istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.4/docs/examples/virtual-machines/single-network/index.html

176 lines
81 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Virtual Machines in Single-Network Meshes"><meta name=description content="Learn how to add a service running on a virtual machine to your single network Istio mesh."><meta name=keywords content=microservices,services,mesh,kubernetes,vms,virtual-machines><meta property=og:title content="Virtual Machines in Single-Network Meshes"><meta property=og:type content=website><meta property=og:description content="Learn how to add a service running on a virtual machine to your single network Istio mesh."><meta property=og:url content=/v1.4/docs/examples/virtual-machines/single-network/><meta property=og:image content=/v1.4/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.4 / Virtual Machines in Single-Network Meshes</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.4/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.4/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.4/feed.xml><link rel="shortcut icon" href=/v1.4/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.4/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.4/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.4/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.4/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.4/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.4/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.4/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.4/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.4/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.4/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.4/css/all.css><script src=/v1.4/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.4";const docTitle="Virtual Machines in Single-Network Meshes";const iconFile="\/v1.4/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.4/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.4/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.4</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#hamburger"/></svg></div><div id=header-links><a class=current title="Learn how to deploy, use, and operate Istio." href=/v1.4/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.4/blog/2020/>Blog<i class=dot data-prefix=/blog></i></a>
<a title="Timely news about the Istio project." href=/v1.4/news/>News<i class=dot data-prefix=/news></i></a>
<a title="Frequently Asked Questions about Istio." href=/v1.4/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.4/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/examples\/virtual-machines\/single-network\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/examples\/virtual-machines\/single-network\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.4/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card25 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card25-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#concepts"/></svg>Concepts</button><div class=body aria-labelledby=card25 role=region id=card25-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card25><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture, and its design goals." href=/v1.4/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.4/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.4/docs/concepts/security/>Security</a></li><li role=none><a role=treeitem title="Describes Istio's policy management functionality." href=/v1.4/docs/concepts/policies/>Policies</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.4/docs/concepts/observability/>Observability</a></li></ul></div></div><div class=card><button class="header dynamic" id=card52 title="Instructions for installing the Istio control plane on Kubernetes." aria-controls=card52-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card52 role=region id=card52-body><ul role=tree aria-expanded=true aria-labelledby=card52><li role=none><a role=treeitem title="Download, install, and learn how to evaluate and try Istios basic features quickly." href=/v1.4/docs/setup/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.4/docs/setup/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.4/docs/setup/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.4/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker Desktop for Istio." href=/v1.4/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.4/docs/setup/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.4/docs/setup/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup a Gardener cluster for Istio." href=/v1.4/docs/setup/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to setup MicroK8s for use with Istio." href=/v1.4/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="Instructions to setup minikube for Istio." href=/v1.4/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.4/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.4/docs/setup/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the guide that best suits your needs and platform." href=/v1.4/docs/setup/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Install and customize any Istio configuration profile for in-depth evaluation or production use." href=/v1.4/docs/setup/install/istioctl/>Customizable Install with Istioctl</a></li><li role=none><a role=treeitem title="Install and configure Istio for in-depth evaluation or production use." href=/v1.4/docs/setup/install/helm/>Customizable Install with Helm</a></li><li role=none><a role=treeitem title="Instructions to install Istio in a Kubernetes cluster using the Istio operator." href=/v1.4/docs/setup/install/standalone-operator/>Standalone Operator Install [Experimental]</a></li><li role=treeitem aria-label="Multicluster Installation"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.4/docs/setup/install/multicluster/>Multicluster Installation</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.4/docs/setup/install/multicluster/simplified/>Simplified Multicluster Install [Experimental]</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with replicated control plane instances." href=/v1.4/docs/setup/install/multicluster/gateways/>Replicated control planes</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with a shared control plane and VPN connectivity between clusters." href=/v1.4/docs/setup/install/multicluster/shared-vpn/>Shared control plane (single-network)</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters using a shared control plane for disconnected cluster networks." href=/v1.4/docs/setup/install/multicluster/shared-gateways/>Shared control plane (multi-network)</a></li></ul></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Choose the upgrade guide that corresponds to the approach you previously used to install Istio." href=/v1.4/docs/setup/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Upgrade or downgrade Istio using the istioctl upgrade command." href=/v1.4/docs/setup/upgrade/istioctl-upgrade/>Upgrade Istio using istioctl [Experimental]</a></li><li role=none><a role=treeitem title="Upgrade the Istio control plane, and optionally, the CNI plug-in using Helm." href=/v1.4/docs/setup/upgrade/cni-helm-upgrade/>Upgrade using Helm</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.4/docs/setup/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.4/docs/setup/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.4/docs/setup/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.4/docs/setup/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card83 title="How to do single specific targeted activities with the Istio system." aria-controls=card83-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#tasks"/></svg>Tasks</button><div class=body aria-labelledby=card83 role=region id=card83-body><ul role=tree aria-expanded=true aria-labelledby=card83><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.4/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.4/docs/tasks/traffic-management/request-routing/>Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.4/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.4/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.4/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.4/docs/tasks/traffic-management/request-timeouts/>Request Timeouts</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.4/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.4/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li role=treeitem aria-label=Ingress><button aria-hidden=true></button><a title="Controlling ingress traffic for an Istio service mesh." href=/v1.4/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure an Istio gateway to expose a service outside of the service mesh." href=/v1.4/docs/tasks/traffic-management/ingress/ingress-control/>Ingress Gateways</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using file-mounted certificates." href=/v1.4/docs/tasks/traffic-management/ingress/secure-ingress-mount/>Secure Gateways (File Mount)</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using the secret discovery service (SDS)." href=/v1.4/docs/tasks/traffic-management/ingress/secure-ingress-sds/>Secure Gateways (SDS)</a></li><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.4/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager." href=/v1.4/docs/tasks/traffic-management/ingress/ingress-certmgr/>Kubernetes Ingress with Cert-Manager</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true></button><a title="Controlling egress traffic for an Istio service mesh." href=/v1.4/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.4/docs/tasks/traffic-management/egress/egress-control/>Accessing External Services</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.4/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.4/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services." href=/v1.4/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateways with TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.4/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Egress using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Describes how to configure SNI monitoring and apply policies on TLS egress traffic." href=/v1.4/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/>Monitoring and Policies for TLS Egress</a></li><li role=none><a role=treeitem title="Shows how to configure Istio Kubernetes External Services." href=/v1.4/docs/tasks/traffic-management/egress/egress-kubernetes-services/>Kubernetes Services for Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.4/docs/tasks/traffic-management/egress/http-proxy/>Using an External HTTPS Proxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.4/docs/tasks/security/>Security</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Authentication><button aria-hidden=true></button><a title="Controlling mutual TLS and end-user authentication for mesh services." href=/v1.4/docs/tasks/security/authentication/>Authentication</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="A simplified workflow to adopt mutual TLS with minimal configuration overhead." href=/v1.4/docs/tasks/security/authentication/auto-mtls/>Automatic mutual TLS</a></li><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.4/docs/tasks/security/authentication/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows you how to verify and test Istio's automatic mutual TLS authentication." href=/v1.4/docs/tasks/security/authentication/mutual-tls/>Mutual TLS Deep-Dive</a></li><li role=none><a role=treeitem title="Shows how to enable mutual TLS on HTTPS services." href=/v1.4/docs/tasks/security/authentication/https-overlay/>Mutual TLS over HTTPS</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.4/docs/tasks/security/authentication/mtls-migration/>Mutual TLS Migration</a></li></ul></li><li role=treeitem aria-label="Citadel Configuration"><button aria-hidden=true></button><a title="Customizing the Citadel certificate authority." href=/v1.4/docs/tasks/security/citadel-config/>Citadel Configuration</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href=/v1.4/docs/tasks/security/citadel-config/plugin-ca-cert/>Plugging in External CA Key and Certificate</a></li><li role=none><a role=treeitem title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.4/docs/tasks/security/citadel-config/health-check/>Citadel Health Checking</a></li><li role=none><a role=treeitem title="Shows how to enable SDS (secret discovery service) for Istio identity provisioning." href=/v1.4/docs/tasks/security/citadel-config/auth-sds/>Provisioning Identity through SDS</a></li><li role=none><a role=treeitem title="Configure which namespaces Citadel should generate service account secrets for." href=/v1.4/docs/tasks/security/citadel-config/ca-namespace-targeting/>Configure Citadel Service Account Secret Generation</a></li></ul></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Shows how to control access to Istio services." href=/v1.4/docs/tasks/security/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how to set up role-based access control for HTTP traffic." href=/v1.4/docs/tasks/security/authorization/authz-http/>Authorization for HTTP traffic</a></li><li role=none><a role=treeitem title="Shows how to set up access control for TCP traffic." href=/v1.4/docs/tasks/security/authorization/authz-tcp/>Authorization for TCP traffic</a></li><li role=none><a role=treeitem title="Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio." href=/v1.4/docs/tasks/security/authorization/rbac-groups/>Authorization for groups and list claims</a></li><li role=none><a role=treeitem title="Shows how to migrate from one trust domain to another without changing authorization policy." href=/v1.4/docs/tasks/security/authorization/authz-td-migration/>Authorization Policy Trust Domain Migration</a></li></ul></li><li role=none><a role=treeitem title="Shows how to provision and manage DNS certificates in Istio." href=/v1.4/docs/tasks/security/dns-cert/>Istio DNS Certificate Management</a></li><li role=none><a role=treeitem title="How to manage webhooks in Istio through istioctl." href=/v1.4/docs/tasks/security/webhook/>Istio Webhook Management [Experimental]</a></li></ul></li><li role=treeitem aria-label=Policies><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.4/docs/tasks/policy-enforcement/>Policies</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to enable Istio policy enforcement." href=/v1.4/docs/tasks/policy-enforcement/enabling-policy/>Enabling Policy Enforcement</a></li><li role=none><a role=treeitem title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.4/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits</a></li><li role=none><a role=treeitem title="Shows how to modify request headers and routing using policy adapters." href=/v1.4/docs/tasks/policy-enforcement/control-headers/>Control Headers and Routing</a></li><li role=none><a role=treeitem title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.4/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.4/docs/tasks/observability/>Observability</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh metrics." href=/v1.4/docs/tasks/observability/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize metrics." href=/v1.4/docs/tasks/observability/metrics/collecting-metrics/>Collecting Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.4/docs/tasks/observability/metrics/tcp-metrics/>Collecting Metrics for TCP services</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.4/docs/tasks/observability/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.4/docs/tasks/observability/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh logs." href=/v1.4/docs/tasks/observability/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize logs." href=/v1.4/docs/tasks/observability/logs/collecting-logs/>Collecting Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access log to their standard output." href=/v1.4/docs/tasks/observability/logs/access-log/>Getting Envoy&#39;s Access Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to log to a Fluentd daemon." href=/v1.4/docs/tasks/observability/logs/fluentd/>Logging with Fluentd</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.4/docs/tasks/observability/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.4/docs/tasks/observability/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.4/docs/tasks/observability/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.4/docs/tasks/observability/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to LightStep." href=/v1.4/docs/tasks/observability/distributed-tracing/lightstep/>LightStep</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.4/docs/tasks/observability/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.4/docs/tasks/observability/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card104 