a timeout that istoo short could result in calls failing unnecessarily while waiting for anoperation involving multiple services to return. To find and use your optimal timeoutsettings, Istio lets you easily adjust timeouts dynamically on a per-servicebasis using virtual services without having to edit yourservice code. Here’s a virtual service that specifies a 10 second timeout forcalls to the v1 subset of the ratings service:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: VirtualService
  3. metadata:
  4.   name: ratings
  5. spec:
  6.   hosts:
  7.   - ratings
  8.   http:
  9.   - route:
  10.     - destination:
  11.         host: ratings
  12.         subset: v1
  13.     timeout: 10s

Retries

A retry setting specifies the maximum number of times an Envoy proxy attempts toconnect to a service if the initial call fails. Retries can enhance serviceavailability and application performance by making sure that calls don’t failpermanently because of transient problems such as a temporarily overloadedservice or network. The interval between retries (25ms+) is variable anddetermined automatically by Istio, preventing the called service from beingoverwhelmed with requests. By default, the Envoy proxy doesn’t attempt toreconnect to services after a first failure.

Like timeouts, Istio’s default retry behavior might not suit your applicationneeds in terms of latency (too many retries to a failed service can slow thingsdown) or availability. Also like timeouts, you can adjust your retry settings ona per-service basis in virtual services without having totouch your service code. You can also further refine your retry behavior byadding per-retry timeouts, specifying the amount of time you want to wait foreach retry attempt to successfully connect to the service. The following exampleconfigures a maximum of 3 retries to connect to this service subset after aninitial call failure, each with a 2 second timeout.

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: VirtualService
  3. metadata:
  4.   name: ratings
  5. spec:
  6.   hosts:
  7.   - ratings
  8.   http:
  9.   - route:
  10.     - destination:
  11.         host: ratings
  12.         subset: v1
  13.     retries:
  14.       attempts: 3
  15.       perTryTimeout: 2s

Circuit breakers

Circuit breakers are another useful mechanism Istio provides for creatingresilient microservice-based applications. In a circuit breaker, you set limitsfor calls to individual hosts within a service, such as the number of concurrentconnections or how many times calls to this host have failed. Once that limithas been reached the circuit breaker “trips” and stops further connections tothat host. Using a circuit breaker pattern enables fast failure rather thanclients trying to connect to an overloaded or failing host.

As circuit breaking applies to “real” mesh destinations in a load balancingpool, you configure circuit breaker thresholds indestination rules, with the settings applying to eachindividual host in the service. The following example limits the number ofconcurrent connections for the reviews service workloads of the v1 subset to100:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: DestinationRule
  3. metadata:
  4.   name: reviews
  5. spec:
  6.   host: reviews
  7.   subsets:
  8.   - name: v1
  9.     labels:
  10.       version: v1
  11.     trafficPolicy:
  12.       connectionPool:
  13.         tcp:
  14.           maxConnections: 100

You can find out more about creating circuit breakers inCircuit Breaking.

Fault injection

After you’ve configured your network, including failure recovery policies, youcan use Istio’s fault injection mechanisms to test the failure recovery capacityof your application as a whole. Fault injection is a testing method thatintroduces errors into a system to ensure that it can withstand and recover fromerror conditions. Using fault injection can be particularly useful to ensurethat your failure recovery policies aren’t incompatible or too restrictive,potentially resulting in critical services being unavailable.

Unlike other mechanisms for introducing errors such as delaying packets orkilling pods at the network layer, Istio’ lets you inject faults at theapplication layer. This lets you inject more relevant failures, such as HTTPerror codes, to get more relevant results.

You can inject two types of faults, both configured using avirtual service:

  • Delays: Delays are timing failures. They mimic increased network latency oran overloaded upstream service.
  • Aborts: Aborts are crash failures. They mimic failures in upstream services.Aborts usually manifest in the form of HTTP error codes or TCP connectionfailures. For example, this virtual service introduces a 5 second delay for 1 out of every 1000requests to the ratings service.
  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: VirtualService
  3. metadata:
  4.   name: ratings
  5. spec:
  6.   hosts:
  7.   - ratings
  8.   http:
  9.   - fault:
  10.       delay:
  11.         percentage:
  12.           value: 0.1
  13.         fixedDelay: 5s
  14.     route:
  15.     - destination:
  16.         host: ratings
  17.         subset: v1

For detailed instructions on how to configure delays and aborts, seeFault Injection.

Working with your applications

Istio failure recovery features are completely transparent to theapplication. Applications don’t know if an Envoy sidecar proxy is handlingfailures for a called service before returning a response. This means thatif you are also setting failure recovery policies in your application codeyou need to keep in mind that both work independently, and therefore mightconflict. For example, suppose you can have two timeouts, one configured ina virtual service and another in the application. The application sets a 2second timeout for an API call to a service. However, you configured a 3second timeout with 1 retry in your virtual service. In this case, theapplication’s timeout kicks in first, so your Envoy timeout and retryattempt has no effect.

While Istio failure recovery features improve the reliability andavailability of services in the mesh, applications must handle the failureor errors and take appropriate fallback actions. For example, when allinstances in a load balancing pool have failed, Envoy returns an HTTP 503code. The application must implement any fallback logic needed to handle theHTTP 503 error code..

相关内容

Istio as a Proxy for External Services

Configure Istio ingress gateway to act as a proxy for external services.

Multi-mesh deployments for isolation and boundary protection

Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation.

Secure Control of Egress Traffic in Istio, part 3

Comparison of alternative solutions to control egress traffic including performance considerations.

Secure Control of Egress Traffic in Istio, part 2

Use Istio Egress Traffic Control to prevent attacks involving egress traffic.

Secure Control of Egress Traffic in Istio, part 1

Attacks involving egress traffic and requirements for egress traffic control.

Version Routing in a Multicluster Service Mesh

Configuring Istio route rules in a multicluster service mesh.