istio.io/archive/v1.24/blog/2023/waypoint-proxy-made-simple/index.html


<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Istio Ambient Waypoint Proxy Made Simple"><meta name=description content="Introducing the new destination oriented waypoint proxy for simplicity and scalability."><meta name=author content="Lin Sun (Solo.io), John Howard (Google)"><meta name=keywords content="microservices,services,mesh,istio,ambient,waypoint"><meta property="og:title" content="Istio Ambient Waypoint Proxy Made Simple"><meta property="og:type" content="website"><meta property="og:description" content="Introducing the new destination oriented waypoint proxy for simplicity and scalability."><meta property="og:url" content="/v1.24/blog/2023/waypoint-proxy-made-simple/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.png"><meta property="og:image:alt" content="The Istio sailboat logo"><meta property="og:image:width" content="4096"><meta property="og:image:height" content="2048"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.24 / Istio Ambient Waypoint Proxy Made Simple</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-5XBWY4YJ1E"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","G-5XBWY4YJ1E")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.24/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.24/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.24/feed.xml><link rel="shortcut icon" href=/v1.24/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.24/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.24/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.24/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.24/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.24/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.24/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.24/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.24/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.24/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.24/favicons/favicon.svg><link rel=icon type=image/png href=/v1.24/favicons/favicon.png><link rel=mask-icon href=/v1.24/favicons/safari-pinned-tab.svg color=#466BB0><link rel=manifest href=/v1.24/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.24/css/style.min.38f1afbdf6f8efdb4fe991ff2a53ca1c801b5c4602dea2963da44df7ceaacfb8.css integrity="sha256-OPGvvfb479tP6ZH/KlPKHIAbXEYC3qKWPaRN986qz7g=" 
crossorigin=anonymous><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.24/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.24",docTitle="Istio Ambient Waypoint Proxy Made Simple",iconFile="/v1.24//img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.24/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.24/ aria-label=logotype><span class=logo><svg width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 
003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path 
d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span>
</a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation">
<svg class="icon menu-hamburger"><use xlink:href="/v1.24/img/icons.svg#menu-hamburger"/></svg>
</button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.24/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.24/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/training class=main-navigation-links-link>Training</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.24/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.24/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.24/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.24/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show 
title='Search this site' aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.24/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.24/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='Search this site' placeholder=Search>
<button id=search-close title='Cancel search' type=reset aria-label='Cancel search'><svg class="icon menu-close"><use xlink:href="/v1.24/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container><a href=https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/istio-day/ class=banner data-title="Istio Day Europe-2025-01-31 00:00:00 +0000 UTC" data-period-start=1738281600000 data-period-end=1743465600000 data-max-impressions data-timeout><div class=content><p>Join us for Istio Day Europe, a KubeCon + CloudNativeCon Europe Co-located Event. 01 April 2025, London, England. Register now!</p></div><div class=frame></div></a></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Istio Ambient Waypoint Proxy Made Simple</h1><p>Introducing the new destination oriented waypoint proxy for simplicity and scalability.</p></div><p class=post-author>Mar 31, 2023 <span>| </span>By Lin Sun - Solo.io, John Howard - Google</p><div><p>Ambient splits Istio&rsquo;s functionality into two distinct layers, a secure overlay layer and a
Layer 7 processing layer. The waypoint proxy is an optional component that is Envoy-based
and handles L7 processing for workloads it manages. Since the <a href=/v1.24/blog/2022/introducing-ambient-mesh/>initial ambient launch</a> in 2022,
we have made significant changes to simplify waypoint configuration, debuggability and scalability.</p><h2 id=architecture-of-waypoint-proxies>Architecture of waypoint proxies</h2><p>Similar to sidecar, the waypoint proxy is also Envoy-based and is dynamically configured by Istio
to serve your application&rsquo;s configuration. What is unique about the waypoint proxy is that it runs either
per-namespace (default) or per-service account. By running outside of the application pod, a waypoint proxy
can install, upgrade, and scale independently from the application, as well as reduce operational costs.</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:43.82191095547774%><a data-skipendnotes=true href=/v1.24/blog/2023/waypoint-proxy-made-simple/waypoint-architecture.png title="Waypoint architecture"><img class=element-to-stretch src=/v1.24/blog/2023/waypoint-proxy-made-simple/waypoint-architecture.png alt="Waypoint architecture"></a></div><figcaption>Waypoint architecture</figcaption></figure><p>Waypoint proxies are deployed declaratively using Kubernetes Gateway resources or the helpful <code>istioctl</code> command:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl experimental waypoint generate
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: namespace
spec:
gatewayClassName: istio-waypoint
listeners:
- name: mesh
port: 15008
protocol: HBONE</code></pre><p>Istiod will monitor these resources and deploy and manage the corresponding waypoint deployment for users automatically.</p><h2 id=shift-source-proxy-configuration-to-destination-proxy>Shift source proxy configuration to destination proxy</h2><p>In the existing sidecar architecture, most traffic-shaping (for example <a href=/v1.24/docs/tasks/traffic-management/request-routing/>request routing</a> or <a href=/v1.24/docs/tasks/traffic-management/traffic-shifting/>traffic shifting</a> or <a href=/v1.24/docs/tasks/traffic-management/fault-injection/>fault injection</a>) policies are implemented by the source (client) proxy while most security policies are implemented by the destination (server) proxy. This leads to a number of concerns:</p><ul><li>Scaling - each source sidecar needs to know information about every other destination in the mesh. This is a polynomial scaling problem. Worse, if any destination configuration changes, we need to notify all sidecars at once.</li><li>Debugging - because policy enforcement is split between the client and server sidecars, it can be hard to understand the behavior of the system when troubleshooting.</li><li>Mixed environments - if we have systems where not all clients are part of the mesh, we get inconsistent behavior. For example, a non-mesh client wouldn&rsquo;t respect a canary rollout policy, leading to unexpected traffic distribution.</li><li>Ownership and attribution - ideally a policy written in one namespace should only affect work done by proxies running in the same namespace. However, in this model, it is distributed and enforced by each sidecar. While Istio has designed around this constraint to make this secure, it is still not optimal.</li></ul><p>In ambient, all policies are enforced by the destination waypoint. In many ways, the waypoint acts as a gateway into the namespace (default scope) or service account. 
Istio enforces that all traffic coming into the namespace goes through the waypoint, which then enforces all policies for that namespace. Because of this, each waypoint only needs to know about configuration for its own namespace.</p><p>The scalability problem, in particular, is a nuisance for users running in large clusters. If we visualize it, we can see just how big an improvement the new architecture is.</p><p>Consider a simple deployment, where we have 2 namespaces, each with 2 (color coded) deployments. The Envoy (XDS) configuration required to program the sidecars is shown as circles:</p><figure style=width:70%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:100.94043887147335%><a data-skipendnotes=true href=/v1.24/blog/2023/waypoint-proxy-made-simple/sidecar-config.png title="Every sidecar has configuration about all other sidecars"><img class=element-to-stretch src=/v1.24/blog/2023/waypoint-proxy-made-simple/sidecar-config.png alt="Every sidecar has configuration about all other sidecars"></a></div><figcaption>Every sidecar has configuration about all other sidecars</figcaption></figure><p>In the sidecar model, we have 4 workloads, each with 4 sets of configuration. If any of those configurations changed, all of them would need to be updated. In total there are 16 configurations distributed.</p><p>In the waypoint architecture, however, the configuration is dramatically simplified:</p><figure style=width:70%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:60%><a data-skipendnotes=true href=/v1.24/blog/2023/waypoint-proxy-made-simple/waypoint-config.png title="Each waypoint only has configuration for its own namespace"><img class=element-to-stretch src=/v1.24/blog/2023/waypoint-proxy-made-simple/waypoint-config.png alt="Each waypoint only has configuration for its own namespace"></a></div><figcaption>Each waypoint only has configuration for its own namespace</figcaption></figure><p>Here, we see a very different story. 
We have only 2 waypoint proxies, as each one is able to serve the entire namespace, and each one only needs configuration for its own namespace. In total we have 25% of the amount of configuration sent, even for a simple example.</p><p>If we scale each namespace up to 25 deployments with 10 pods each and each waypoint deployment with 2 pods for high availability, the numbers are even more impressive - the waypoint config distribution requires just 0.8% of the configuration distribution of the sidecar, as the table below illustrates!</p><table><thead><tr><th>Config Distribution</th><th>Namespace 1</th><th>Namespace 2</th><th>Total</th></tr></thead><tbody><tr><td>Sidecars</td><td>25 configurations * 250 sidecars</td><td>25 configurations * 250 sidecars</td><td>12500</td></tr><tr><td>Waypoints</td><td>25 configurations * 2 waypoints</td><td>25 configurations * 2 waypoints</td><td>100</td></tr><tr><td>Waypoints / Sidecars</td><td>0.8%</td><td>0.8%</td><td>0.8%</td></tr></tbody></table><p>While we use namespace scoped waypoint proxies to illustrate the simplification above, the simplification is similar
when you apply it to service account waypoint proxies.</p><p>This reduced configuration means lower resource usage (CPU, RAM, and network bandwidth) for both the
control plane and data plane. While users today can see similar improvements with careful usage of
<code>exportTo</code> in their Istio networking resources or of the <a href=/v1.24/docs/reference/config/networking/sidecar/>Sidecar</a> API,
in ambient mode this is no longer required, making scaling a breeze.</p><h2 id=what-if-my-destination-doesnt-have-a-waypoint-proxy>What if my destination doesn&rsquo;t have a waypoint proxy?</h2><p>The design of ambient mode centers around the assumption that most configuration is best implemented by the service producer, rather than the service consumer. However, this isn&rsquo;t always the case - sometimes we need to configure traffic management for destinations we don&rsquo;t control. A common example of this would be connecting to an external service with improved resilience to handle occasional connection issues (e.g., to add a timeout for calls to <code>example.com</code>).</p><p>This is an area under active development in the community, where we design how traffic can be routed to your egress gateway and how you can configure the egress gateway with your desired policies. Look out for future blog posts in this area!</p><h2 id=a-deep-dive-of-waypoint-configuration>A deep-dive of waypoint configuration</h2><p>Assuming you have followed the <a href=/v1.24/docs/ambient/getting-started/>ambient get started guide</a> up to and including the <a href=/v1.24/docs/ambient/getting-started/#control>control traffic section</a>, you have deployed a waypoint proxy for the bookinfo-reviews service account to direct 90% of traffic to reviews v1 and 10% of traffic to reviews v2.</p><p>Use <code>istioctl</code> to retrieve the listeners for the <code>reviews</code> waypoint proxy:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl proxy-config listener deploy/bookinfo-reviews-istio-waypoint --waypoint
LISTENER CHAIN MATCH DESTINATION
envoy://connect_originate ALL Cluster: connect_originate
envoy://main_internal inbound-vip|9080||reviews.default.svc.cluster.local-http ip=10.96.104.108 -&gt; port=9080 Inline Route: /*
envoy://main_internal direct-tcp ip=10.244.2.14 -&gt; ANY Cluster: encap
envoy://main_internal direct-tcp ip=10.244.1.6 -&gt; ANY Cluster: encap
envoy://main_internal direct-tcp ip=10.244.2.11 -&gt; ANY Cluster: encap
envoy://main_internal direct-http ip=10.244.2.11 -&gt; application-protocol=&#39;h2c&#39; Cluster: encap
envoy://main_internal direct-http ip=10.244.2.11 -&gt; application-protocol=&#39;http/1.1&#39; Cluster: encap
envoy://main_internal direct-http ip=10.244.2.14 -&gt; application-protocol=&#39;http/1.1&#39; Cluster: encap
envoy://main_internal direct-http ip=10.244.2.14 -&gt; application-protocol=&#39;h2c&#39; Cluster: encap
envoy://main_internal direct-http ip=10.244.1.6 -&gt; application-protocol=&#39;h2c&#39; Cluster: encap
envoy://main_internal direct-http ip=10.244.1.6 -&gt; application-protocol=&#39;http/1.1&#39; Cluster: encap
envoy://connect_terminate default ALL Inline Route:</code></pre><p>For requests arriving on port <code>15008</code>, which by default is Istio&rsquo;s inbound <span class=term data-title=HBONE data-body='<p>HBONE (or HTTP-Based Overlay Network Environment) is a secure tunneling protocol used between Istio components.
<a href="/docs/ambient/architecture/hbone/">Learn more about HBONE</a>.</p>
'>HBONE</span> port, the waypoint proxy terminates the HBONE connection and forwards the request to the <code>main_internal</code> listener to enforce any workload policies such as AuthorizationPolicy. If you are not familiar with <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/other_features/internal_listener>internal listeners</a>, they are Envoy listeners that accept user space connections without using the system network API. The <code>--waypoint</code> flag added to the <code>istioctl proxy-config</code> command, above, instructs it to show the details of the <code>main_internal</code> listener, its filter chains, chain matches, and destinations.</p><p>Note <code>10.96.104.108</code> is the reviews&rsquo; service VIP and <code>10.244.x.x</code> are the reviews&rsquo; v1/v2/v3 pod IPs, which you can view for your cluster using the <code>kubectl get svc,pod -o wide</code> command. For plain text or HBONE terminated inbound traffic, it will be matched on the service VIP and port 9080 for reviews or by pod IP address and application protocol (either <code>ANY</code>, <code>h2c</code>, or <code>http/1.1</code>).</p><p>Checking out the clusters for the <code>reviews</code> waypoint proxy, you get the <code>main_internal</code> cluster along with a few inbound clusters. Other than the clusters for infrastructure, the only Envoy clusters created are for services and pods running in the same service account. No clusters are created for services or pods running elsewhere.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl proxy-config clusters deploy/bookinfo-reviews-istio-waypoint
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
agent - - - STATIC
connect_originate - - - ORIGINAL_DST
encap - - - STATIC
kubernetes.default.svc.cluster.local 443 tcp inbound-vip EDS
main_internal - - - STATIC
prometheus_stats - - - STATIC
reviews.default.svc.cluster.local 9080 http inbound-vip EDS
reviews.default.svc.cluster.local 9080 http/v1 inbound-vip EDS
reviews.default.svc.cluster.local 9080 http/v2 inbound-vip EDS
reviews.default.svc.cluster.local 9080 http/v3 inbound-vip EDS
sds-grpc - - - STATIC
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS</code></pre><p>Note that there are no <code>outbound</code> clusters in the list, which you can confirm using <code>istioctl proxy-config cluster deploy/bookinfo-reviews-istio-waypoint --direction outbound</code>! What&rsquo;s nice is that you didn&rsquo;t need to configure <code>exportTo</code> on any other bookinfo services (for example, the <code>productpage</code> or <code>ratings</code> services). In other words, the <code>reviews</code> waypoint is not made aware of any unnecessary clusters, without any extra manual configuration from you.</p><p>Display the list of routes for the <code>reviews</code> waypoint proxy:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl proxy-config routes deploy/bookinfo-reviews-istio-waypoint
NAME DOMAINS MATCH VIRTUAL SERVICE
encap * /*
inbound-vip|9080|http|reviews.default.svc.cluster.local * /* reviews.default
default</code></pre><p>Recall that you didn&rsquo;t configure any Sidecar resources or <code>exportTo</code> configuration on your Istio networking resources. You did, however, deploy the <code>bookinfo-productpage</code> route to configure an ingress gateway to route to <code>productpage</code> but the <code>reviews</code> waypoint has not been made aware of any such irrelevant routes.</p><p>Displaying the detailed information for the <code>inbound-vip|9080|http|reviews.default.svc.cluster.local</code> route, you&rsquo;ll see the weight-based routing configuration directing 90% of the traffic to <code>reviews</code> v1 and 10% of the traffic to <code>reviews</code> v2, along with some of Istio&rsquo;s default retry and timeout configurations. This confirms the traffic and resiliency policies are shifted from the source to the destination-oriented waypoint as discussed earlier.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl proxy-config routes deploy/bookinfo-reviews-istio-waypoint --name &#34;inbound-vip|9080|http|reviews.default.svc.cluster.local&#34; -o yaml
- name: inbound-vip|9080|http|reviews.default.svc.cluster.local
validateClusters: false
virtualHosts:
- domains:
- &#39;*&#39;
name: inbound|http|9080
routes:
- decorator:
operation: reviews:9080/*
match:
prefix: /
metadata:
filterMetadata:
istio:
config: /apis/networking.istio.io/v1alpha3/namespaces/default/virtual-service/reviews
route:
maxGrpcTimeout: 0s
retryPolicy:
hostSelectionRetryMaxAttempts: &#34;5&#34;
numRetries: 2
retriableStatusCodes:
- 503
retryHostPredicate:
- name: envoy.retry_host_predicates.previous_hosts
typedConfig:
&#39;@type&#39;: type.googleapis.com/envoy.extensions.retry.host.previous_hosts.v3.PreviousHostsPredicate
retryOn: connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes
timeout: 0s
weightedClusters:
clusters:
- name: inbound-vip|9080|http/v1|reviews.default.svc.cluster.local
weight: 90
- name: inbound-vip|9080|http/v2|reviews.default.svc.cluster.local
weight: 10</code></pre><p>Check out the endpoints for <code>reviews</code> waypoint proxy:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl proxy-config endpoints deploy/bookinfo-reviews-istio-waypoint
ENDPOINT STATUS OUTLIER CHECK CLUSTER
127.0.0.1:15000 HEALTHY OK prometheus_stats
127.0.0.1:15020 HEALTHY OK agent
envoy://connect_originate/ HEALTHY OK encap
envoy://connect_originate/10.244.1.6:9080 HEALTHY OK inbound-vip|9080|http/v2|reviews.default.svc.cluster.local
envoy://connect_originate/10.244.1.6:9080 HEALTHY OK inbound-vip|9080|http|reviews.default.svc.cluster.local
envoy://connect_originate/10.244.2.11:9080 HEALTHY OK inbound-vip|9080|http/v1|reviews.default.svc.cluster.local
envoy://connect_originate/10.244.2.11:9080 HEALTHY OK inbound-vip|9080|http|reviews.default.svc.cluster.local
envoy://connect_originate/10.244.2.14:9080 HEALTHY OK inbound-vip|9080|http/v3|reviews.default.svc.cluster.local
envoy://connect_originate/10.244.2.14:9080 HEALTHY OK inbound-vip|9080|http|reviews.default.svc.cluster.local
envoy://main_internal/ HEALTHY OK main_internal
unix://./etc/istio/proxy/XDS HEALTHY OK xds-grpc
unix://./var/run/secrets/workload-spiffe-uds/socket HEALTHY OK sds-grpc</code></pre><p>Note that you don&rsquo;t get any endpoints related to any services other than reviews, even though you have a few other services in the <code>default</code> and <code>istio-system</code> namespaces.</p><h2 id=wrapping-up>Wrapping up</h2><p>We are very excited about the waypoint simplification focusing on destination-oriented waypoint proxies. This is another significant step towards simplifying Istio&rsquo;s usability, scalability and debuggability, which are top priorities on Istio&rsquo;s roadmap. Follow our <a href=/v1.24/docs/ambient/getting-started/>getting started guide</a> to try the ambient alpha build today and experience the simplified waypoint proxy!</p></div><div class=share-social><div class=heading>Share this post</div><div class=share-buttons><a href="https://www.linkedin.com/shareArticle?mini=true&url=%2fv1.24%2fblog%2f2023%2fwaypoint-proxy-made-simple%2f" target=_blank><img class=share-icon src=/v1.24/img/social/linkedin.svg alt="Share to LinkedIn">
</a><a href="https://twitter.com/intent/tweet?text=Istio%20Ambient%20Waypoint%20Proxy%20Made%20Simple&url=%2fv1.24%2fblog%2f2023%2fwaypoint-proxy-made-simple%2f" target=_blank><img class=share-icon src=/v1.24/img/social/twitterx.svg alt="Share to X">
</a><a href="https://www.facebook.com/sharer/sharer.php?u=%2fv1.24%2fblog%2f2023%2fwaypoint-proxy-made-simple%2f" target=_blank><img class=share-icon src=/v1.24/img/social/facebook.svg alt="Share to Facebook"></a></div></div><nav class=pagenav><div class=left><a title="Security from Layer 3 to Layer 7 with Istio and more." href=/v1.24/blog/2023/network-security-splunk/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.24/img/icons.svg#left-arrow"/></svg>Comprehensive Network Security at Splunk</a></div><div class=right><a title="An alternative approach to redirecting application pod traffic to the per-node ztunnel." href=/v1.24/blog/2023/ambient-ebpf-redirection/ class=next-link>Using eBPF for traffic redirection in Istio ambient mode<svg class="icon right-arrow"><use xlink:href="/v1.24/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='GitHub is where development takes place on Istio code' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.24/img/icons.svg#github"/></svg>
</a><!-- Community channel links: each anchor takes its accessible name from aria-label, the title attribute is only a tooltip, and the icon is a sprite referenced from /v1.24/img/icons.svg. These links open in the same tab (no target attribute). --><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.24/img/icons.svg#drive"/></svg>
</a><a class=channel title='Interactively discuss issues with the Istio community on Slack' href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.24/img/icons.svg#slack"/></svg>
</a><a class=channel title='Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio' href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.24/img/icons.svg#stackoverflow"/></svg>
</a><a class=channel title='Follow us on LinkedIn to get the latest news' href=https://www.linkedin.com/company/istio/ aria-label=LinkedIn><svg class="icon linkedin"><use xlink:href="/v1.24/img/icons.svg#linkedin"/></svg>
</a><a class=channel title='Follow us on Twitter to get the latest news' href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.24/img/icons.svg#twitter"/></svg>
</a><a class=channel title='Follow us on Bluesky to get the latest news' href=https://bsky.app/profile/istio.io aria-label=Bluesky><svg class="icon bluesky"><use xlink:href="/v1.24/img/icons.svg#bluesky"/></svg>
</a><a class=channel title='Follow us on Mastodon to get the latest news' href=https://mastodon.social/@istio aria-label=Mastodon rel=me><svg class="icon mastodon"><use xlink:href="/v1.24/img/icons.svg#mastodon"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><!-- Inline SVG logotype linking to the archive root /v1.24/ --><a class=logo href=/v1.24/ aria-label=logotype><svg width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 
32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><!-- Language switcher: these anchors carry no href and tabindex=-1, so presumably a script bound to the switch-lang-* ids performs the switch (not visible here) --><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use 
xlink:href="/v1.24/img/icons.svg#tick"/></svg>
English
</a><a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文
</a><a tabindex=-1 lang=uk id=switch-lang-uk class=footer-languages-item>Українська</a></div></div><!-- Linux Foundation policy links, followed by a link to edit this page's Markdown source on GitHub --><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>Terms and Conditions
</a>|
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>Privacy policy
</a>|
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/trademark-usage>Trademarks
</a>|
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.24/content/en/blog/2023/waypoint-proxy-made-simple/index.md>Edit this Page on GitHub</a></li></ul><!-- Copyright notice and the archived documentation version shown to the reader --><div class=footer-base><span class=footer-base-copyright>&copy; 2024 the Istio Authors.</span>
<span class=footer-base-version>Version
Archive
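1.24.3</span><!-- Release switcher. NOTE(review): the first two entries have no href and navigate only through inline onclick handlers that call navigateToUrlOrRoot (defined outside this view); inline handlers are blocked by a Content-Security-Policy unless the policy permits inline script. --><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2023/waypoint-proxy-made-simple/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2023/waypoint-proxy-made-simple/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><!-- Third-party script from a public CDN, pinned to version 1.14.7. crossorigin=anonymous fetches it without credentials and referrerpolicy=no-referrer keeps this page's URL from the CDN. NOTE(review): no Subresource Integrity hash is set here although the site stylesheet has one; add integrity="sha384-<PLACEHOLDER: digest of a verified copy of this exact file>" or serve the file from this site. --><script src=https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js crossorigin=anonymous referrerpolicy=no-referrer defer></script><!-- Scroll-to-top control: hidden from assistive technology and kept out of the tab order; type=button states that it is a plain in-page action --><div id=scroll-to-top-container aria-hidden=true><button type=button id=scroll-to-top title='Back to top' tabindex=-1><svg class="icon top"><use xlink:href="/v1.24/img/icons.svg#top"/></svg></button></div></body></html>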