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card104-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#examples"/></svg>Examples</button><div class="body default" aria-labelledby=card104 role=region id=card104-body><ul role=tree aria-expanded=true aria-labelledby=card104><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.4/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=none><a role=treeitem title="Deploys a sample application across a multicluster mesh." href=/v1.4/docs/examples/bookinfo-multicluster/>Bookinfo Application - Multicluster</a></li><li role=treeitem aria-label="Virtual Machines"><button class=show aria-hidden=true></button><a title="Examples that add workloads running on virtual machines to an Istio mesh." href=/v1.4/docs/examples/virtual-machines/>Virtual Machines</a><ul role=group aria-expanded=true class=leaf-section><li role=none><span role=treeitem class=current title="Learn how to add a service running on a virtual machine to your single network Istio mesh.">Virtual Machines in Single-Network Meshes</span></li><li role=none><a role=treeitem title="Learn how to add a service running on a virtual machine to your multi-network Istio mesh." href=/v1.4/docs/examples/virtual-machines/multi-network/>Virtual Machines in Multi-Network Meshes</a></li><li role=none><a role=treeitem title="Run the Bookinfo application with a MySQL service running on a virtual machine within your mesh." href=/v1.4/docs/examples/virtual-machines/bookinfo/>Bookinfo with a Virtual Machine</a></li></ul></li><li role=treeitem aria-label="Learn Microservices using Kubernetes and Istio"><button aria-hidden=true></button><a title="This modular tutorial provides new users with hands-on experience using Istio for common microservices scenarios, one step at a time." href=/v1.4/docs/examples/microservices-istio/>Learn Microservices using Kubernetes and Istio</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.4/docs/examples/microservices-istio/prereq/>Prerequisites</a></li><li role=none><a role=treeitem href=/v1.4/docs/examples/microservices-istio/setup-kubernetes-cluster/>Setup a Kubernetes Cluster</a></li><li role=none><a role=treeitem href=/v1.4/docs/examples/microservices-istio/setup-local-computer/>Setup a Local Computer</a></li><li role=none><a role=treeitem href=/v1.4/docs/examples/microservices-istio/single/>Run a Microservice Locally</a></li></ul></li><li role=treeitem aria-label="Platform-specific Examples (Deprecated)"><button aria-hidden=true></button><a title="Examples for specific platform installations of Istio." href=/v1.4/docs/examples/platform/>Platform-specific Examples (Deprecated)</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href=/v1.4/docs/examples/platform/endpoints/>Install Istio for Google Cloud Endpoints Services</a></li><li role=none><a role=treeitem title="Set up a multicluster mesh over two GKE clusters." href=/v1.4/docs/examples/platform/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Example multicluster mesh over two IBM Cloud Private clusters." href=/v1.4/docs/examples/platform/icp/>IBM Cloud Private</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card125 title="Concepts, tools, and techniques to deploy and manage an Istio mesh." aria-controls=card125-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#guide"/></svg>Operations</button><div class=body aria-labelledby=card125 role=region id=card125-body><ul role=tree aria-expanded=true aria-labelledby=card125><li role=treeitem aria-label=Deployment><button aria-hidden=true></button><a title="Requirements, concepts, and considerations for setting up an Istio deployment." href=/v1.4/docs/ops/deployment/>Deployment</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes Istio's high-level architecture and design goals." href=/v1.4/docs/ops/deployment/architecture/>Architecture</a></li><li role=none><a role=treeitem title="Describes the options and considerations when configuring your Istio deployment." href=/v1.4/docs/ops/deployment/deployment-models/>Deployment Models</a></li><li role=none><a role=treeitem title="Istio performance and scalability summary." href=/v1.4/docs/ops/deployment/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Prepare your Kubernetes pods and services to run in an Istio-enabled cluster." href=/v1.4/docs/ops/deployment/requirements/>Pods and Services</a></li></ul></li><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Advanced concepts and features for configuring a running Istio mesh." href=/v1.4/docs/ops/configuration/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Mesh Configuration"><button aria-hidden=true></button><a title="Helps you manage the global mesh configuration." href=/v1.4/docs/ops/configuration/mesh/>Mesh Configuration</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.4/docs/ops/configuration/mesh/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.4/docs/ops/configuration/mesh/injection-concepts/>Automatic Sidecar Injection</a></li><li role=none><a role=treeitem title="Describes how Citadel determines whether to create service account secrets." href=/v1.4/docs/ops/configuration/mesh/secret-creation/>Service Account Secret Creation</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for server-side configuration validation." href=/v1.4/docs/ops/configuration/mesh/validation/>Configuration Validation Webhook</a></li><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.4/docs/ops/configuration/mesh/app-health-check/>Health Checking of Istio Services</a></li></ul></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.4/docs/ops/configuration/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Information on how to specify protocols." href=/v1.4/docs/ops/configuration/traffic-management/protocol-selection/>Protocol Selection</a></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.4/docs/ops/configuration/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.4/docs/ops/configuration/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Use hardened container images to reduce Istio's attack surface." href=/v1.4/docs/ops/configuration/security/harden-docker-images/>Harden Docker Container Images</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.4/docs/ops/configuration/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.4/docs/ops/configuration/telemetry/>Observability</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.4/docs/ops/configuration/telemetry/envoy-stats/>Envoy Statistics</a></li><li role=none><a role=treeitem title="How to enable in-proxy generation of HTTP service-level metrics." href=/v1.4/docs/ops/configuration/telemetry/in-proxy-service-telemetry/>Generate Istio Metrics Without Mixer [Alpha]</a></li></ul></li></ul></li><li role=treeitem aria-label="Best Practices"><button aria-hidden=true></button><a title="Best practices for setting up and managing an Istio service mesh." href=/v1.4/docs/ops/best-practices/>Best Practices</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="General best practices when setting up an Istio service mesh." href=/v1.4/docs/ops/best-practices/deployment/>Deployment Best Practices</a></li><li role=none><a role=treeitem title="Configuration best practices to avoid networking or traffic management issues." href=/v1.4/docs/ops/best-practices/traffic-management/>Traffic Management Best Practices</a></li><li role=none><a role=treeitem title="Best practices for securing applications using Istio." href=/v1.4/docs/ops/best-practices/security/>Security Best Practices</a></li></ul></li><li role=treeitem aria-label="Common Problems"><button aria-hidden=true></button><a title="Describes how to identify and resolve common problems in Istio." href=/v1.4/docs/ops/common-problems/>Common Problems</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Techniques to address common Istio traffic management and network problems." href=/v1.4/docs/ops/common-problems/network-issues/>Traffic Management Problems</a></li><li role=none><a role=treeitem title="Techniques to address common Istio authentication, authorization, and general security-related problems." href=/v1.4/docs/ops/common-problems/security-issues/>Security Problems</a></li><li role=none><a role=treeitem title="Dealing with telemetry collection issues." href=/v1.4/docs/ops/common-problems/observability-issues/>Observability Problems</a></li><li role=none><a role=treeitem title="Resolve common problems with Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.4/docs/ops/common-problems/injection/>Sidecar Injection Problems</a></li><li role=none><a role=treeitem title="Describes how to resolve Galley configuration problems." href=/v1.4/docs/ops/common-problems/validation/>Galley Configuration Problems</a></li></ul></li><li role=treeitem aria-label="Diagnostic Tools"><button aria-hidden=true></button><a title="Tools and techniques to help troubleshoot an Istio mesh." href=/v1.4/docs/ops/diagnostic-tools/>Diagnostic Tools</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio includes a supplemental tool that provides debugging and diagnosis for Istio service mesh deployments." href=/v1.4/docs/ops/diagnostic-tools/istioctl/>Using the Istioctl Command-line Tool</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.4/docs/ops/diagnostic-tools/proxy-cmd/>Debugging Envoy and Pilot</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl describe to verify the configurations of a pod in your mesh." href=/v1.4/docs/ops/diagnostic-tools/istioctl-describe/>Understand your Mesh with Istioctl Describe</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl analyze to identify potential issues with your configuration." href=/v1.4/docs/ops/diagnostic-tools/istioctl-analyze/>Diagnose your Configuration with Istioctl Analyze</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into individual running components." href=/v1.4/docs/ops/diagnostic-tools/controlz/>Component Introspection</a></li><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.4/docs/ops/diagnostic-tools/component-logging/>Component Logging</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card160 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card160-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#reference"/></svg>Reference</button><div class=body aria-labelledby=card160 role=region id=card160-body><ul role=tree aria-expanded=true aria-labelledby=card160><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.4/docs/reference/config/>Configuration</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Configuration options for Istio control plane installation using istioctl." href=/v1.4/docs/reference/config/istio.operator.v1alpha12.pb/>Installation Options (istioctl)</a></li><li role=none><a role=treeitem title="Describes the options available when installing Istio using Helm charts." href=/v1.4/docs/reference/config/installation-options/>Installation Options (Helm)</a></li><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.4/docs/reference/config/istio.mesh.v1alpha1/>Global Mesh Options</a></li><li role=none><a role=treeitem title="Resource annotations used by Istio." href=/v1.4/docs/reference/config/annotations/>Resource Annotations</a></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.4/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.4/docs/reference/config/networking/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Customizing Envoy configuration generated by Istio." href=/v1.4/docs/reference/config/networking/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.4/docs/reference/config/networking/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.4/docs/reference/config/networking/virtual-service/>Virtual Service</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.4/docs/reference/config/networking/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." href=/v1.4/docs/reference/config/networking/service-entry/>Service Entry</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Describes how to configure Istio's security features." href=/v1.4/docs/reference/config/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Authentication policy for Istio services." href=/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/>Authentication Policy</a></li><li role=none><a role=treeitem title="Configuration for access control on workloads." href=/v1.4/docs/reference/config/security/authorization-policy/>Authorization Policy</a></li><li role=none><a role=treeitem title="Describes the supported conditions in authorization policies." href=/v1.4/docs/reference/config/security/conditions/>Authorization Policy Conditions</a></li><li role=none><a role=treeitem title="Configuration for Role Based Access Control." href=/v1.4/docs/reference/config/security/istio.rbac.v1alpha1/>RBAC (deprecated)</a></li><li role=none><a role=treeitem title="Describes the supported constraints and properties." href=/v1.4/docs/reference/config/security/constraints-and-properties/>RBAC Constraints and Properties (deprecated)</a></li></ul></li><li role=treeitem aria-label="Policies and Telemetry"><button aria-hidden=true></button><a title="Describes how to configure Istio's policy and telemetry features." href=/v1.4/docs/reference/config/policy-and-telemetry/>Policies and Telemetry</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Configuration state for the Mixer client library." href=/v1.4/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/>Mixer Client</a></li><li role=none><a role=treeitem title="Describes the rules used to configure Mixer's policy and telemetry features." href=/v1.4/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Rules</a></li><li role=none><a role=treeitem title="Describes the configuration model for Istio's policy enforcement and telemetry mechanisms." href=/v1.4/docs/reference/config/policy-and-telemetry/mixer-overview/>Mixer Configuration Model</a></li><li role=none><a role=treeitem title="Describes the base attribute vocabulary used for policy and control." href=/v1.4/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>Attribute Vocabulary</a></li><li role=none><a role=treeitem title="Mixer configuration expression language reference." href=/v1.4/docs/reference/config/policy-and-telemetry/expression-language/>Expression Language</a></li><li role=treeitem aria-label=Adapters><button aria-hidden=true></button><a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/>Adapters</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Adapter to deliver metrics to Apache SkyWalking." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/apache-skywalking/>Apache SkyWalking</a></li><li role=none><a role=treeitem title="Adapter for Apigee's distributed policy checks and analytics." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/apigee/>Apigee</a></li><li role=none><a role=treeitem title="Adapter to enforce authentication and authorization policies for web apps and APIs." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/app-identity-access-adapter/>App Identity and Access</a></li><li role=none><a role=treeitem title="Adapter for circonus.com's monitoring solution." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/circonus/>Circonus</a></li><li role=none><a role=treeitem title="Adapter for cloudmonitor metrics." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/cloudmonitor/>CloudMonitor</a></li><li role=none><a role=treeitem title="Adapter for cloudwatch metrics." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/>CloudWatch</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/datadog/>Datadog</a></li><li role=none><a role=treeitem title="Adapter to deliver tracing data to Zipkin." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="Adapter that always returns a precondition denial." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/denier/>Denier</a></li><li role=none><a role=treeitem title="Adapter that delivers logs to a Fluentd daemon." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/fluentd/>Fluentd</a></li><li role=none><a role=treeitem title="Adapter that extracts information from a Kubernetes environment." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/>Kubernetes Env</a></li><li role=none><a role=treeitem title="Adapter that performs whitelist or blacklist checks." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/list/>List</a></li><li role=none><a role=treeitem title="Adapter for a simple in-memory quota management system." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/memquota/>Memory quota</a></li><li role=none><a role=treeitem title="An Istio Mixer adapter to send telemetry data to New Relic." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/newrelic/>New Relic</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to Wavefront by VMware." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/wavefront/>Wavefront by VMware</a></li><li role=none><a role=treeitem title="Adapter to locally output logs and metrics." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/stdio/>Stdio</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a StatsD backend." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/statsd/>StatsD</a></li><li role=none><a role=treeitem title="Adapter to deliver logs, metrics, and traces to Stackdriver." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/stackdriver/>Stackdriver</a></li><li role=none><a role=treeitem title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/solarwinds/>SolarWinds</a></li><li role=none><a role=treeitem title="Adapter that implements an Open Policy Agent engine." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/opa/>OPA</a></li><li role=none><a role=treeitem title="Adapter for a Redis-based quota management system." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/redisquota/>Redis Quota</a></li><li role=none><a role=treeitem title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/prometheus/>Prometheus</a></li></ul></li><li role=treeitem aria-label=Templates><button aria-hidden=true></button><a title="Mixer templates are used to send data to individual adapters." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/>Templates</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="A template that represents a single API key." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/apikey/>API Key</a></li><li role=none><a role=treeitem title="A template used to represent an access control query." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/authorization/>Authorization</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/checknothing/>Check Nothing</a></li><li role=none><a role=treeitem title="A template designed to report observed communication edges between workloads." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/edge/>Edge</a></li><li role=none><a role=treeitem title="A template that is used to control the production of Kubernetes-specific attributes." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/kubernetes/>Kubernetes</a></li><li role=none><a role=treeitem title="A template designed to let you perform list checking operations." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/listentry/>List Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime log entry." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/logentry/>Log Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime metric." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/metric/>Metric</a></li><li role=none><a role=treeitem title="A template that represents an individual span within a distributed trace." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/tracespan/>Trace Span</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/reportnothing/>Report Nothing</a></li><li role=none><a role=treeitem title="A template that represents a quota allocation request." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/quota/>Quota</a></li><li role=none><a role=treeitem title="The Analytics template is used to dispatch runtime telemetry to Apigee." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/analytics/>Analytics</a></li></ul></li><li role=none><a role=treeitem title="Default Metrics exported from Istio through Mixer." href=/v1.4/docs/reference/config/policy-and-telemetry/metrics/>Default Metrics</a></li></ul></li><li role=treeitem aria-label="Configuration Analysis Messages"><button aria-hidden=true></button><a title="Documents the individual error and warning messages produced during configurarion analysis." href=/v1.4/docs/reference/config/analysis/>Configuration Analysis Messages</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/message-format/>Analyzer Message Format</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0109/>ConflictingMeshGatewayVirtualServiceHosts</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0110/>ConflictingSidecarWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0002/>Deprecated</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0104/>GatewayPortNotOnWorkload</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0001/>InternalError</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0105/>IstioProxyVersionMismatch</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0119/>JwtFailureDueToInvalidServicePortPrefix</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0107/>MisplacedAnnotation</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0111/>MultipleSidecarsWithoutWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0102/>NamespaceNotInjected</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0112/>VirtualServiceDestinationPortSelectorRequired</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0108/>UnknownAnnotation</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0106/>SchemaValidationError</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0101/>ReferencedResourceNotFound</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0103/>PodMissingProxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.4/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Galley provides configuration management services for Istio." href=/v1.4/docs/reference/commands/galley/>galley</a></li><li role=none><a role=treeitem title="Istio Certificate Authority (CA)." href=/v1.4/docs/reference/commands/istio_ca/>istio_ca</a></li><li role=none><a role=treeitem title="Istio control interface." href=/v1.4/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Mixer is Istio's abstraction on top of infrastructure backends." href=/v1.4/docs/reference/commands/mixs/>mixs</a></li><li role=none><a role=treeitem title="Kubernetes webhook for automatic Istio sidecar injection." href=/v1.4/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li><li role=none><a role=treeitem title="Istio security per-node agent." href=/v1.4/docs/reference/commands/node_agent/>node_agent</a></li><li role=none><a role=treeitem title="The Istio operator." href=/v1.4/docs/reference/commands/operator/>operator</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.4/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.4/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.4/docs/reference/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.4/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.4/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.4/docs/examples/ title="A variety of fully working example uses for Istio that you can experiment with.">Examples</a></li><li><a href=/v1.4/docs/examples/virtual-machines/ title="Examples that add workloads running on virtual machines to an Istio mesh.">Virtual Machines</a></li><li>Virtual Machines in Single-Network Meshes</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Virtual Machines in Single-Network Meshes</h1><p class=byline><span title="1672 words"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#clock"/></svg><span>&nbsp;</span>8 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=Prerequisites><a href=#prerequisites>Prerequisites</a><li role=none aria-label="Installation steps"><a href=#installation-steps>Installation steps</a><ol><li role=none aria-label="Preparing the Kubernetes cluster for VMs"><a href=#preparing-the-kubernetes-cluster-for-vms>Preparing the Kubernetes cluster for VMs</a><li role=none aria-label="Setting up the VM"><a href=#setting-up-the-vm>Setting up the VM</a></ol></li><li role=none aria-label="Send requests from VM workloads to Kubernetes services"><a href=#send-requests-from-vm-workloads-to-kubernetes-services>Send requests from VM workloads to Kubernetes services</a><li role=none aria-label="Running services on the added VM"><a href=#running-services-on-the-added-vm>Running services on the added VM</a><li role=none aria-label=Cleanup><a href=#cleanup>Cleanup</a><li role=none aria-label=Troubleshooting><a href=#troubleshooting>Troubleshooting</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>This example shows how to integrate a VM or a bare metal host into a single-network
Istio mesh deployed on Kubernetes.</p><h2 id=prerequisites>Prerequisites</h2><ul><li><p>You have already set up Istio on Kubernetes. If you haven&rsquo;t done so, you can
find out how in the <a href=/v1.4/docs/setup/getting-started/>Installation guide</a>.</p></li><li><p>Virtual machines (VMs) must have IP connectivity to the endpoints in the mesh.
This typically requires a VPC or a VPN, as well as a container network that
provides direct (without NAT or firewall deny) routing to the endpoints. The
machine is not required to have access to the cluster IP addresses assigned by
Kubernetes.</p></li><li><p>VMs must have access to a DNS server that resolves names to cluster IP
addresses. Options include exposing the Kubernetes DNS server through an
internal load balancer, using a <a href=https://coredns.io/>Core DNS</a> server, or
configuring the IPs in any other DNS server accessible from the VM.</p></li><li><p>Install the <a href=https://docs.helm.sh/using_helm/>Helm client</a>. Helm is needed to
support adding VMs to your mesh.</p></li></ul><p>The following instructions:</p><ul><li>Assume the expansion VM is running on GCE.</li><li>Use Google platform-specific commands for some steps.</li></ul><h2 id=installation-steps>Installation steps</h2><p>Setup consists of preparing the mesh for expansion and installing and configuring each VM.</p><h3 id=preparing-the-kubernetes-cluster-for-vms>Preparing the Kubernetes cluster for VMs</h3><p>The first step when adding non-Kubernetes services to an Istio mesh is to
configure the Istio installation itself, and generate the configuration files
that let VMs connect to the mesh. Prepare the cluster for the VM with the
following commands on a machine with cluster admin privileges:</p><ol><li><p>Ensure that the <code>mesh expansion</code> option is enabled for the cluster. If you
didn&rsquo;t use the <code>--set global.meshExpansion.enabled=true</code> flag when
installing Helm, you can use one of the following two options depending on
how you originally installed Istio on the cluster:</p><ul><li>If you installed Istio with Helm and Tiller, run <code>helm upgrade</code> with the new option:</li></ul><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cd install/kubernetes/helm/istio
$ helm upgrade --set global.meshExpansion.enabled=true istio .
$ cd -
</code></pre><ul><li>If you installed Istio without Helm and Tiller, use <code>helm template</code> to update your configuration with the option and reapply with <code>kubectl</code>:</li></ul><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl create namespace istio-system
$ helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
$ cd install/kubernetes/helm/istio
$ helm template --set global.meshExpansion.enabled=true --namespace istio-system . &gt; istio.yaml
$ kubectl apply -f istio.yaml
$ cd -
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.4/img/icons.svg#callout-tip"/></svg></div><div class=content>When updating configuration with Helm, you can either set the option on the command line, as in our examples, or add
it to a <code>.yaml</code> values file and pass it to
the command with <code>--values</code>, which is the recommended approach when managing configurations with multiple options. You
can see some sample values files in your Istio installation&rsquo;s <code>install/kubernetes/helm/istio</code> directory and find out
more about customizing Helm charts in the <a href=https://helm.sh/docs/intro/using_helm/>Helm documentation</a>.</div></aside></div></li><li><p>Define the namespace the VM joins. This example uses the <code>SERVICE_NAMESPACE</code>
environment variable to store the namespace. The value of this variable must
match the namespace you use in the configuration files later on.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export SERVICE_NAMESPACE=&#34;default&#34;
</code></pre></li><li><p>Determine and store the IP address of the Istio ingress gateway since the VMs
access <a href=/v1.4/docs/concepts/security/>Citadel</a> and
<a href=/v1.4/docs/ops/deployment/architecture/#pilot>Pilot</a> through this IP address.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export GWIP=$(kubectl get -n istio-system service istio-ingressgateway -o jsonpath=&#39;{.status.loadBalancer.ingress[0].ip}&#39;)
$ echo $GWIP
35.232.112.158
</code></pre></li><li><p>Generate a <code>cluster.env</code> configuration to deploy in the VMs. This file contains the Kubernetes cluster IP address ranges
to intercept and redirect via Envoy. You specify the CIDR range when you install Kubernetes as <code>servicesIpv4Cidr</code>.
Replace <code>$MY_ZONE</code> and <code>$MY_PROJECT</code> in the following example commands with the appropriate values to obtain the CIDR
after installation:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ ISTIO_SERVICE_CIDR=$(gcloud container clusters describe $K8S_CLUSTER --zone $MY_ZONE --project $MY_PROJECT --format &#34;value(servicesIpv4Cidr)&#34;)
$ echo -e &#34;ISTIO_CP_AUTH=MUTUAL_TLS\nISTIO_SERVICE_CIDR=$ISTIO_SERVICE_CIDR\n&#34; &gt; cluster.env
</code></pre></li><li><p>Check the contents of the generated <code>cluster.env</code> file. It should be similar to the following example:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat cluster.env
ISTIO_CP_AUTH=MUTUAL_TLS
ISTIO_SERVICE_CIDR=10.55.240.0/20
</code></pre></li><li><p>If the VM only calls services in the mesh, you can skip this step. Otherwise, add the ports the VM exposes
to the <code>cluster.env</code> file with the following command. You can change the ports later if necessary.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ echo &#34;ISTIO_INBOUND_PORTS=3306,8080&#34; &gt;&gt; cluster.env
</code></pre></li><li><p>Extract the initial keys the service account needs to use on the VMs.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n $SERVICE_NAMESPACE get secret istio.default \
-o jsonpath=&#39;{.data.root-cert\.pem}&#39; |base64 --decode &gt; root-cert.pem
$ kubectl -n $SERVICE_NAMESPACE get secret istio.default \
-o jsonpath=&#39;{.data.key\.pem}&#39; |base64 --decode &gt; key.pem
$ kubectl -n $SERVICE_NAMESPACE get secret istio.default \
-o jsonpath=&#39;{.data.cert-chain\.pem}&#39; |base64 --decode &gt; cert-chain.pem
</code></pre></li></ol><h3 id=setting-up-the-vm>Setting up the VM</h3><p>Next, run the following commands on each machine that you want to add to the mesh:</p><ol><li><p>Copy the previously created <code>cluster.env</code> and <code>*.pem</code> files to the VM. For example:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export GCE_NAME=&#34;your-gce-instance&#34;
$ gcloud compute scp --project=${MY_PROJECT} --zone=${MY_ZONE} {key.pem,cert-chain.pem,cluster.env,root-cert.pem} ${GCE_NAME}:~
</code></pre></li><li><p>Install the Debian package with the Envoy sidecar.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ gcloud compute ssh --project=${MY_PROJECT} --zone=${MY_ZONE} &#34;${GCE_NAME}&#34;
$ curl -L https://storage.googleapis.com/istio-release/releases/1.4.6/deb/istio-sidecar.deb &gt; istio-sidecar.deb
$ sudo dpkg -i istio-sidecar.deb
</code></pre></li><li><p>Add the IP address of the Istio gateway to <code>/etc/hosts</code>. Revisit the <a href=#preparing-the-kubernetes-cluster-for-vms>preparing the cluster</a> section to learn how to obtain the IP address.
The following example updates the <code>/etc/hosts</code> file with the Istio gateway address:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ echo &#34;35.232.112.158 istio-citadel istio-pilot istio-pilot.istio-system&#34; | sudo tee -a /etc/hosts
</code></pre></li><li><p>Install <code>root-cert.pem</code>, <code>key.pem</code> and <code>cert-chain.pem</code> under <code>/etc/certs/</code>.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ sudo mkdir -p /etc/certs
$ sudo cp {root-cert.pem,cert-chain.pem,key.pem} /etc/certs
</code></pre></li><li><p>Install <code>cluster.env</code> under <code>/var/lib/istio/envoy/</code>.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ sudo cp cluster.env /var/lib/istio/envoy
</code></pre></li><li><p>Transfer ownership of the files in <code>/etc/certs/</code> and <code>/var/lib/istio/envoy/</code> to the Istio proxy.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ sudo chown -R istio-proxy /etc/certs /var/lib/istio/envoy
</code></pre></li><li><p>Verify the node agent works:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ sudo node_agent
....
CSR is approved successfully. Will renew cert in 1079h59m59.84568493s
</code></pre></li><li><p>Start Istio using <code>systemctl</code>.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ sudo systemctl start istio-auth-node-agent
$ sudo systemctl start istio
</code></pre></li></ol><h2 id=send-requests-from-vm-workloads-to-kubernetes-services>Send requests from VM workloads to Kubernetes services</h2><p>After setup, the machine can access services running in the Kubernetes cluster
or on other VMs.</p><p>The following example shows accessing a service running in the Kubernetes cluster from a VM using
<code>/etc/hosts/</code>, in this case using a service from the <a href=/v1.4/docs/examples/bookinfo/>Bookinfo example</a>.</p><ol><li><p>First, on the cluster admin machine get the virtual IP address (<code>clusterIP</code>) for the service:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get svc productpage -o jsonpath=&#39;{.spec.clusterIP}&#39;
10.55.246.247
</code></pre></li><li><p>Then on the added VM, add the service name and address to its <code>etc/hosts</code>
file. You can then connect to the cluster service from the VM, as in the
example below:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ echo &#34;10.55.246.247 productpage.default.svc.cluster.local&#34; | sudo tee -a /etc/hosts
$ curl -v productpage.default.svc.cluster.local:9080
&lt; HTTP/1.1 200 OK
&lt; content-type: text/html; charset=utf-8
&lt; content-length: 1836
&lt; server: envoy
... html content ...
</code></pre></li></ol><p>The <code>server: envoy</code> header indicates that the sidecar intercepted the traffic.</p><h2 id=running-services-on-the-added-vm>Running services on the added VM</h2><ol><li><p>Setup an HTTP server on the VM instance to serve HTTP traffic on port 8080:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ gcloud compute ssh ${GCE_NAME}
$ python -m SimpleHTTPServer 8080
</code></pre></li><li><p>Determine the VM instance&rsquo;s IP address. For example, find the IP address
of the GCE instance with the following commands:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export GCE_IP=$(gcloud --format=&#34;value(networkInterfaces[0].networkIP)&#34; compute instances describe ${GCE_NAME})
$ echo ${GCE_IP}
</code></pre></li><li><p>Configure a service entry to enable service discovery for the VM. You can add VM services to the mesh using a
<a href=/v1.4/docs/reference/config/networking/service-entry/>service entry</a>. Service entries let you manually add
additional services to Pilot&rsquo;s abstract model of the mesh. Once VM services are part of the mesh&rsquo;s abstract model,
other services can find and direct traffic to them. Each service entry configuration contains the IP addresses, ports,
and appropriate labels of all VMs exposing a particular service, for example:</p><pre><code class=language-bash data-expandlinks=true data-outputis=yaml data-repo=istio>$ kubectl -n ${SERVICE_NAMESPACE} apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: vmhttp
spec:
hosts:
- vmhttp.${SERVICE_NAMESPACE}.svc.cluster.local
ports:
- number: 8080
name: http
protocol: HTTP
resolution: STATIC
endpoints:
- address: ${GCE_IP}
ports:
http: 8080
labels:
app: vmhttp
version: &#34;v1&#34;
EOF
</code></pre></li><li><p>The workloads in a Kubernetes cluster need a DNS mapping to resolve the domain names of VM services. To
integrate the mapping with your own DNS system, use <a href=/v1.4/docs/reference/commands/istioctl#istioctl-register><code>istioctl register</code></a> and creates a Kubernetes <code>selector-less</code>
service, for example:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl register -n ${SERVICE_NAMESPACE} vmhttp ${GCE_IP} 8080
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.4/img/icons.svg#callout-tip"/></svg></div><div class=content>Make sure you have already added the <a href=/v1.4/docs/reference/commands/istioctl><code>istioctl</code></a> client to your path, as described in the <a href=/v1.4/docs/setup/getting-started/#download>download page</a>.</div></aside></div></li><li><p>Deploy a pod running the <code>sleep</code> service in the Kubernetes cluster, and wait until it is ready:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.4/samples/sleep/sleep.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/sleep/sleep.yaml@
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
productpage-v1-8fcdcb496-xgkwg 2/2 Running 0 1d
sleep-88ddbcfdd-rm42k 2/2 Running 0 1s
...
</code></pre></div></li><li><p>Send a request from the <code>sleep</code> service on the pod to the VM&rsquo;s HTTP service:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it sleep-88ddbcfdd-rm42k -c sleep -- curl vmhttp.${SERVICE_NAMESPACE}.svc.cluster.local:8080
</code></pre><p>You should see something similar to the output below.</p><pre><code class=language-html data-expandlinks=true data-repo=istio>&lt;!DOCTYPE html PUBLIC &#34;-//W3C//DTD HTML 3.2 Final//EN&#34;&gt;&lt;html&gt;
&lt;title&gt;Directory listing for /&lt;/title&gt;
&lt;body&gt;
&lt;h2&gt;Directory listing for /&lt;/h2&gt;
&lt;hr&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;.bashrc&#34;&gt;.bashrc&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;.ssh/&#34;&gt;.ssh/&lt;/a&gt;&lt;/li&gt;
...
&lt;/body&gt;
</code></pre></li></ol><p><strong>Congratulations!</strong> You successfully configured a service running in a pod within the cluster to
send traffic to a service running on a VM outside of the cluster and tested that
the configuration worked.</p><h2 id=cleanup>Cleanup</h2><p>Run the following commands to remove the expansion VM from the mesh&rsquo;s abstract
model.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl deregister -n ${SERVICE_NAMESPACE} vmhttp ${GCE_IP}
2019-02-21T22:12:22.023775Z info Deregistered service successfull
$ kubectl delete ServiceEntry vmhttp -n ${SERVICE_NAMESPACE}
serviceentry.networking.istio.io &#34;vmhttp&#34; deleted
</code></pre><h2 id=troubleshooting>Troubleshooting</h2><p>The following are some basic troubleshooting steps for common VM-related issues.</p><ul><li><p>When making requests from a VM to the cluster, ensure you don&rsquo;t run the requests as <code>root</code> or
<code>istio-proxy</code> user. By default, Istio excludes both users from interception.</p></li><li><p>Verify the machine can reach the IP of the all workloads running in the cluster. For example:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get endpoints productpage -o jsonpath=&#39;{.subsets[0].addresses[0].ip}&#39;
10.52.39.13
</code></pre><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ curl 10.52.39.13:9080
html output
</code></pre></li><li><p>Check the status of the node agent and sidecar:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ sudo systemctl status istio-auth-node-agent
$ sudo systemctl status istio
</code></pre></li><li><p>Check that the processes are running. The following is an example of the processes you should see on the VM if you run
<code>ps</code>, filtered for <code>istio</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ ps aux | grep istio
root 6941 0.0 0.2 75392 16820 ? Ssl 21:32 0:00 /usr/local/istio/bin/node_agent --logtostderr
root 6955 0.0 0.0 49344 3048 ? Ss 21:32 0:00 su -s /bin/bash -c INSTANCE_IP=10.150.0.5 POD_NAME=demo-vm-1 POD_NAMESPACE=default exec /usr/local/bin/pilot-agent proxy &gt; /var/log/istio/istio.log istio-proxy
istio-p+ 7016 0.0 0.1 215172 12096 ? Ssl 21:32 0:00 /usr/local/bin/pilot-agent proxy
istio-p+ 7094 4.0 0.3 69540 24800 ? Sl 21:32 0:37 /usr/local/bin/envoy -c /etc/istio/proxy/envoy-rev1.json --restart-epoch 1 --drain-time-s 2 --parent-shutdown-time-s 3 --service-cluster istio-proxy --service-node sidecar~10.150.0.5~demo-vm-1.default~default.svc.cluster.local
</code></pre></li><li><p>Check the Envoy access and error logs:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ tail /var/log/istio/istio.log
$ tail /var/log/istio/istio.err.log
</code></pre></li></ul><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/docs/examples/virtual-machines/multi-network/>Virtual Machines in Multi-Network Meshes</a></p><p class=desc>Learn how to add a service running on a virtual machine to your multi-network Istio mesh.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/blog/2019/dns-cert/>DNS Certificate Management</a></p><p class=desc>Provision and manage DNS certificates in Istio.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/blog/2019/webhook/>Secure Webhook Management</a></p><p class=desc>A more secure way to manage Istio webhooks.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/blog/2019/data-plane-setup/>Demystifying Istio&#39;s Sidecar Injection Model</a></p><p class=desc>De-mystify how Istio manages to plugin its data-plane components into an existing deployment.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/docs/examples/virtual-machines/bookinfo/>Bookinfo with a Virtual Machine</a></p><p class=desc>Run the Bookinfo application with a MySQL service running on a virtual machine within your mesh.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/docs/setup/install/helm/>Customizable Install with Helm</a></p><p class=desc>Install and configure Istio for in-depth evaluation or production use.</p></div></div></nav></article><nav class=pagenav><div class=left></div><div class=right><a title="Learn how to add a service running on a virtual machine to your multi-network Istio mesh." href=/v1.4/docs/examples/virtual-machines/multi-network/>Virtual Machines in Multi-Network Meshes<svg class="icon"><use xlink:href="/v1.4/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>
<button class="btn feedback" onclick="sendFeedback('en',0)">No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder="Help us improve..." data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label=Prerequisites><a href=#prerequisites>Prerequisites</a><li role=none aria-label="Installation steps"><a href=#installation-steps>Installation steps</a><ol><li role=none aria-label="Preparing the Kubernetes cluster for VMs"><a href=#preparing-the-kubernetes-cluster-for-vms>Preparing the Kubernetes cluster for VMs</a><li role=none aria-label="Setting up the VM"><a href=#setting-up-the-vm>Setting up the VM</a></ol></li><li role=none aria-label="Send requests from VM workloads to Kubernetes services"><a href=#send-requests-from-vm-workloads-to-kubernetes-services>Send requests from VM workloads to Kubernetes services</a><li role=none aria-label="Running services on the added VM"><a href=#running-services-on-the-added-vm>Running services on the added VM</a><li role=none aria-label=Cleanup><a href=#cleanup>Cleanup</a><li role=none aria-label=Troubleshooting><a href=#troubleshooting>Troubleshooting</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.4.6 now" href=/v1.4/docs/setup/getting-started/#download aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.4.6<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on March 5, 2020</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink