istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.3/docs/concepts/traffic-management/index.html

591 lines
103 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Traffic Management"><meta name=description content="Describes the various Istio features focused on traffic routing and control."><meta name=keywords content=microservices,services,mesh,traffic-management,pilot,envoy-proxies,service-discovery,load-balancing><meta property=og:title content="Traffic Management"><meta property=og:type content=website><meta property=og:description content="Describes the various Istio features focused on traffic routing and control."><meta property=og:url content=/v1.3/docs/concepts/traffic-management/><meta property=og:image content=/v1.3/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.3 / Traffic Management</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.3/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.3/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.3/feed.xml><link rel="shortcut icon" href=/v1.3/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.3/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.3/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.3/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.3/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.3/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.3/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.3/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.3/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.3/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.3/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.3/css/all.css><script src=/v1.3/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.3";const docTitle="Traffic Management";const iconFile="\/v1.3/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.3/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.3/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.3</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#hamburger"/></svg></div><div id=header-links><span title="Learn how to deploy, use, and operate Istio.">Docs</span>
<a title="Posts about using Istio." href=/v1.3/blog/2019/proxy/>Blog</a>
<a title="Timely news about the Istio project." href=/v1.3/news/2019/announcing-1.2-eol/>News</a>
<a title="Frequently Asked Questions about Istio." href=/v1.3/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.3/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/concepts\/traffic-management\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/concepts\/traffic-management\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.3/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card32 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card32-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#concepts"/></svg>Concepts</button><div class="body default" aria-labelledby=card32 role=region id=card32-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card32><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture and design goals." href=/v1.3/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><span role=treeitem class=current title="Describes the various Istio features focused on traffic routing and control.">Traffic Management</span></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.3/docs/concepts/security/>Policies and Security</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.3/docs/concepts/observability/>Observability</a></li><li role=none><a role=treeitem title="Introduces performance and scalability for Istio." href=/v1.3/docs/concepts/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Describes the system models that impact your overall Istio depolyment." href=/v1.3/docs/concepts/deployment-models/>Deployment Models</a></li></ul></div></div><div class=card><button class="header dynamic" id=card49 title="Instructions for installing the Istio control plane on Kubernetes and adding virtual machines into the mesh." aria-controls=card49-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card49 role=region id=card49-body><ul role=tree aria-expanded=true aria-labelledby=card49><li role=none><a role=treeitem title="Download, install, and try out Istio." href=/v1.3/docs/setup/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.3/docs/setup/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.3/docs/setup/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.3/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker Desktop for Istio." href=/v1.3/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.3/docs/setup/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.3/docs/setup/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup a Gardener cluster for Istio." href=/v1.3/docs/setup/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to setup MicroK8s for use with Istio." href=/v1.3/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="Instructions to setup minikube for Istio." href=/v1.3/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.3/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.3/docs/setup/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the guide that best suits your needs and platform." href=/v1.3/docs/setup/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Instructions to install Istio in a Kubernetes cluster for evaluation." href=/v1.3/docs/setup/install/kubernetes/>Quick Start Evaluation Install</a></li><li role=none><a role=treeitem title="Install and configure Istio for in-depth evaluation or production use." href=/v1.3/docs/setup/install/helm/>Customizable Install with Helm</a></li><li role=none><a role=treeitem title="Install and configure Istio using the Istio Operator CLI." href=/v1.3/docs/setup/install/operator/>Operator CLI-based Installation [Experimental]</a></li><li role=treeitem aria-label="Multi-cluster Installation"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.3/docs/setup/install/multicluster/>Multi-cluster Installation</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with replicated control plane instances." href=/v1.3/docs/setup/install/multicluster/gateways/>Replicated control planes</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with a shared control plane and VPN connectivity between clusters." href=/v1.3/docs/setup/install/multicluster/shared-vpn/>Shared control plane (single-network)</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters using a shared control plane for disconnected cluster networks." href=/v1.3/docs/setup/install/multicluster/shared-gateways/>Shared control plane (multi-network)</a></li></ul></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Information on upgrading Istio." href=/v1.3/docs/setup/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Important changes to consider when upgrading to Istio 1.3." href=/v1.3/docs/setup/upgrade/notice/>1.3 Upgrade Notice</a></li><li role=none><a role=treeitem title="Upgrade the Istio control plane and data plane independently." href=/v1.3/docs/setup/upgrade/steps/>Upgrade Steps</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.3/docs/setup/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Prepare your Kubernetes pods and services to run in an Istio-enabled cluster." href=/v1.3/docs/setup/additional-setup/requirements/>Pods and Services</a></li><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.3/docs/setup/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.3/docs/setup/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.3/docs/setup/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card72 title="How to do single specific targeted activities with the Istio system." aria-controls=card72-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#tasks"/></svg>Tasks</button><div class=body aria-labelledby=card72 role=region id=card72-body><ul role=tree aria-expanded=true aria-labelledby=card72><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.3/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.3/docs/tasks/traffic-management/request-routing/>Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.3/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.3/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.3/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.3/docs/tasks/traffic-management/request-timeouts/>Request Timeouts</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.3/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.3/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li role=treeitem aria-label=Ingress><button aria-hidden=true></button><a title="Controlling ingress traffic for an Istio service mesh." href=/v1.3/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure an Istio gateway to expose a service outside of the service mesh." href=/v1.3/docs/tasks/traffic-management/ingress/ingress-control/>Ingress Gateways</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using file-mounted certificates." href=/v1.3/docs/tasks/traffic-management/ingress/secure-ingress-mount/>Secure Gateways (File Mount)</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using the secret discovery service (SDS)." href=/v1.3/docs/tasks/traffic-management/ingress/secure-ingress-sds/>Secure Gateways (SDS)</a></li><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.3/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager." href=/v1.3/docs/tasks/traffic-management/ingress/ingress-certmgr/>Kubernetes Ingress with Cert-Manager</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true></button><a title="Controlling egress traffic for an Istio service mesh." href=/v1.3/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.3/docs/tasks/traffic-management/egress/egress-control/>Accessing External Services</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.3/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.3/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services." href=/v1.3/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateways with TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.3/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Egress using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Describes how to configure SNI monitoring and apply policies on TLS egress traffic." href=/v1.3/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/>Monitoring and Policies for TLS Egress</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.3/docs/tasks/traffic-management/egress/http-proxy/>Using an External HTTPS Proxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.3/docs/tasks/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.3/docs/tasks/security/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for HTTP services." href=/v1.3/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for TCP services." href=/v1.3/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></li><li role=none><a role=treeitem title="Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio." href=/v1.3/docs/tasks/security/rbac-groups/>Authorization for groups and list claims</a></li><li role=none><a role=treeitem title="Shows how to use Authorization permissive mode." href=/v1.3/docs/tasks/security/authz-permissive/>Authorization permissive mode</a></li><li role=none><a role=treeitem title="Shows you how to verify and test Istio's automatic mutual TLS authentication." href=/v1.3/docs/tasks/security/mutual-tls/>Mutual TLS Deep-Dive</a></li><li role=none><a role=treeitem title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href=/v1.3/docs/tasks/security/plugin-ca-cert/>Plugging in External CA Key and Certificate</a></li><li role=none><a role=treeitem title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.3/docs/tasks/security/health-check/>Citadel Health Checking</a></li><li role=none><a role=treeitem title="Shows how to enable SDS (secret discovery service) for Istio identity provisioning." href=/v1.3/docs/tasks/security/auth-sds/>Provisioning Identity through SDS</a></li><li role=none><a role=treeitem title="Configure which namespaces Citadel should generate service account secrets for." href=/v1.3/docs/tasks/security/ca-namespace-targeting/>Configure Citadel Service Account Secret Generation</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.3/docs/tasks/security/mtls-migration/>Mutual TLS Migration</a></li><li role=none><a role=treeitem title="Shows how to enable mutual TLS on HTTPS services." href=/v1.3/docs/tasks/security/https-overlay/>Mutual TLS over HTTPS</a></li></ul></li><li role=treeitem aria-label=Policies><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.3/docs/tasks/policy-enforcement/>Policies</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to enable Istio policy enforcement." href=/v1.3/docs/tasks/policy-enforcement/enabling-policy/>Enabling Policy Enforcement</a></li><li role=none><a role=treeitem title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.3/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits</a></li><li role=none><a role=treeitem title="Shows how to modify request headers and routing using policy adapters." href=/v1.3/docs/tasks/policy-enforcement/control-headers/>Control Headers and Routing</a></li><li role=none><a role=treeitem title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.3/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.3/docs/tasks/telemetry/>Telemetry</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh metrics." href=/v1.3/docs/tasks/telemetry/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize metrics." href=/v1.3/docs/tasks/telemetry/metrics/collecting-metrics/>Collecting Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.3/docs/tasks/telemetry/metrics/tcp-metrics/>Collecting Metrics for TCP services</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.3/docs/tasks/telemetry/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.3/docs/tasks/telemetry/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh logs." href=/v1.3/docs/tasks/telemetry/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize logs." href=/v1.3/docs/tasks/telemetry/logs/collecting-logs/>Collecting Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access log to their standard output." href=/v1.3/docs/tasks/telemetry/logs/access-log/>Getting Envoy&#39;s Access Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to log to a Fluentd daemon." href=/v1.3/docs/tasks/telemetry/logs/fluentd/>Logging with Fluentd</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.3/docs/tasks/telemetry/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.3/docs/tasks/telemetry/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.3/docs/tasks/telemetry/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.3/docs/tasks/telemetry/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to LightStep." href=/v1.3/docs/tasks/telemetry/distributed-tracing/lightstep/>LightStep</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.3/docs/tasks/telemetry/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.3/docs/tasks/telemetry/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card90 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card90-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card90 role=region id=card90-body><ul role=tree aria-expanded=true aria-labelledby=card90><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.3/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=none><a role=treeitem title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href=/v1.3/docs/examples/endpoints/>Install Istio for Google Cloud Endpoints Services</a></li><li role=treeitem aria-label="Mesh Expansion"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning Kubernetes clusters, VMs and bare metals." href=/v1.3/docs/examples/mesh-expansion/>Mesh Expansion</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Integrate VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href=/v1.3/docs/examples/mesh-expansion/single-network/>Single-network Mesh Expansion</a></li><li role=none><a role=treeitem title="Integrate VMs and bare metal hosts into an Istio mesh deployed on Kubernetes with gateways." href=/v1.3/docs/examples/mesh-expansion/multi-network/>Multi-network Mesh Expansion</a></li><li role=none><a role=treeitem title="Illustrates how to expand the Bookinfo application's mesh with a raw VM service." href=/v1.3/docs/examples/mesh-expansion/bookinfo-expanded/>Bookinfo with Mesh Expansion</a></li></ul></li><li role=treeitem aria-label="Multicluster Service Mesh"><button aria-hidden=true></button><a title="Multicluster service mesh examples for Istio that you can experiment with." href=/v1.3/docs/examples/multicluster/>Multicluster Service Mesh</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Set up a multicluster mesh over two GKE clusters." href=/v1.3/docs/examples/multicluster/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Example multicluster mesh over two IBM Cloud Private clusters." href=/v1.3/docs/examples/multicluster/icp/>IBM Cloud Private</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card104 title="Hints, tips, tricks about running an Istio mesh." aria-controls=card104-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#guide"/></svg>Operations</button><div class=body aria-labelledby=card104 role=region id=card104-body><ul role=tree aria-expanded=true aria-labelledby=card104><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.3/docs/ops/app-health-check/>Health Checking of Istio Services</a></li><li role=treeitem aria-label="Installation and Configuration"><button aria-hidden=true></button><a title="Describes important requirements, concepts, and considerations for installing and configuring Istio." href=/v1.3/docs/ops/setup/>Installation and Configuration</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.3/docs/ops/setup/injection-concepts/>Automatic Sidecar Injection</a></li><li role=none><a role=treeitem title="Describes how to check which capabilities are allowed for your pods." href=/v1.3/docs/ops/setup/required-pod-capabilities/>Required Pod Capabilities</a></li><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.3/docs/ops/setup/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for server-side configuration validation." href=/v1.3/docs/ops/setup/validation/>Configuration Validation Webhook</a></li></ul></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.3/docs/ops/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="An introduction to Istio networking operational aspects." href=/v1.3/docs/ops/traffic-management/introduction/>Introduction to Network Operations</a></li><li role=none><a role=treeitem title="Provides specific deployment or configuration guidelines to avoid networking or traffic management issues." href=/v1.3/docs/ops/traffic-management/deploy-guidelines/>Avoiding Traffic Management Issues</a></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.3/docs/ops/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li><li role=none><a role=treeitem title="Information on how to specify protocols." href=/v1.3/docs/ops/traffic-management/protocol-selection/>Protocol Selection</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.3/docs/ops/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Use hardened container images to reduce Istio's attack surface." href=/v1.3/docs/ops/security/harden-docker-images/>Harden Docker Container Images</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.3/docs/ops/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.3/docs/ops/telemetry/>Telemetry</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="How to enable in-proxy generation of HTTP service-level metrics." href=/v1.3/docs/ops/telemetry/in-proxy-service-telemetry/>Generate Istio Metrics Without Mixer [Experimental]</a></li><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.3/docs/ops/telemetry/envoy-stats/>Envoy Statistics</a></li></ul></li><li role=treeitem aria-label=Troubleshooting><button aria-hidden=true></button><a title="Describes how to identify and resolve common problems in Istio." href=/v1.3/docs/ops/troubleshooting/>Troubleshooting</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio includes a supplemental tool that provides debugging and diagnosis for Istio service mesh deployments." href=/v1.3/docs/ops/troubleshooting/istioctl/>Using the istioctl command-line tool</a></li><li role=none><a role=treeitem title="Tools and techniques to address common Istio traffic management and network problems." href=/v1.3/docs/ops/troubleshooting/network-issues/>Network Problems</a></li><li role=none><a role=treeitem title="Tools and techniques to address common Istio authentication, authorization, and general security-related problems." href=/v1.3/docs/ops/troubleshooting/security-issues/>Security Problems</a></li><li role=none><a role=treeitem title="Resolve common problems with Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.3/docs/ops/troubleshooting/injection/>Sidecar Injection Problems</a></li><li role=none><a role=treeitem title="What to do if Citadel is not behaving properly." href=/v1.3/docs/ops/troubleshooting/repairing-citadel/>Repairing Citadel</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.3/docs/ops/troubleshooting/proxy-cmd/>Debugging Envoy and Pilot</a></li><li role=none><a role=treeitem title="Describes how to resolve Galley configuration problems." href=/v1.3/docs/ops/troubleshooting/validation/>Galley Configuration Problems</a></li><li role=none><a role=treeitem title="Diagnose problems where metrics are not being collected." href=/v1.3/docs/ops/troubleshooting/missing-metrics/>Missing Metrics</a></li><li role=none><a role=treeitem title="Dealing with Grafana issues." href=/v1.3/docs/ops/troubleshooting/grafana/>Missing Grafana Output</a></li><li role=none><a role=treeitem title="Fix missing traces in Zipkin." href=/v1.3/docs/ops/troubleshooting/missing-traces/>Missing Zipkin Traces</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl describe to verify the configurations of a pod in your mesh." href=/v1.3/docs/ops/troubleshooting/istioctl-describe/>Understand your Mesh with istioctl describe</a></li><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.3/docs/ops/troubleshooting/component-logging/>Component Logging</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into individual running components." href=/v1.3/docs/ops/troubleshooting/controlz/>Component Introspection</a></li><li role=none><a role=treeitem title="Limitations for using Tcpdump in pods." href=/v1.3/docs/ops/troubleshooting/tcpdump-notes/>Tcpdump Limitations</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card126 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card126-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#reference"/></svg>Reference</button><div class=body aria-labelledby=card126 role=region id=card126-body><ul role=tree aria-expanded=true aria-labelledby=card126><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.3/docs/reference/config/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.3/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.3/docs/reference/config/networking/v1alpha3/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Customizing Envoy configuration generated by Istio." href=/v1.3/docs/reference/config/networking/v1alpha3/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.3/docs/reference/config/networking/v1alpha3/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." href=/v1.3/docs/reference/config/networking/v1alpha3/service-entry/>Service Entry</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.3/docs/reference/config/networking/v1alpha3/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.3/docs/reference/config/networking/v1alpha3/virtual-service/>Virtual Service</a></li></ul></li><li role=none><a role=treeitem title="Authentication policy for Istio services." href=/v1.3/docs/reference/config/istio.authentication.v1alpha1/>Authentication Policy</a></li><li role=none><a role=treeitem title="Resource annotations used by Istio." href=/v1.3/docs/reference/config/annotations/>Resource Annotations</a></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Describes how to configure Istio's authorization features." href=/v1.3/docs/reference/config/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the supported constraints and properties." href=/v1.3/docs/reference/config/authorization/constraints-and-properties/>Constraints and Properties</a></li><li role=none><a role=treeitem title="Configuration for Role Based Access Control." href=/v1.3/docs/reference/config/authorization/istio.rbac.v1alpha1/>RBAC</a></li></ul></li><li role=none><a role=treeitem title="Describes the options available when installing Istio using the included Helm chart." href=/v1.3/docs/reference/config/installation-options/>Installation Options</a></li><li role=none><a role=treeitem title="Details the Helm chart installation options differences between release-1.2 and release-1.3." href=/v1.3/docs/reference/config/installation-options-changes/>Installation Options Changes</a></li><li role=treeitem aria-label="Policies and Telemetry"><button aria-hidden=true></button><a title="Describes how to configure Istio's policy and telemetry features." href=/v1.3/docs/reference/config/policy-and-telemetry/>Policies and Telemetry</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Describes the configuration model for Istio's policy enforcement and telemetry mechanisms." href=/v1.3/docs/reference/config/policy-and-telemetry/mixer-overview/>Mixer Configuration Model</a></li><li role=none><a role=treeitem title="Describes the base attribute vocabulary used for policy and control." href=/v1.3/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>Attribute Vocabulary</a></li><li role=none><a role=treeitem title="Mixer configuration expression language reference." href=/v1.3/docs/reference/config/policy-and-telemetry/expression-language/>Expression Language</a></li><li role=treeitem aria-label=Adapters><button aria-hidden=true></button><a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/>Adapters</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Adapter to deliver metrics to Apache SkyWalking." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/apache-skywalking/>Apache SkyWalking</a></li><li role=none><a role=treeitem title="Adapter for Apigee's distributed policy checks and analytics." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/apigee/>Apigee</a></li><li role=none><a role=treeitem title="Adapter to enforce authentication and authorization policies for web apps and APIs." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/app-identity-access-adapter/>App Identity and Access</a></li><li role=none><a role=treeitem title="Adapter for circonus.com's monitoring solution." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/circonus/>Circonus</a></li><li role=none><a role=treeitem title="Adapter for cloudmonitor metrics." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/cloudmonitor/>CloudMonitor</a></li><li role=none><a role=treeitem title="Adapter for cloudwatch metrics." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/>CloudWatch</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/datadog/>Datadog</a></li><li role=none><a role=treeitem title="Adapter that always returns a precondition denial." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/denier/>Denier</a></li><li role=none><a role=treeitem title="Adapter that delivers logs to a Fluentd daemon." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/fluentd/>Fluentd</a></li><li role=none><a role=treeitem title="Adapter that extracts information from a Kubernetes environment." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/>Kubernetes Env</a></li><li role=none><a role=treeitem title="Adapter that performs whitelist or blacklist checks." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/list/>List</a></li><li role=none><a role=treeitem title="Adapter for a simple in-memory quota management system." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/memquota/>Memory quota</a></li><li role=none><a role=treeitem title="Adapter that implements an Open Policy Agent engine." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/opa/>OPA</a></li><li role=none><a role=treeitem title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/prometheus/>Prometheus</a></li><li role=none><a role=treeitem title="Adapter for a Redis-based quota management system." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/redisquota/>Redis Quota</a></li><li role=none><a role=treeitem title="Adapter that sends metrics to SignalFx." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/signalfx/>SignalFx</a></li><li role=none><a role=treeitem title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/solarwinds/>SolarWinds</a></li><li role=none><a role=treeitem title="Adapter to deliver logs, metrics, and traces to Stackdriver." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/stackdriver/>Stackdriver</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a StatsD backend." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/statsd/>StatsD</a></li><li role=none><a role=treeitem title="Adapter to locally output logs and metrics." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/stdio/>Stdio</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to Wavefront by VMware." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/wavefront/>Wavefront by VMware</a></li><li role=none><a role=treeitem title="Adapter to deliver tracing data to Zipkin." href=/v1.3/docs/reference/config/policy-and-telemetry/adapters/zipkin/>Zipkin</a></li></ul></li><li role=none><a role=treeitem title="Default Metrics exported from Istio through Mixer." href=/v1.3/docs/reference/config/policy-and-telemetry/metrics/>Default Metrics</a></li><li role=treeitem aria-label=Templates><button aria-hidden=true></button><a title="Mixer templates are used to send data to individual adapters." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/>Templates</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="A template that represents a single API key." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/apikey/>API Key</a></li><li role=none><a role=treeitem title="The Analytics template is used to dispatch runtime telemetry to Apigee." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/analytics/>Analytics</a></li><li role=none><a role=treeitem title="A template used to represent an access control query." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/authorization/>Authorization</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/checknothing/>Check Nothing</a></li><li role=none><a role=treeitem title="A template designed to report observed communication edges between workloads." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/edge/>Edge</a></li><li role=none><a role=treeitem title="A template that is used to control the production of Kubernetes-specific attributes." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/kubernetes/>Kubernetes</a></li><li role=none><a role=treeitem title="A template designed to let you perform list checking operations." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/listentry/>List Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime log entry." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/logentry/>Log Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime metric." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/metric/>Metric</a></li><li role=none><a role=treeitem title="A template that represents a quota allocation request." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/quota/>Quota</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/reportnothing/>Report Nothing</a></li><li role=none><a role=treeitem title="A template that represents an individual span within a distributed trace." href=/v1.3/docs/reference/config/policy-and-telemetry/templates/tracespan/>Trace Span</a></li></ul></li><li role=none><a role=treeitem title="Configuration state for the Mixer client library." href=/v1.3/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/>Mixer Client</a></li><li role=none><a role=treeitem title="Describes the rules used to configure Mixer's policy and telemetry features." href=/v1.3/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Rules</a></li></ul></li><li role=none><a role=treeitem title="Configuration for Istio control plane installation through the Operator." href=/v1.3/docs/reference/config/istio.operator.v1alpha12.pb/>Operator Installation</a></li><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.3/docs/reference/config/istio.mesh.v1alpha1/>Service Mesh</a></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.3/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Galley provides configuration management services for Istio." href=/v1.3/docs/reference/commands/galley/>galley</a></li><li role=none><a role=treeitem title="Istio Certificate Authority (CA)." href=/v1.3/docs/reference/commands/istio_ca/>istio_ca</a></li><li role=none><a role=treeitem title="Istio control interface." href=/v1.3/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Mixer is Istio's abstraction on top of infrastructure backends." href=/v1.3/docs/reference/commands/mixs/>mixs</a></li><li role=none><a role=treeitem title="Istio security per-node agent." href=/v1.3/docs/reference/commands/node_agent/>node_agent</a></li><li role=none><a role=treeitem title="The Istio operator." href=/v1.3/docs/reference/commands/operator/>operator</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.3/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.3/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li role=none><a role=treeitem title="Kubernetes webhook for automatic Istio sidecar injection." href=/v1.3/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.3/docs/reference/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.3/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.3/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.3/docs/concepts/ title="Learn about the different parts of the Istio system and the abstractions it uses.">Concepts</a></li><li>Traffic Management</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Traffic Management</h1><p class=byline><span title="5064 words"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#clock"/></svg><span>&nbsp;</span>24 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Introducing Istio Traffic Management"><a href=#introducing-istio-traffic-management>Introducing Istio Traffic Management</a><li role=none aria-label="Virtual services"><a href=#virtual-services>Virtual services</a><ol><li role=none aria-label="Why use virtual services?"><a href=#why-use-virtual-services>Why use virtual services?</a><li role=none aria-label="Virtual service example"><a href=#virtual-service-example>Virtual service example</a><ol><li role=none aria-label="The hosts field"><a href=#the-hosts-field>The hosts field</a><li role=none aria-label="Routing rules"><a href=#routing-rules>Routing rules</a><ol><li role=none aria-label="Match condition"><a href=#match-condition>Match condition</a><li role=none aria-label=Destination><a href=#destination>Destination</a></ol></li><li role=none aria-label="Routing rule precedence"><a href=#routing-rule-precedence>Routing rule precedence</a></ol></li><li role=none aria-label="More about routing rules"><a href=#more-about-routing-rules>More about routing rules</a></ol></li><li role=none aria-label="Destination rules"><a href=#destination-rules>Destination rules</a><ol><li role=none aria-label="Load balancing options"><a href=#load-balancing-options>Load balancing options</a><li role=none aria-label="Destination rule example"><a href=#destination-rule-example>Destination rule example</a></ol></li><li role=none aria-label=Gateways><a href=#gateways>Gateways</a><ol><li role=none aria-label="Gateway example"><a href=#gateway-example>Gateway example</a></ol></li><li role=none aria-label="Service entries"><a href=#service-entries>Service entries</a><ol><li role=none aria-label="Service entry example"><a href=#service-entry-example>Service entry example</a></ol></li><li role=none aria-label=Sidecars><a href=#sidecars>Sidecars</a><li role=none aria-label="Network resilience and testing"><a href=#network-resilience-and-testing>Network resilience and testing</a><ol><li role=none aria-label=Timeouts><a href=#timeouts>Timeouts</a><li role=none aria-label=Retries><a href=#retries>Retries</a><li role=none aria-label="Circuit breakers"><a href=#circuit-breakers>Circuit breakers</a><li role=none aria-label="Fault injection"><a href=#fault-injection>Fault injection</a><li role=none aria-label="Working with your applications"><a href=#working-with-your-applications>Working with your applications</a></ol></li><li role=none aria-label=Architecture><a href=#architecture>Architecture</a><ol><li role=none aria-label="Pilot: Core traffic management"><a href=#pilot>Pilot: Core traffic management</a><li role=none aria-label="Envoy proxies"><a href=#envoy-proxies>Envoy proxies</a><ol><li role=none aria-label="Service discovery and load balancing"><a href=#discovery>Service discovery and load balancing</a></ol></li></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>Istios traffic routing rules let you easily control the flow
of traffic and API calls between services. Istio simplifies configuration of
service-level properties like circuit breakers, timeouts, and retries, and makes
it easy to set up important tasks like A/B testing, canary rollouts, and staged
rollouts with percentage-based traffic splits. It also provides out-of-box
failure recovery features that help make your application
more robust against failures of dependent services or the network.</p><p>Istios traffic management model relies on the <span class=term data-title=Envoy data-body='&lt;p&gt;The high-performance proxy that Istio uses to mediate inbound and outbound traffic for all &lt;a href="#service"&gt;services&lt;/a&gt; in the
&lt;a href="#service-mesh"&gt;service mesh&lt;/a&gt;. &lt;a href="https://envoyproxy.github.io/envoy/"&gt;Learn more about Envoy&lt;/a&gt;.&lt;/p&gt;'>Envoy</span>
proxies that are deployed along with your services. All traffic that your mesh
services send and receive (<span class=term data-title="Data Plane" data-body='&lt;p&gt;The data plane is the part of the mesh that directly controls communication between workload instances.
Istio&amp;rsquo;s data plane uses intelligent &lt;a href="#envoy"&gt;Envoy&lt;/a&gt; proxies deployed as sidecars to mediate and control all
traffic that your mesh services send and receive.&lt;/p&gt;'>data plane</span> traffic) is proxied through Envoy, making
it easy to direct and control traffic around your mesh without making any
changes to your services.</p><p>If youre interested in the details of how the features described in this guide
work, you can find out more about Istios traffic management architecture in the
<a href=#architecture>Architecture</a> section at the end of this document. The rest of
this guide introduces Istios traffic management features.</p><h2 id=introducing-istio-traffic-management>Introducing Istio Traffic Management</h2><p>In order to direct traffic within your mesh, Istio needs to know where all your
endpoints are, and which services they belong to. To populate its own
<span class=term data-title="Service Registry" data-body='&lt;p&gt;Istio maintains an internal service registry containing the set of &lt;a href="#service"&gt;services&lt;/a&gt;,
and their corresponding &lt;a href="#service-endpoint"&gt;service endpoints&lt;/a&gt;, running in a service mesh.
Istio uses the service registry to generate &lt;a href="#envoy"&gt;Envoy&lt;/a&gt; configuration.&lt;/p&gt;
&lt;p&gt;Istio does not provide &lt;a href="https://en.wikipedia.org/wiki/Service_discovery"&gt;service discovery&lt;/a&gt;,
although most services are automatically added to the registry by Pilot
adapters that reflect the discovered services of the underlying platform (Kubernetes, Consul, plain DNS).
Additional services can also be registered manually using a
&lt;a href="/docs/concepts/traffic-management/#service-entries"&gt;&lt;code&gt;ServiceEntry&lt;/code&gt;&lt;/a&gt; configuration.&lt;/p&gt;'>service registry</span>, Istio connects to a service
discovery system. For example, if you&rsquo;ve installed Istio on a Kubernetes cluster,
then Istio automatically detects the services and endpoints in that cluster.</p><p>Using this service registry, the Envoy proxies can then direct traffic to the
relevant services. Most microservice-based applications have multiple instances
of each service workload to handle service traffic, sometimes referred to as a
load balancing pool. By default, the Envoy proxies distribute traffic across
each services load balancing pool using a round-robin model, where requests are
sent to each pool member in turn, returning to the top of the pool once each
service instance has received a request.</p><p>While Istio&rsquo;s basic service discovery and load balancing gives you a working
service mesh, its far from all that Istio can do. In many cases you might want
more fine-grained control over what happens to your mesh traffic.
You might want to direct a particular percentage of traffic to a new version of
a service as part of A/B testing, or apply a different load balancing policy to
traffic for a particular subset of service instances. You might also want to
apply special rules to traffic coming into or out of your mesh, or add an
external dependency of your mesh to the service registry. You can do all this
and more by adding your own traffic configuration to Istio using Istios traffic
management API.</p><p>Like other Istio configuration, the API is specified using Kubernetes custom
resource definitions (<span class=term data-title=CRDs data-body='&lt;p&gt;&lt;a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/"&gt;Custom resource definitions (CRDs)&lt;/a&gt;
are extensions of the default Kubernetes API. Istio uses the Kubernetes CRD API for
configuration, even for non-Kubernetes Istio deployments.&lt;/p&gt;'>CRDs</span>), which you can configure
using YAML, as youll see in the examples.</p><p>The rest of this guide examines each of the traffic management API resources
and what you can do with them. These resources are:</p><ul><li><a href=#virtual-services>Virtual services</a></li><li><a href=#destination-rules>Destination rules</a></li><li><a href=#gateways>Gateways</a></li><li><a href=#service-entries>Service entries</a></li><li><a href=#sidecars>Sidecars</a></li></ul><p>This guide also gives an overview of some of the
<a href=#network-resilience-and-testing>network resilience and testing features</a> that
are built in to the API resources.</p><h2 id=virtual-services>Virtual services</h2><p><a href=/v1.3/docs/reference/config/networking/v1alpha3/virtual-service/#VirtualService>Virtual services</a>,
along with <a href=#destination-rules>destination rules</a>, are the key building blocks of Istios traffic
routing functionality. A virtual service lets you configure how requests are
routed to a service within an Istio service mesh, building on the basic
connectivity and discovery provided by Istio and your platform. Each virtual
service consists of a set of routing rules that are evaluated in order, letting
Istio match each given request to the virtual service to a specific real
destination within the mesh. Your mesh can require multiple virtual services or
none depending on your use case.</p><h3 id=why-use-virtual-services>Why use virtual services?</h3><p>Virtual services play a key role in making Istios traffic management flexible
and powerful. They do this by strongly decoupling where clients send their
requests from the destination workloads that actually implement them. Virtual
services also provide a rich way of specifying different traffic routing rules
for sending traffic to those workloads.</p><p>Why is this so useful? Without virtual services, Envoy distributes
traffic using round-robin load balancing between all service instances, as
described in the introduction. You can improve this behavior with what you know
about the workloads. For example, some might represent a different version. This
can be useful in A/B testing, where you might want to configure traffic routes
based on percentages across different service versions, or to direct
traffic from your internal users to a particular set of instances.</p><p>With a virtual service, you can specify traffic behavior for one or more hostnames.
You use routing rules in the virtual service that tell Envoy how to send the
virtual services traffic to appropriate destinations. Route destinations can
be versions of the same service or entirely different services.</p><p>A typical use case is to send traffic to different versions of a service,
specified as service subsets. Clients send requests to the virtual service host as if
it was a single entity, and Envoy then routes the traffic to the different
versions depending on the virtual service rules: for example, &ldquo;20% of calls go to
the new version&rdquo; or &ldquo;calls from these users go to version 2&rdquo;. This allows you to,
for instance, create a canary rollout where you gradually increase the
percentage of traffic thats sent to a new service version. The traffic routing
is completely separate from the instance deployment, meaning that the number of
instances implementing the new service version can scale up and down based on
traffic load without referring to traffic routing at all. By contrast, container
orchestration platforms like Kubernetes only support traffic distribution based
on instance scaling, which quickly becomes complex. You can read more about how
virtual services help with canary deployments in <a href=/v1.3/blog/2017/0.1-canary/>Canary Deployments using Istio</a>.</p><p>Virtual services also let you:</p><ul><li>Address multiple application services through a single virtual service. If
your mesh uses Kubernetes, for example, you can configure a virtual service
to handle all services in a specific namespace. Mapping a single
virtual service to multiple &ldquo;real&rdquo; services is particularly useful in
facilitating turning a monolithic application into a composite service built
out of distinct microservices without requiring the consumers of the service
to adapt to the transition. Your routing rules can specify &ldquo;calls to these URIs of
<code>monolith.com</code> go to <code>microservice A</code>&rdquo;, and so on. You can see how this works
in <a href=#more-about-routing-rules>one of our examples below</a>.</li><li>Configure traffic rules in combination with
<a href=/v1.3/docs/concepts/traffic-management/#gateways>gateways</a> to control ingress
and egress traffic.</li></ul><p>In some cases you also need to configure destination rules to use these
features, as these are where you specify your service subsets. Specifying
service subsets and other destination-specific policies in a separate object
lets you reuse these cleanly between virtual services. You can find out more
about destination rules in the next section.</p><h3 id=virtual-service-example>Virtual service example</h3><p>The following virtual service routes
requests to different versions of a service depending on whether the request
comes from a particular user.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- match:
- headers:
end-user:
exact: jason
route:
- destination:
host: reviews
subset: v2
- route:
- destination:
host: reviews
subset: v3
</code></pre><h4 id=the-hosts-field>The hosts field</h4><p>The <code>hosts</code> field lists the virtual services hosts - in other words, the user-addressable
destination or destinations that these routing rules apply to. This is the
address or addresses the client uses when sending requests to the service.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>hosts:
- reviews
</code></pre><p>The virtual service hostname can be an IP address, a DNS name, or, depending on
the platform, a short name (such as a Kubernetes service short name) that resolves,
implicitly or explicitly, to a fully qualified domain name (FQDN). You can also
use wildcard (&rdquo;*&rdquo;) prefixes, letting you create a single set of routing rules for
all matching services. Virtual service hosts don&rsquo;t actually have to be part of the
Istio service registry, they are simply virtual destinations. This lets you model
traffic for virtual hosts that don&rsquo;t have routable entries inside the mesh.</p><h4 id=routing-rules>Routing rules</h4><p>The <code>http</code> section contains the virtual services routing rules, describing
match conditions and actions for routing HTTP/1.1, HTTP2, and gRPC traffic sent
to the destination(s) specified in the hosts field (you can also use <code>tcp</code> and
<code>tls</code> sections to configure routing rules for
<a href=/v1.3/docs/reference/config/networking/v1alpha3/virtual-service/#TCPRoute>TCP</a> and
unterminated
<a href=/v1.3/docs/reference/config/networking/v1alpha3/virtual-service/#TLSRoute>TLS</a>
traffic). A routing rule consists of the destination where you want the traffic
to go and zero or more match conditions, depending on your use case.</p><h5 id=match-condition>Match condition</h5><p>The first routing rule in the example has a condition and so begins with the
<code>match</code> field. In this case you want this routing to apply to all requests from
the user &ldquo;jason&rdquo;, so you use the <code>headers</code>, <code>end-user</code>, and <code>exact</code> fields to select
the appropriate requests.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>- match:
- headers:
end-user:
exact: jason
</code></pre><h5 id=destination>Destination</h5><p>The route sections <code>destination</code> field specifies the actual destination for
traffic that matches this condition. Unlike the virtual services host(s), the
destinations host must be a real destination that exists in Istios service
registry or Envoy wont know where to send traffic to it. This can be a mesh
service with proxies or a non-mesh service added using a service entry. In this
case were running on Kubernetes and the host name is a Kubernetes service name:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>route:
- destination:
host: reviews
subset: v2
</code></pre><p>Note in this and the other examples on this page, we use a Kubernetes short name for the
destination hosts for simplicity. When this rule is evaluated, Istio adds a domain suffix based
on the namespace of the virtual service that contains the routing rule to get
the fully qualified name for the host. Using short names in our examples
also means that you can copy and try them in any namespace you like.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.3/img/icons.svg#callout-warning"/></svg></div><div class=content>Using short names like this only works if the
destination hosts and the virtual service are actually in the same Kubernetes
namespace. Because using the Kubernetes short name can result in
misconfigurations, we recommend that you specify fully qualified host names in
production environments.</div></aside></div><p>The destination section also specifies which subset of this Kubernetes service
you want requests that match this rules conditions to go to, in this case the
subset named v2. Youll see how you define a service subset in the section on
<a href=#destination-rules>destination rules</a> below.</p><h4 id=routing-rule-precedence>Routing rule precedence</h4><p>Routing rules are <strong>evaluated in sequential order from top to bottom</strong>, with the
first rule in the virtual service definition being given highest priority. In
this case you want anything that doesn&rsquo;t match the first routing rule to go to a
default destination, specified in the second rule. Because of this, the second
rule has no match conditions and just directs traffic to the v3 subset.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>- route:
- destination:
host: reviews
subset: v3
</code></pre><p>We recommend providing a default &ldquo;no condition&rdquo; or weight-based rule (described
below) like this as the last rule in each virtual service to ensure that traffic
to the virtual service always has at least one matching route.</p><h3 id=more-about-routing-rules>More about routing rules</h3><p>As you saw above, routing rules are a powerful tool for routing particular
subsets of traffic to particular destinations. You can set match conditions on
traffic ports, header fields, URIs, and more. For example, this virtual service
lets users send traffic to two separate services, ratings and reviews, as if
they were part of a bigger virtual service at <code>http://bookinfo.com/.</code> The
virtual service rules match traffic based on request URIs and direct requests to
the appropriate service.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- bookinfo.com
http:
- match:
- uri:
prefix: /reviews
route:
- destination:
host: reviews
- match:
- uri:
prefix: /ratings
route:
- destination:
host: ratings
...
http:
- match:
sourceLabels:
app: reviews
route:
...
</code></pre><p>For some match conditions, you can also choose to select them using the exact
value, a prefix, or a regex.</p><p>You can add multiple match conditions to the same <code>match</code> block to AND your
conditions, or add multiple match blocks to the same rule to OR your conditions.
You can also have multiple routing rules for any given virtual service. This
lets you make your routing conditions as complex or simple as you like within a
single virtual service. A full list of match condition fields and their possible
values can be found in the
<a href=/v1.3/docs/reference/config/networking/v1alpha3/virtual-service/#HTTPMatchRequest><code>HTTPMatchRequest</code> reference</a>.</p><p>In addition to using match conditions, you can distribute traffic
by percentage &ldquo;weight&rdquo;. This is useful for A/B testing and canary rollouts:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v1
weight: 75
- destination:
host: reviews
subset: v2
weight: 25
</code></pre><p>You can also use routing rules to perform some actions on the traffic, for
example:</p><ul><li>Append or remove headers.</li><li>Rewrite the URL.</li><li>Set a <a href=#retries>retry policy</a> for calls to this destination.</li></ul><p>To learn more about the actions available, see the
<a href=/v1.3/docs/reference/config/networking/v1alpha3/virtual-service/#HTTPRoute><code>HTTPRoute</code> reference</a>.</p><h2 id=destination-rules>Destination rules</h2><p>Along with <a href=#virtual-services>virtual services</a>,
<a href=/v1.3/docs/reference/config/networking/v1alpha3/destination-rule/#DestinationRule>destination rules</a>
are a key part of Istios traffic routing functionality. You can think of
virtual services as how you route your traffic <strong>to</strong> a given destination, and
then you use destination rules to configure what happens to traffic <strong>for</strong> that
destination. Destination rules are applied after virtual service routing rules
are evaluated, so they apply to the traffics &ldquo;real&rdquo; destination.</p><p>In particular, you use destination rules to specify named service subsets, such
as grouping all a given services instances by version. You can then use these
service subsets in the routing rules of virtual services to control the
traffic to different instances of your services.</p><p>Destination rules also let you customize Envoys traffic policies when calling
the entire destination service or a particular service subset, such as your
preferred load balancing model, TLS security mode, or circuit breaker settings.
You can see a complete list of destination rule options in the
<a href=/v1.3/docs/reference/config/networking/v1alpha3/destination-rule/>Destination Rule reference</a>.</p><h3 id=load-balancing-options>Load balancing options</h3><p>By default, Istio uses a round-robin load balancing policy, where each service
instance in the instance pool gets a request in turn. Istio also supports the
following models, which you can specify in destination rules for requests to a
particular service or service subset.</p><ul><li>Random: Requests are forwarded at random to instances in the pool.</li><li>Weighted: Requests are forwarded to instances in the pool according to a
specific percentage.</li><li>Least requests: Requests are forwarded to instances with the least number of
requests.</li></ul><p>See the
<a href=https://www.envoyproxy.io/docs/envoy/v1.5.0/intro/arch_overview/load_balancing>Envoy load balancing documentation</a>
for more information about each option.</p><h3 id=destination-rule-example>Destination rule example</h3><p>The following example destination rule configures three different subsets for
the <code>my-svc</code> destination service, with different load balancing policies:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: my-destination-rule
spec:
host: my-svc
trafficPolicy:
loadBalancer:
simple: RANDOM
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
- name: v3
labels:
version: v3
</code></pre><p>Each subset is defined based on one or more <code>labels</code>, which in Kubernetes are
key/value pairs that are attached to objects such as Pods. These labels are
applied in the Kubernetes services deployment as <code>metadata</code> to identify
different versions.</p><p>As well as defining subsets, this destination rule has both a default traffic
policy for all subsets in this destination and a subset-specific policy that
overrides it for just that subset. The default policy, defined above the <code>subsets</code>
field, sets a simple random load balancer for the <code>v1</code> and <code>v3</code> subsets. In the
<code>v2</code> policy, a round-robin load balancer is specified in the corresponding
subsets field.</p><h2 id=gateways>Gateways</h2><p>You use a <a href=/v1.3/docs/reference/config/networking/v1alpha3/gateway/#Gateway>gateway</a> to
manage inbound and outbound traffic for your mesh, letting you specify which
traffic you want to enter or leave the mesh. Gateway configurations are applied
to standalone Envoy proxies that are running at the edge of the mesh, rather
than sidecar Envoy proxies running alongside your service workloads.</p><p>Unlike other mechanisms for controlling traffic entering your systems, such as
the Kubernetes Ingress APIs, Istio gateways let you use the full power and
flexibility of Istios traffic routing. You can do this because Istios Gateway
resource just lets you configure layer 4-6 load balancing properties such as
ports to expose, TLS settings, and so on. Then instead of adding
application-layer traffic routing (L7) to the same API resource, you bind a
regular Istio <a href=#virtual-services>virtual service</a> to the gateway. This lets you
basically manage gateway traffic like any other data plane traffic in an Istio
mesh.</p><p>Gateways are primarily used to manage ingress traffic, but you can also
configure egress gateways. An egress gateway lets you configure a dedicated exit
node for the traffic leaving the mesh, letting you limit which services can or
should access external networks, or to enable
<a href=/v1.3/blog/2019/egress-traffic-control-in-istio-part-1/>secure control of egress traffic</a>
to add security to your mesh, for example. You can also use a gateway to
configure a purely internal proxy.</p><p>Istio provides some preconfigured gateway proxy deployments
(<code>istio-ingressgateway</code> and <code>istio-egressgateway</code>) that you can use - both are
deployed if you use our <a href=/v1.3/docs/setup/install/kubernetes/>demo installation</a>,
while just the ingress gateway is deployed with our
<a href=/v1.3/docs/setup/additional-setup/config-profiles/>default or sds profiles.</a> You
can apply your own gateway configurations to these deployments or deploy and
configure your own gateway proxies.</p><h3 id=gateway-example>Gateway example</h3><p>The following example shows a possible gateway configuration for external HTTPS
ingress traffic:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: ext-host-gwy
spec:
selector:
app: my-gateway-controller
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- ext-host.example.com
tls:
mode: SIMPLE
serverCertificate: /tmp/tls.crt
privateKey: /tmp/tls.key
</code></pre><p>This gateway configuration lets HTTPS traffic from <code>ext-host.example.com</code> into the mesh on
port 443, but doesnt specify any routing for the traffic.</p><p>To specify routing and for the gateway to work as intended, you must also bind
the gateway to a virtual service. You do this using the virtual services
<code>gateways</code> field, as shown in the following example:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: virtual-svc
spec:
hosts:
- ext-host.example.com
gateways:
- ext-host-gwy
</code></pre><p>You can then configure the virtual service with routing rules for the external
traffic.</p><h2 id=service-entries>Service entries</h2><p>You use a
<a href=/v1.3/docs/reference/config/networking/v1alpha3/service-entry/#ServiceEntry>service entry</a> to add
an entry to the service registry that Istio maintains internally. After you add
the service entry, the Envoy proxies can send traffic to the service as if it
was a service in your mesh. Configuring service entries allows you to manage
traffic for services running outside of the mesh, including the following tasks:</p><ul><li>Redirect and forward traffic for external destinations, such as APIs
consumed from the web, or traffic to services in legacy infrastructure.</li><li>Define <a href=#retries>retry</a>, <a href=#timeouts>timeout</a>, and
<a href=#fault-injection>fault injection</a> policies for external destinations.</li><li>Add a service running in a Virtual Machine (VM) to the mesh to
<a href=/v1.3/docs/examples/mesh-expansion/single-network/#running-services-on-a-mesh-expansion-machine>expand your mesh</a>.</li><li>Logically add services from a different cluster to the mesh to configure a
<a href=/v1.3/docs/setup/install/multicluster/gateways/#configure-the-example-services>multicluster Istio mesh</a>
on Kubernetes.</li></ul><p>You dont need to add a service entry for every external service that you want
your mesh services to use. By default, Istio configures the Envoy proxies to
passthrough requests to unknown services. However, you cant use Istio features
to control the traffic to destinations that aren&rsquo;t registered in the mesh.</p><h3 id=service-entry-example>Service entry example</h3><p>The following example mesh-external service entry adds the <code>ext-resource</code>
external dependency to Istios service registry:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: svc-entry
spec:
hosts:
- ext-svc.example.com
ports:
- number: 443
name: https
protocol: HTTPS
location: MESH_EXTERNAL
resolution: DNS
</code></pre><p>You specify the external resource using the <code>hosts</code> field. You can qualify it
fully or use a wildcard prefixed domain name.</p><p>You can configure virtual services and destination rules to control traffic to a
service entry in a more granular way, in the same way you configure traffic for
any other service in the mesh. For example, the following destination rule
configures the traffic route to use mutual TLS to secure the connection to the
<code>ext-svc.example.com</code> external service that we configured using the service entry:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: ext-res-dr
spec:
host: ext-svc.example.com
trafficPolicy:
tls:
mode: MUTUAL
clientCertificate: /etc/certs/myclientcert.pem
privateKey: /etc/certs/client_private_key.pem
caCertificates: /etc/certs/rootcacerts.pem
</code></pre><p>See the
<a href=/v1.3/docs/reference/config/networking/v1alpha3/service-entry>Service Entry reference</a>
for more possible configuration options.</p><h2 id=sidecars>Sidecars</h2><p>By default, Istio configures every Envoy proxy to accept traffic on all the
ports of its associated workload, and to reach every workload in the mesh when
forwarding traffic. You can use a <a href=/v1.3/docs/reference/config/networking/v1alpha3/sidecar/#Sidecar>sidecar</a> configuration to do the following:</p><ul><li>Fine-tune the set of ports and protocols that an Envoy proxy accepts.</li><li>Limit the set of services that the Envoy proxy can reach.</li></ul><p>You might want to limit sidecar reachability like this in larger applications,
where having every proxy configured to reach every other service in the mesh can
potentially affect mesh performance due to high memory usage.</p><p>You can specify that you want a sidecar configuration to apply to all workloads
in a particular namespace, or choose specific workloads using a
<code>workloadSelector</code>. For example, the following sidecar configuration configures
all services in the <code>bookinfo</code> namespace to only reach services running in the
same namespace and the Istio control plane (currently needed to use Istios
policy and telemetry features):</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: bookinfo
spec:
egress:
- hosts:
- &#34;./*&#34;
- &#34;istio-system/*&#34;
</code></pre><p>See the <a href=/v1.3/docs/reference/config/networking/v1alpha3/sidecar/>Sidecar reference</a>
for more details.</p><h2 id=network-resilience-and-testing>Network resilience and testing</h2><p>As well as helping you direct traffic around your mesh, Istio provides opt-in
failure recovery and fault injection features that you can configure dynamically
at runtime. Using these features helps your applications operate reliably,
ensuring that the service mesh can tolerate failing nodes and preventing
localized failures from cascading to other nodes.</p><h3 id=timeouts>Timeouts</h3><p>A timeout is the amount of time that an Envoy proxy should wait for replies from
a given service, ensuring that services dont hang around waiting for replies
indefinitely and that calls succeed or fail within a predictable timeframe. The
default timeout for HTTP requests is 15 seconds, which means that if the service
doesnt respond within 15 seconds, the call fails.</p><p>For some applications and services, Istios default timeout might not be
appropriate. For example, a timeout that is too long could result in excessive
latency from waiting for replies from failing services, while a timeout that is
too short could result in calls failing unnecessarily while waiting for an
operation involving multiple services to return. To find and use your optimal timeout
settings, Istio lets you easily adjust timeouts dynamically on a per-service
basis using <a href=#virtual-services>virtual services</a> without having to edit your
service code. Heres a virtual service that specifies a 10 second timeout for
calls to the v1 subset of the ratings service:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- route:
- destination:
host: ratings
subset: v1
timeout: 10s
</code></pre><h3 id=retries>Retries</h3><p>A retry setting specifies the maximum number of times an Envoy proxy attempts to
connect to a service if the initial call fails. Retries can enhance service
availability and application performance by making sure that calls dont fail
permanently because of transient problems such as a temporarily overloaded
service or network. The interval between retries (25ms+) is variable and
determined automatically by Istio, preventing the called service from being
overwhelmed with requests. By default, the Envoy proxy doesnt attempt to
reconnect to services after a first failure.</p><p>Like timeouts, Istios default retry behavior might not suit your application
needs in terms of latency (too many retries to a failed service can slow things
down) or availability. Also like timeouts, you can adjust your retry settings on
a per-service basis in <a href=#virtual-services>virtual services</a> without having to
touch your service code. You can also further refine your retry behavior by
adding per-retry timeouts, specifying the amount of time you want to wait for
each retry attempt to successfully connect to the service. The following example
configures a maximum of 3 retries to connect to this service subset after an
initial call failure, each with a 2 second timeout.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- route:
- destination:
host: ratings
subset: v1
retries:
attempts: 3
perTryTimeout: 2s
</code></pre><h3 id=circuit-breakers>Circuit breakers</h3><p>Circuit breakers are another useful mechanism Istio provides for creating
resilient microservice-based applications. In a circuit breaker, you set limits
for calls to individual hosts within a service, such as the number of concurrent
connections or how many times calls to this host have failed. Once that limit
has been reached the circuit breaker &ldquo;trips&rdquo; and stops further connections to
that host. Using a circuit breaker pattern enables fast failure rather than
clients trying to connect to an overloaded or failing host.</p><p>As circuit breaking applies to &ldquo;real&rdquo; mesh destinations in a load balancing
pool, you configure circuit breaker thresholds in
<a href=#destination-rules>destination rules</a>, with the settings applying to each
individual host in the service. The following example limits the number of
concurrent connections for the <code>reviews</code> service workloads of the v1 subset to
100:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
subsets:
- name: v1
labels:
version: v1
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
</code></pre><p>You can find out more about creating circuit breakers in
<a href=/v1.3/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a>.</p><h3 id=fault-injection>Fault injection</h3><p>After youve configured your network, including failure recovery policies, you
can use Istios fault injection mechanisms to test the failure recovery capacity
of your application as a whole. Fault injection is a testing method that
introduces errors into a system to ensure that it can withstand and recover from
error conditions. Using fault injection can be particularly useful to ensure
that your failure recovery policies arent incompatible or too restrictive,
potentially resulting in critical services being unavailable.</p><p>Unlike other mechanisms for introducing errors such as delaying packets or
killing pods at the network layer, Istio lets you inject faults at the
application layer. This lets you inject more relevant failures, such as HTTP
error codes, to get more relevant results.</p><p>You can inject two types of faults, both configured using a
<a href=#virtual-services>virtual service</a>:</p><ul><li>Delays: Delays are timing failures. They mimic increased network latency or
an overloaded upstream service.</li><li>Aborts: Aborts are crash failures. They mimic failures in upstream services.
Aborts usually manifest in the form of HTTP error codes or TCP connection
failures.</li></ul><p>For example, this virtual service introduces a 5 second delay for 1 out of every 1000
requests to the <code>ratings</code> service.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- fault:
delay:
percentage:
value: 0.1
fixedDelay: 5s
route:
- destination:
host: ratings
subset: v1
</code></pre><p>For detailed instructions on how to configure delays and aborts, see
<a href=/v1.3/docs/tasks/traffic-management/fault-injection/>Fault Injection</a>.</p><h3 id=working-with-your-applications>Working with your applications</h3><p>Istio failure recovery features are completely transparent to the
application. Applications dont know if an Envoy sidecar proxy is handling
failures for a called service before returning a response. This means that
if you are also setting failure recovery policies in your application code
you need to keep in mind that both work independently, and therefore might
conflict. For example, suppose you can have two timeouts, one configured in
a virtual service and another in the application. The application sets a 2
second timeout for an API call to a service. However, you configured a 3
second timeout with 1 retry in your virtual service. In this case, the
applications timeout kicks in first, so your Envoy timeout and retry
attempt has no effect.</p><p>While Istio failure recovery features improve the reliability and
availability of services in the mesh, applications must handle the failure
or errors and take appropriate fallback actions. For example, when all
instances in a load balancing pool have failed, Envoy returns an <code>HTTP 503</code>
code. The application must implement any fallback logic needed to handle the
<code>HTTP 503</code> error code..</p><h2 id=architecture>Architecture</h2><p>Istio&rsquo;s traffic management model relies on the following two components:</p><ul><li><span class=term data-title=Pilot data-body='&lt;p&gt;The Istio component that programs the &lt;a href="#envoy"&gt;Envoy&lt;/a&gt; proxies, responsible for service discovery, load balancing, and routing.&lt;/p&gt;'>Pilot</span>, the core traffic management component.</li><li><span class=term data-title=Envoy data-body='&lt;p&gt;The high-performance proxy that Istio uses to mediate inbound and outbound traffic for all &lt;a href="#service"&gt;services&lt;/a&gt; in the
&lt;a href="#service-mesh"&gt;service mesh&lt;/a&gt;. &lt;a href="https://envoyproxy.github.io/envoy/"&gt;Learn more about Envoy&lt;/a&gt;.&lt;/p&gt;'>Envoy</span> proxies, which enforce configurations and
policies set through Pilot.</li></ul><p>These components enable the following Istio traffic management features:</p><ul><li>Service discovery</li><li>Load balancing</li><li>Traffic routing and control</li></ul><h3 id=pilot>Pilot: Core traffic management</h3><p>The following diagram shows the Pilot architecture:</p><figure style=width:40%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:81.71843049208707%><a data-skipendnotes=true href=/v1.3/docs/concepts/traffic-management/./pilot-arch.svg title="Pilot architecture"><img class=element-to-stretch src=/v1.3/docs/concepts/traffic-management/./pilot-arch.svg alt="Pilot architecture"></a></div><figcaption>Pilot architecture</figcaption></figure><p>As the diagram illustrates, Pilot maintains an <strong>abstract model</strong> of all the
services in the mesh. <strong>Platform-specific adapters</strong> in Pilot translate the
abstract model appropriately for your platform. For example, the Kubernetes
adapter implements controllers to watch the Kubernetes API server for changes to
pod registration information and service resources. The Kubernetes adapter
translates this data for the abstract model.</p><p>Pilot uses the abstract model to generate appropriate Envoy-specific
configurations to let Envoy proxies know about one another in the mesh through
the <a href=https://www.envoyproxy.io/docs/envoy/latest/api/api>Envoy API</a>.</p><p>You can use Istio&rsquo;s <a href=#introducing-istio-traffic-management>Traffic Management API</a> to instruct Pilot to refine the
Envoy configuration to exercise more granular control over the traffic in your
service mesh.</p><h3 id=envoy-proxies>Envoy proxies</h3><p>Traffic in Istio is categorized as data plane traffic and control plane traffic.
Data plane traffic refers to the messages that the business logic of the workloads
send and receive. Control plane traffic refers to configuration and control messages sent
between Istio components to program the behavior of the mesh. Traffic management
in Istio refers exclusively to data plane traffic.</p><p>Envoy proxies are the only Istio components that interact with data plane
traffic. Envoy proxies route the data plane traffic across the mesh and enforce
the configurations and traffic rules without the services having to be aware of
them. Envoy proxies mediate all inbound and outbound traffic for all services in
the mesh. Envoy proxies are deployed as sidecars to services, logically
augmenting the services with traffic management features:</p><ul><li>service discovery and load balancing</li><li>traffic routing and configuration</li><li>network resilience and testing</li></ul><p>Some of the features and tasks enabled by Envoy proxies include:</p><ul><li><p>Traffic control features: enforce fine-grained traffic control with rich
routing rules for HTTP, gRPC, WebSocket, and TCP traffic.</p></li><li><p>Network resiliency features: setup retries, failovers, circuit breakers, and
fault injection.</p></li><li><p>Security and authentication features: enforce security policies and enforce
access control and rate limiting defined through the configuration API.</p></li></ul><h4 id=discovery>Service discovery and load balancing</h4><p>Istio service discovery leverages the service discovery features provided by
platforms like Kubernetes for container-based applications. Service discovery
works in a similar way regardless of what platform you&rsquo;re using:</p><ol><li><p>The platform starts a new instance of a service which notifies its platform
adapter.</p></li><li><p>The platform adapter registers the instance with the Pilot abstract model.</p></li><li><p><strong>Pilot</strong> distributes traffic rules and configurations to the Envoy proxies
to account for the change.</p></li></ol><p>The following diagram shows how the platform adapters and Envoy proxies
interact.</p><figure style=width:40%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:66.80625964293587%><a data-skipendnotes=true href=/v1.3/docs/concepts/traffic-management/./discovery.svg title="Service discovery"><img class=element-to-stretch src=/v1.3/docs/concepts/traffic-management/./discovery.svg alt="Service discovery"></a></div><figcaption>Service discovery</figcaption></figure><p>Because the service discovery feature is platform-independent, a service mesh
can include services across multiple platforms.</p><p>Using the abstract model, Pilot configures the Envoy proxies to perform load
balancing for service requests, replacing any underlying platform-specific load
balancing feature. In the absence of more specific routing rules, Envoy will
distribute the traffic across the instances in the calling service&rsquo;s load
balancing pool, according to the Pilot abstract model and load balancer
configuration.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/proxy/>Istio as a Proxy for External Services</a></p><p class=desc>Configure Istio ingress gateway to act as a proxy for external services.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></p><p class=desc>Comparison of alternative solutions to control egress traffic including performance considerations.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></p><p class=desc>Use Istio Egress Traffic Control to prevent attacks involving egress traffic.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></p><p class=desc>Attacks involving egress traffic and requirements for egress traffic control.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></p><p class=desc>Configuring Istio route rules in a multicluster service mesh.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/data-plane-setup/>Demystifying Istio&#39;s Sidecar Injection Model</a></p><p class=desc>De-mystify how Istio manages to plugin its data-plane components into an existing deployment.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Introduces Istio, the problems it solves, its high-level architecture and design goals." href=/v1.3/docs/concepts/what-is-istio/><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#left-arrow"/></svg>What is Istio?</a></div><div class=right><a title="Describes Istio's authorization and authentication functionality." href=/v1.3/docs/concepts/security/>Policies and Security<svg class="icon"><use xlink:href="/v1.3/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Introducing Istio Traffic Management"><a href=#introducing-istio-traffic-management>Introducing Istio Traffic Management</a><li role=none aria-label="Virtual services"><a href=#virtual-services>Virtual services</a><ol><li role=none aria-label="Why use virtual services?"><a href=#why-use-virtual-services>Why use virtual services?</a><li role=none aria-label="Virtual service example"><a href=#virtual-service-example>Virtual service example</a><ol><li role=none aria-label="The hosts field"><a href=#the-hosts-field>The hosts field</a><li role=none aria-label="Routing rules"><a href=#routing-rules>Routing rules</a><ol><li role=none aria-label="Match condition"><a href=#match-condition>Match condition</a><li role=none aria-label=Destination><a href=#destination>Destination</a></ol></li><li role=none aria-label="Routing rule precedence"><a href=#routing-rule-precedence>Routing rule precedence</a></ol></li><li role=none aria-label="More about routing rules"><a href=#more-about-routing-rules>More about routing rules</a></ol></li><li role=none aria-label="Destination rules"><a href=#destination-rules>Destination rules</a><ol><li role=none aria-label="Load balancing options"><a href=#load-balancing-options>Load balancing options</a><li role=none aria-label="Destination rule example"><a href=#destination-rule-example>Destination rule example</a></ol></li><li role=none aria-label=Gateways><a href=#gateways>Gateways</a><ol><li role=none aria-label="Gateway example"><a href=#gateway-example>Gateway example</a></ol></li><li role=none aria-label="Service entries"><a href=#service-entries>Service entries</a><ol><li role=none aria-label="Service entry example"><a href=#service-entry-example>Service entry example</a></ol></li><li role=none aria-label=Sidecars><a href=#sidecars>Sidecars</a><li role=none aria-label="Network resilience and testing"><a href=#network-resilience-and-testing>Network resilience and testing</a><ol><li role=none aria-label=Timeouts><a href=#timeouts>Timeouts</a><li role=none aria-label=Retries><a href=#retries>Retries</a><li role=none aria-label="Circuit breakers"><a href=#circuit-breakers>Circuit breakers</a><li role=none aria-label="Fault injection"><a href=#fault-injection>Fault injection</a><li role=none aria-label="Working with your applications"><a href=#working-with-your-applications>Working with your applications</a></ol></li><li role=none aria-label=Architecture><a href=#architecture>Architecture</a><ol><li role=none aria-label="Pilot: Core traffic management"><a href=#pilot>Pilot: Core traffic management</a><li role=none aria-label="Envoy proxies"><a href=#envoy-proxies>Envoy proxies</a><ol><li role=none aria-label="Service discovery and load balancing"><a href=#discovery>Service discovery and load balancing</a></ol></li></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.3.5 now" href=/v1.3/docs/setup#downloading-the-release aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.3.5<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on November 14, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><script src=https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js defer></script><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink