istio.io/archive/v1.8/docs/reference/config/networking/virtual-service/index.html

1103 lines
145 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Virtual Service"><meta name=description content="Configuration affecting label/content routing, sni routing, etc."><meta name=keywords content="microservices,services,mesh"><meta property="og:title" content="Virtual Service"><meta property="og:type" content="website"><meta property="og:description" content="Configuration affecting label/content routing, sni routing, etc."><meta property="og:url" content="/v1.8/docs/reference/config/networking/virtual-service/"><meta property="og:image" content="/v1.8/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.8 / Virtual Service</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.8/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.8/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.8/feed.xml><link rel="shortcut icon" href=/v1.8/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.8/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.8/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.8/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.8/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.8/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.8/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.8/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.8/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.8/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.8/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.8/css/all.css><script src=/v1.8/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.8";const docTitle="Virtual Service";const iconFile="\/v1.8/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.8/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.8/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><polygon points="65 240 225 240 125 270"/><polygon points="65 230 125 220 125 110"/><polygon points="135 220 225 230 135 30"/></svg></span><span class=name>Istioldie 1.8</span></a><div id=hamburger><svg class="icon hamburger"><use xlink:href="/v1.8/img/icons.svg#hamburger"/></svg></div><div id=header-links><a class=current title="Learn how to deploy, use, and operate Istio." href=/v1.8/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.8/blog/2020/>Blog<i class=dot data-prefix=/blog></i></a>
<a title="Timely news about the Istio project." href=/v1.8/news/>News<i class=dot data-prefix=/news></i></a>
<a title="Frequently Asked Questions about Istio." href=/v1.8/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.8/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon gear"><use xlink:href="/v1.8/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/reference\/config\/networking\/virtual-service\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/reference\/config\/networking\/virtual-service\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.8/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.8/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon cancel-x"><use xlink:href="/v1.8/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card17 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card17-body><svg class="icon concepts"><use xlink:href="/v1.8/img/icons.svg#concepts"/></svg>Concepts</button><div class=body aria-labelledby=card17 role=region id=card17-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card17><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture, and its design goals." href=/v1.8/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.8/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.8/docs/concepts/security/>Security</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.8/docs/concepts/observability/>Observability</a></li><li role=none><a role=treeitem title="Describes Istio's WebAssembly Plugin system." href=/v1.8/docs/concepts/wasm/>Extensibility</a></li></ul></div></div><div class=card><button class="header dynamic" id=card40 title="Instructions for installing the Istio control plane on Kubernetes." aria-controls=card40-body><svg class="icon setup"><use xlink:href="/v1.8/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card40 role=region id=card40-body><ul role=tree aria-expanded=true aria-labelledby=card40><li role=none><a role=treeitem title="Try Istios features quickly and easily." href=/v1.8/docs/setup/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.8/docs/setup/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.8/docs/setup/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.8/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker Desktop for Istio." href=/v1.8/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.8/docs/setup/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.8/docs/setup/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup kind for Istio." href=/v1.8/docs/setup/platform-setup/kind/>kind</a></li><li role=none><a role=treeitem title="Instructions to setup Kops for use with Istio." href=/v1.8/docs/setup/platform-setup/kops/>Kops</a></li><li role=none><a role=treeitem title="Instructions to setup a Gardener cluster for Istio." href=/v1.8/docs/setup/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to setup a KubeSphere Container Platform for Istio." href=/v1.8/docs/setup/platform-setup/kubesphere/>KubeSphere Container Platform</a></li><li role=none><a role=treeitem title="Instructions to setup MicroK8s for use with Istio." href=/v1.8/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="Instructions to setup minikube for Istio." href=/v1.8/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.8/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.8/docs/setup/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the guide that best suits your needs and platform." href=/v1.8/docs/setup/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Install and customize any Istio configuration profile for in-depth evaluation or production use." href=/v1.8/docs/setup/install/istioctl/>Install with Istioctl</a></li><li role=none><a role=treeitem title="Instructions to install Istio in a Kubernetes cluster using the Istio operator." href=/v1.8/docs/setup/install/operator/>Istio Operator Install</a></li><li role=none><a role=treeitem title="Install and configure Istio for in-depth evaluation." href=/v1.8/docs/setup/install/helm/>Install with Helm</a></li><li role=treeitem aria-label="Install Multicluster"><button aria-hidden=true></button><a title="Install an Istio mesh across multiple Kubernetes clusters." href=/v1.8/docs/setup/install/multicluster/>Install Multicluster</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Initial steps before installing Istio on multiple clusters." href=/v1.8/docs/setup/install/multicluster/before-you-begin/>Before you begin</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple primary clusters." href=/v1.8/docs/setup/install/multicluster/multi-primary/>Install Multi-Primary</a></li><li role=none><a role=treeitem title="Install an Istio mesh across primary and remote clusters." href=/v1.8/docs/setup/install/multicluster/primary-remote/>Install Primary-Remote</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple primary clusters on different networks." href=/v1.8/docs/setup/install/multicluster/multi-primary_multi-network/>Install Multi-Primary on different networks</a></li><li role=none><a role=treeitem title="Install an Istio mesh across primary and remote clusters on different networks." href=/v1.8/docs/setup/install/multicluster/primary-remote_multi-network/>Install Primary-Remote on different networks</a></li><li role=none><a role=treeitem title="Verify that Istio has been installed properly on multiple clusters." href=/v1.8/docs/setup/install/multicluster/verify/>Verify the installation</a></li></ul></li><li role=none><a role=treeitem title="Deploy Istio and connect a workload running within a virtual machine to it." href=/v1.8/docs/setup/install/virtual-machine/>Virtual Machine Installation</a></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Upgrade, downgrade, and manage Istio accross multiple control plane revisions." href=/v1.8/docs/setup/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Upgrade Istio by first running a canary deployment of a new control plane." href=/v1.8/docs/setup/upgrade/canary/>Canary Upgrades</a></li><li role=none><a role=treeitem title="Upgrade or downgrade Istio in place." href=/v1.8/docs/setup/upgrade/in-place/>In-place Upgrades</a></li><li role=none><a role=treeitem title="Configuring and upgrading Istio with gateways." href=/v1.8/docs/setup/upgrade/gateways/>Managing Gateways with Multiple Revisions [experimental]</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.8/docs/setup/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.8/docs/setup/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.8/docs/setup/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.8/docs/setup/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li><li role=none><a role=treeitem title="Install an external control plane and remote cluster." href=/v1.8/docs/setup/additional-setup/external-controlplane/>Install Istio with an External Control Plane</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card73 title="How to do single specific targeted activities with the Istio system." aria-controls=card73-body><svg class="icon tasks"><use xlink:href="/v1.8/img/icons.svg#tasks"/></svg>Tasks</button><div class=body aria-labelledby=card73 role=region id=card73-body><ul role=tree aria-expanded=true aria-labelledby=card73><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.8/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.8/docs/tasks/traffic-management/request-routing/>Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.8/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.8/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.8/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.8/docs/tasks/traffic-management/request-timeouts/>Request Timeouts</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.8/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.8/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li role=treeitem aria-label=Ingress><button aria-hidden=true></button><a title="Controlling ingress traffic for an Istio service mesh." href=/v1.8/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure an Istio gateway to expose a service outside of the service mesh." href=/v1.8/docs/tasks/traffic-management/ingress/ingress-control/>Ingress Gateways</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS." href=/v1.8/docs/tasks/traffic-management/ingress/secure-ingress/>Secure Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.8/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Describes how to configure a Kubernetes Ingress object to expose a service outside of the service mesh." href=/v1.8/docs/tasks/traffic-management/ingress/kubernetes-ingress/>Kubernetes Ingress</a></li><li role=none><a role=treeitem title="Describes how to configure the Kubernetes Service APIs with Istio." href=/v1.8/docs/tasks/traffic-management/ingress/service-apis/>Kubernetes Service APIs [Experimental]</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true></button><a title="Controlling egress traffic for an Istio service mesh." href=/v1.8/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.8/docs/tasks/traffic-management/egress/egress-control/>Accessing External Services</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.8/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services using Secret Discovery Service." href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/>Egress Gateways with TLS Origination (SDS)</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services using file mount certificates." href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateways with TLS Origination (File Mount)</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.8/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Egress using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Shows how to configure Istio for Kubernetes External Services." href=/v1.8/docs/tasks/traffic-management/egress/egress-kubernetes-services/>Kubernetes Services for Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.8/docs/tasks/traffic-management/egress/http-proxy/>Using an External HTTPS Proxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.8/docs/tasks/security/>Security</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Certificate Management"><button aria-hidden=true></button><a title="Management of the certificates in Istio." href=/v1.8/docs/tasks/security/cert-management/>Certificate Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how system administrators can configure Istio's CA with a root certificate, signing certificate and key." href=/v1.8/docs/tasks/security/cert-management/plugin-ca-cert/>Plug in CA Certificates</a></li><li role=none><a role=treeitem title="Shows how to provision and manage DNS certificates in Istio." href=/v1.8/docs/tasks/security/cert-management/dns-cert/>Istio DNS Certificate Management</a></li><li role=none><a role=treeitem title="Shows how to use a Custom Certificate Authority (that integrates with the Kubernetes CSR API) to provision Istio workload certificates." href=/v1.8/docs/tasks/security/cert-management/custom-ca-k8s/>Custom CA Integration using Kubernetes CSR [experimental]</a></li></ul></li><li role=treeitem aria-label=Authentication><button aria-hidden=true></button><a title="Controlling mutual TLS and end-user authentication for mesh services." href=/v1.8/docs/tasks/security/authentication/>Authentication</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.8/docs/tasks/security/authentication/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.8/docs/tasks/security/authentication/mtls-migration/>Mutual TLS Migration</a></li></ul></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Shows how to control access to Istio services." href=/v1.8/docs/tasks/security/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how to set up access control for HTTP traffic." href=/v1.8/docs/tasks/security/authorization/authz-http/>Authorization for HTTP traffic</a></li><li role=none><a role=treeitem title="How to set up access control for TCP traffic." href=/v1.8/docs/tasks/security/authorization/authz-tcp/>Authorization for TCP traffic</a></li><li role=none><a role=treeitem title="How to set up access control with JWT in Istio." href=/v1.8/docs/tasks/security/authorization/authz-jwt/>Authorization with JWT</a></li><li role=none><a role=treeitem title="Shows how to set up access control to deny traffic explicitly." href=/v1.8/docs/tasks/security/authorization/authz-deny/>Authorization policies with a deny action</a></li><li role=none><a role=treeitem title="How to set up access control on an ingress gateway." href=/v1.8/docs/tasks/security/authorization/authz-ingress/>Authorization on Ingress Gateway</a></li><li role=none><a role=treeitem title="Shows how to migrate from one trust domain to another without changing authorization policy." href=/v1.8/docs/tasks/security/authorization/authz-td-migration/>Authorization Policy Trust Domain Migration</a></li></ul></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.8/docs/tasks/observability/>Observability</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the collection and querying of metrics within Istio." href=/v1.8/docs/tasks/observability/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.8/docs/tasks/observability/metrics/tcp-metrics/>Collecting Metrics for TCP Services</a></li><li role=none><a role=treeitem title="This task shows you how to customize the Istio metrics." href=/v1.8/docs/tasks/observability/metrics/customize-metrics/>Customizing Istio Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to improve telemetry by grouping requests and responses by their type." href=/v1.8/docs/tasks/observability/metrics/classify-metrics/>Classifying Metrics Based on Request or Response (Experimental)</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.8/docs/tasks/observability/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.8/docs/tasks/observability/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the collection of logs within Istio." href=/v1.8/docs/tasks/observability/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access logs to their standard output." href=/v1.8/docs/tasks/observability/logs/access-log/>Getting Envoy's Access Logs</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.8/docs/tasks/observability/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.8/docs/tasks/observability/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.8/docs/tasks/observability/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.8/docs/tasks/observability/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to Lightstep." href=/v1.8/docs/tasks/observability/distributed-tracing/lightstep/>Lightstep</a></li><li role=none><a role=treeitem title="How to configure tracing options (beta/development)." href=/v1.8/docs/tasks/observability/distributed-tracing/configurability/>Configurability (Beta/Development)</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.8/docs/tasks/observability/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.8/docs/tasks/observability/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card94 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card94-body><svg class="icon examples"><use xlink:href="/v1.8/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card94 role=region id=card94-body><ul role=tree aria-expanded=true aria-labelledby=card94><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.8/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=treeitem aria-label="Virtual Machines"><button aria-hidden=true></button><a title="Examples that add workloads running on virtual machines to an Istio mesh." href=/v1.8/docs/examples/virtual-machines/>Virtual Machines</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Learn how to add a service running on a virtual machine to your single-network Istio mesh." href=/v1.8/docs/examples/virtual-machines/single-network/>Example Application using Virtual Machines in a Single Network Mesh</a></li><li role=none><a role=treeitem title="Learn how to add a service running on a virtual machine to your multi-network Istio mesh." href=/v1.8/docs/examples/virtual-machines/multi-network/>Virtual Machines in Multi-Network Meshes</a></li><li role=none><a role=treeitem title="Run the Bookinfo application with a MySQL service running on a virtual machine within your mesh." href=/v1.8/docs/examples/virtual-machines/bookinfo/>Bookinfo with a Virtual Machine</a></li></ul></li><li role=treeitem aria-label="Learn Microservices using Kubernetes and Istio"><button aria-hidden=true></button><a title="This modular tutorial provides new users with hands-on experience using Istio for common microservices scenarios, one step at a time." href=/v1.8/docs/examples/microservices-istio/>Learn Microservices using Kubernetes and Istio</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/prereq/>Prerequisites</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/setup-kubernetes-cluster/>Setup a Kubernetes Cluster</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/setup-local-computer/>Setup a Local Computer</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/single/>Run a Microservice Locally</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/package-service/>Run ratings in Docker</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/bookinfo-kubernetes/>Run Bookinfo with Kubernetes</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/production-testing/>Test in production</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/add-new-microservice-version/>Add a new version of reviews</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/add-istio/>Enable Istio on productpage</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/enable-istio-all-microservices/>Enable Istio on all the microservices</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/istio-ingress-gateway/>Configure Istio Ingress Gateway</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/logs-istio/>Monitoring with Istio</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card118 title="Concepts, tools, and techniques to deploy and manage an Istio mesh." aria-controls=card118-body><svg class="icon guide"><use xlink:href="/v1.8/img/icons.svg#guide"/></svg>Operations</button><div class=body aria-labelledby=card118 role=region id=card118-body><ul role=tree aria-expanded=true aria-labelledby=card118><li role=treeitem aria-label=Deployment><button aria-hidden=true></button><a title="Requirements, concepts, and considerations for setting up an Istio deployment." href=/v1.8/docs/ops/deployment/>Deployment</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes Istio's high-level architecture and design goals." href=/v1.8/docs/ops/deployment/architecture/>Architecture</a></li><li role=none><a role=treeitem title="Describes the options and considerations when configuring your Istio deployment." href=/v1.8/docs/ops/deployment/deployment-models/>Deployment Models</a></li><li role=none><a role=treeitem title="Istio performance and scalability summary." href=/v1.8/docs/ops/deployment/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Requirements of applications deployed in an Istio-enabled cluster." href=/v1.8/docs/ops/deployment/requirements/>Application Requirements</a></li></ul></li><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Advanced concepts and features for configuring a running Istio mesh." href=/v1.8/docs/ops/configuration/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Mesh Configuration"><button aria-hidden=true></button><a title="Helps you manage the global mesh configuration." href=/v1.8/docs/ops/configuration/mesh/>Mesh Configuration</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.8/docs/ops/configuration/mesh/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes how to wait to apply mesh configuration until a resource reaches a given status or readiness." href=/v1.8/docs/ops/configuration/mesh/config-resource-ready/>Wait for Resource Status to Apply Configuration</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.8/docs/ops/configuration/mesh/injection-concepts/>Automatic Sidecar Injection</a></li><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.8/docs/ops/configuration/mesh/app-health-check/>Health Checking of Istio Services</a></li></ul></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.8/docs/ops/configuration/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Information on how to specify protocols." href=/v1.8/docs/ops/configuration/traffic-management/protocol-selection/>Protocol Selection</a></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.8/docs/ops/configuration/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li><li role=none><a role=treeitem title="How to configure TLS settings to secure network traffic." href=/v1.8/docs/ops/configuration/traffic-management/tls-configuration/>TLS Configuration</a></li><li role=none><a role=treeitem title="How to configure gateway network topology." href=/v1.8/docs/ops/configuration/traffic-management/network-topologies/>Configuring Gateway Network Topology [experimental]</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.8/docs/ops/configuration/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Use hardened container images to reduce Istio's attack surface." href=/v1.8/docs/ops/configuration/security/harden-docker-images/>Harden Docker Container Images</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.8/docs/ops/configuration/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.8/docs/ops/configuration/telemetry/>Observability</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.8/docs/ops/configuration/telemetry/envoy-stats/>Envoy Statistics</a></li><li role=none><a role=treeitem title="Configure Prometheus to monitor multicluster Istio." href=/v1.8/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/>Monitoring Multicluster Istio with Prometheus</a></li></ul></li></ul></li><li role=treeitem aria-label="Best Practices"><button aria-hidden=true></button><a title="Best practices for setting up and managing an Istio service mesh." href=/v1.8/docs/ops/best-practices/>Best Practices</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="General best practices when setting up an Istio service mesh." href=/v1.8/docs/ops/best-practices/deployment/>Deployment Best Practices</a></li><li role=none><a role=treeitem title="Configuration best practices to avoid networking or traffic management issues." href=/v1.8/docs/ops/best-practices/traffic-management/>Traffic Management Best Practices</a></li><li role=none><a role=treeitem title="Best practices for securing applications using Istio." href=/v1.8/docs/ops/best-practices/security/>Security Best Practices</a></li><li role=none><a role=treeitem title="Best practices for observing applications using Istio." href=/v1.8/docs/ops/best-practices/observability/>Observability Best Practices</a></li></ul></li><li role=treeitem aria-label="Common Problems"><button aria-hidden=true></button><a title="Describes how to identify and resolve common problems in Istio." href=/v1.8/docs/ops/common-problems/>Common Problems</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Techniques to address common Istio traffic management and network problems." href=/v1.8/docs/ops/common-problems/network-issues/>Traffic Management Problems</a></li><li role=none><a role=treeitem title="Techniques to address common Istio authentication, authorization, and general security-related problems." href=/v1.8/docs/ops/common-problems/security-issues/>Security Problems</a></li><li role=none><a role=treeitem title="Dealing with telemetry collection issues." href=/v1.8/docs/ops/common-problems/observability-issues/>Observability Problems</a></li><li role=none><a role=treeitem title="Resolve common problems with Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.8/docs/ops/common-problems/injection/>Sidecar Injection Problems</a></li><li role=none><a role=treeitem title="Describes how to resolve configuration validation problems." href=/v1.8/docs/ops/common-problems/validation/>Configuration Validation Problems</a></li></ul></li><li role=treeitem aria-label="Diagnostic Tools"><button aria-hidden=true></button><a title="Tools and techniques to help troubleshoot an Istio mesh." href=/v1.8/docs/ops/diagnostic-tools/>Diagnostic Tools</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio includes a supplemental tool that provides debugging and diagnosis for Istio service mesh deployments." href=/v1.8/docs/ops/diagnostic-tools/istioctl/>Using the Istioctl Command-line Tool</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.8/docs/ops/diagnostic-tools/proxy-cmd/>Debugging Envoy and Istiod</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl describe to verify the configurations of a pod in your mesh." href=/v1.8/docs/ops/diagnostic-tools/istioctl-describe/>Understand your Mesh with Istioctl Describe</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl analyze to identify potential issues with your configuration." href=/v1.8/docs/ops/diagnostic-tools/istioctl-analyze/>Diagnose your Configuration with Istioctl Analyze</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into a running istiod component." href=/v1.8/docs/ops/diagnostic-tools/controlz/>Istiod Introspection</a></li><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.8/docs/ops/diagnostic-tools/component-logging/>Component Logging</a></li></ul></li><li role=treeitem aria-label=Integrations><button aria-hidden=true></button><a title="Other softwares that Istio can integrate with to provide additional functionality." href=/v1.8/docs/ops/integrations/>Integrations</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Information on how to integrate with cert-manager." href=/v1.8/docs/ops/integrations/certmanager/>cert-manager</a></li><li role=none><a role=treeitem title="Information on how to integrate with Grafana to set up Istio dashboards." href=/v1.8/docs/ops/integrations/grafana/>Grafana</a></li><li role=none><a role=treeitem title="How to integrate with Jaeger." href=/v1.8/docs/ops/integrations/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Information on how to integrate with Kiali." href=/v1.8/docs/ops/integrations/kiali/>Kiali</a></li><li role=none><a role=treeitem title="How to integrate with Prometheus." href=/v1.8/docs/ops/integrations/prometheus/>Prometheus</a></li><li role=none><a role=treeitem title="How to integrate with Zipkin." href=/v1.8/docs/ops/integrations/zipkin/>Zipkin</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card169 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card169-body><svg class="icon reference"><use xlink:href="/v1.8/img/icons.svg#reference"/></svg>Reference</button><div class="body default" aria-labelledby=card169 role=region id=card169-body><ul role=tree aria-expanded=true aria-labelledby=card169><li role=treeitem aria-label=Configuration><button class=show aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.8/docs/reference/config/>Configuration</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="Configuration affecting Istio control plane installation version and shape." href=/v1.8/docs/reference/config/istio.operator.v1alpha1/>IstioOperator Options</a></li><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.8/docs/reference/config/istio.mesh.v1alpha1/>Global Mesh Options</a></li><li role=none><a role=treeitem title="Describes the structure of messages generated by Istio analyzers." href=/v1.8/docs/reference/config/istio.analysis.v1alpha1/>Analysis Messages</a></li><li role=none><a role=treeitem title="Describes the role of the `status` field in configuration workflow." href=/v1.8/docs/reference/config/config-status/>Configuration Status Field</a></li><li role=treeitem aria-label="Proxy Extensions"><button aria-hidden=true></button><a title="Describes how to configure Istio proxy extensions." href=/v1.8/docs/reference/config/proxy_extensions/>Proxy Extensions</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration for Metadata Exchange Filter." href=/v1.8/docs/reference/config/proxy_extensions/metadata_exchange/>Metadata Exchange Config</a></li><li role=none><a role=treeitem title="Configuration for Stackdriver filter." href=/v1.8/docs/reference/config/proxy_extensions/stackdriver/>Stackdriver Config</a></li><li role=none><a role=treeitem title="Configuration for Attribute Generation plugin." href=/v1.8/docs/reference/config/proxy_extensions/attributegen/>AttributeGen Config</a></li><li role=none><a role=treeitem title="Configuration for AccessLogPolicy Filter." href=/v1.8/docs/reference/config/proxy_extensions/accesslogpolicy/>AccessLogPolicy Config</a></li><li role=none><a role=treeitem title="Configuration for Stats Filter." href=/v1.8/docs/reference/config/proxy_extensions/stats/>Stats Config</a></li><li role=none><a role=treeitem title="How to enable telemetry generation with the Wasm runtime (experimental)." href=/v1.8/docs/reference/config/proxy_extensions/wasm_telemetry/>Wasm-based Telemetry (Experimental)</a></li></ul></li><li role=treeitem aria-label="Traffic Management"><button class=show aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.8/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.8/docs/reference/config/networking/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Customizing Envoy configuration generated by Istio." href=/v1.8/docs/reference/config/networking/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.8/docs/reference/config/networking/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." href=/v1.8/docs/reference/config/networking/service-entry/>Service Entry</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.8/docs/reference/config/networking/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Describes a collection of workload instances." href=/v1.8/docs/reference/config/networking/workload-group/>Workload Group</a></li><li role=none><a role=treeitem title="Configuration affecting VMs onboarded into the mesh." href=/v1.8/docs/reference/config/networking/workload-entry/>Workload Entry</a></li><li role=none><span role=treeitem class=current title="Configuration affecting label/content routing, sni routing, etc.">Virtual Service</span></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Describes how to configure Istio's security features." href=/v1.8/docs/reference/config/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration to validate JWT." href=/v1.8/docs/reference/config/security/jwt/>JWTRule</a></li><li role=none><a role=treeitem title="Peer authentication configuration for workloads." href=/v1.8/docs/reference/config/security/peer_authentication/>PeerAuthentication</a></li><li role=none><a role=treeitem title="Request authentication configuration for workloads." href=/v1.8/docs/reference/config/security/request_authentication/>RequestAuthentication</a></li><li role=none><a role=treeitem title="Configuration for access control on workloads." href=/v1.8/docs/reference/config/security/authorization-policy/>Authorization Policy</a></li><li role=none><a role=treeitem title="Describes the supported conditions in authorization policies." href=/v1.8/docs/reference/config/security/conditions/>Authorization Policy Conditions</a></li></ul></li><li role=treeitem aria-label="Common Types"><button aria-hidden=true></button><a title="Describes common types in Istio API." href=/v1.8/docs/reference/config/type/>Common Types</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Definition of a workload selector." href=/v1.8/docs/reference/config/type/workload-selector/>Workload Selector</a></li></ul></li><li role=none><a role=treeitem title="Istio standard metrics exported by Istio telemetry." href=/v1.8/docs/reference/config/metrics/>Istio Standard Metrics</a></li><li role=none><a role=treeitem title="Resource annotations used by Istio." href=/v1.8/docs/reference/config/annotations/>Resource Annotations</a></li><li role=treeitem aria-label="Configuration Analysis Messages"><button aria-hidden=true></button><a title="Documents the individual error and warning messages produced during configuration analysis." href=/v1.8/docs/reference/config/analysis/>Configuration Analysis Messages</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0113/>MTLSPolicyConflict</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0109/>ConflictingMeshGatewayVirtualServiceHosts</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0110/>ConflictingSidecarWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0116/>DeploymentAssociatedToMultipleServices</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0117/>DeploymentRequiresServiceAssociated</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0002/>Deprecated</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0104/>GatewayPortNotOnWorkload</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0001/>InternalError</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0125/>InvalidAnnotation</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0122/>InvalidRegexp</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0105/>IstioProxyImageMismatch</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0119/>JwtFailureDueToInvalidServicePortPrefix</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0107/>MisplacedAnnotation</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0108/>UnknownAnnotation</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0111/>MultipleSidecarsWithoutWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0123/>NamespaceMultipleInjectionLabels</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0102/>NamespaceNotInjected</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0127/>NoMatchingWorkloadsFound</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0128/>NoServerCertificateVerificationDestinationLevel</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0129/>NoServerCertificateVerificationPortLevel</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/message-format/>Analyzer Message Format</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0131/>VirtualServiceIneffectiveMatch</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0118/>PortNameIsNotUnderNamingConvention</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0101/>ReferencedResourceNotFound</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0106/>SchemaValidationError</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0130/>VirtualServiceUnreachableRule</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0103/>PodMissingProxy</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0112/>VirtualServiceDestinationPortSelectorRequired</a></li></ul></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.8/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio control interface." href=/v1.8/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.8/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li role=none><a role=treeitem title="The Istio operator." href=/v1.8/docs/reference/commands/operator/>operator</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.8/docs/reference/commands/pilot-agent/>pilot-agent</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.8/docs/reference/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon pull"><use xlink:href="/v1.8/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.8/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.8/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.8/docs/reference/ title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters.">Reference</a></li><li><a href=/v1.8/docs/reference/config/ title="Detailed information on configuration options.">Configuration</a></li><li><a href=/v1.8/docs/reference/config/networking/ title="Describes how to configure HTTP/TCP routing features.">Traffic Management</a></li><li>Virtual Service</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Virtual Service</h1><p class=byline><span title="6151 words"><svg class="icon clock"><use xlink:href="/v1.8/img/icons.svg#clock"/></svg><span>&nbsp;</span>29 minute read</span>
<span>&nbsp;</span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=VirtualService><a href=#VirtualService>VirtualService</a><li role=none aria-label=Destination><a href=#Destination>Destination</a><li role=none aria-label=HTTPRoute><a href=#HTTPRoute>HTTPRoute</a><li role=none aria-label=Delegate><a href=#Delegate>Delegate</a><li role=none aria-label=Headers><a href=#Headers>Headers</a><li role=none aria-label=TLSRoute><a href=#TLSRoute>TLSRoute</a><li role=none aria-label=TCPRoute><a href=#TCPRoute>TCPRoute</a><li role=none aria-label=HTTPMatchRequest><a href=#HTTPMatchRequest>HTTPMatchRequest</a><li role=none aria-label=HTTPRouteDestination><a href=#HTTPRouteDestination>HTTPRouteDestination</a><li role=none aria-label=RouteDestination><a href=#RouteDestination>RouteDestination</a><li role=none aria-label=L4MatchAttributes><a href=#L4MatchAttributes>L4MatchAttributes</a><li role=none aria-label=TLSMatchAttributes><a href=#TLSMatchAttributes>TLSMatchAttributes</a><li role=none aria-label=HTTPRedirect><a href=#HTTPRedirect>HTTPRedirect</a><li role=none aria-label=HTTPRewrite><a href=#HTTPRewrite>HTTPRewrite</a><li role=none aria-label=StringMatch><a href=#StringMatch>StringMatch</a><li role=none aria-label=HTTPRetry><a href=#HTTPRetry>HTTPRetry</a><li role=none aria-label=CorsPolicy><a href=#CorsPolicy>CorsPolicy</a><li role=none aria-label=HTTPFaultInjection><a href=#HTTPFaultInjection>HTTPFaultInjection</a><li role=none aria-label=PortSelector><a href=#PortSelector>PortSelector</a><li role=none aria-label=Percent><a href=#Percent>Percent</a><li role=none aria-label=Headers.HeaderOperations><a href=#Headers-HeaderOperations>Headers.HeaderOperations</a><li role=none aria-label=HTTPFaultInjection.Delay><a href=#HTTPFaultInjection-Delay>HTTPFaultInjection.Delay</a><li role=none aria-label=HTTPFaultInjection.Abort><a href=#HTTPFaultInjection-Abort>HTTPFaultInjection.Abort</a><li role=none aria-label=google.protobuf.UInt32Value><a href=#google-protobuf-UInt32Value>google.protobuf.UInt32Value</a></ol><hr></div></nav><p>Configuration affecting traffic routing. Here are a few terms useful to define
in the context of traffic routing.</p><p><code>Service</code> a unit of application behavior bound to a unique name in a
service registry. Services consist of multiple network <em>endpoints</em>
implemented by workload instances running on pods, containers, VMs etc.</p><p><code>Service versions (a.k.a. subsets)</code> - In a continuous deployment
scenario, for a given service, there can be distinct subsets of
instances running different variants of the application binary. These
variants are not necessarily different API versions. They could be
iterative changes to the same service, deployed in different
environments (prod, staging, dev, etc.). Common scenarios where this
occurs include A/B testing, canary rollouts, etc. The choice of a
particular version can be decided based on various criterion (headers,
url, etc.) and/or by weights assigned to each version. Each service has
a default version consisting of all its instances.</p><p><code>Source</code> - A downstream client calling a service.</p><p><code>Host</code> - The address used by a client when attempting to connect to a
service.</p><p><code>Access model</code> - Applications address only the destination service
(Host) without knowledge of individual service versions (subsets). The
actual choice of the version is determined by the proxy/sidecar, enabling the
application code to decouple itself from the evolution of dependent
services.</p><p>A <code>VirtualService</code> defines a set of traffic routing rules to apply when a host is
addressed. Each routing rule defines matching criteria for traffic of a specific
protocol. If the traffic is matched, then it is sent to a named destination service
(or subset/version of it) defined in the registry.</p><p>The source of traffic can also be matched in a routing rule. This allows routing
to be customized for specific client contexts.</p><p>The following example on Kubernetes, routes all HTTP traffic by default to
pods of the reviews service with label &ldquo;version: v1&rdquo;. In addition,
HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will
be rewritten to /newcatalog and sent to pods with label &ldquo;version: v2&rdquo;.</p><div id=tabset-docs-reference-config-networking-virtual-service-1 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-1-0-panel id=tabset-docs-reference-config-networking-virtual-service-1-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-1-1-panel id=tabset-docs-reference-config-networking-virtual-service-1-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-1-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-1-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- name: &quot;reviews-v2-routes&quot;
match:
- uri:
prefix: &quot;/wpcatalog&quot;
- uri:
prefix: &quot;/consumercatalog&quot;
rewrite:
uri: &quot;/newcatalog&quot;
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v2
- name: &quot;reviews-v1-route&quot;
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-1-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-1-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- name: &quot;reviews-v2-routes&quot;
match:
- uri:
prefix: &quot;/wpcatalog&quot;
- uri:
prefix: &quot;/consumercatalog&quot;
rewrite:
uri: &quot;/newcatalog&quot;
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v2
- name: &quot;reviews-v1-route&quot;
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
</code></pre></div></div></div><p>A subset/version of a route destination is identified with a reference
to a named service subset which must be declared in a corresponding
<code>DestinationRule</code>.</p><div id=tabset-docs-reference-config-networking-virtual-service-2 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-2-0-panel id=tabset-docs-reference-config-networking-virtual-service-2-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-2-1-panel id=tabset-docs-reference-config-networking-virtual-service-2-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-2-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-2-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews-destination
spec:
host: reviews.prod.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-2-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-2-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: reviews-destination
spec:
host: reviews.prod.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
</code></pre></div></div></div><h2 id=VirtualService>VirtualService</h2><section><p>Configuration affecting traffic routing.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=VirtualService-hosts><td><code>hosts</code></td><td><code>string[]</code></td><td><p>The destination hosts to which traffic is being sent. Could
be a DNS name with wildcard prefix or an IP address. Depending on the
platform, short-names can also be used instead of a FQDN (i.e. has no
dots in the name). In such a scenario, the FQDN of the host would be
derived based on the underlying platform.</p><p>A single VirtualService can be used to describe all the traffic
properties of the corresponding hosts, including those for multiple
HTTP and TCP ports. Alternatively, the traffic properties of a host
can be defined using more than one VirtualService, with certain
caveats. Refer to the
<a href=/v1.8/docs/ops/best-practices/traffic-management/#split-virtual-services>Operations Guide</a>
for details.</p><p><em>Note for Kubernetes users</em>: When short names are used (e.g. &ldquo;reviews&rdquo;
instead of &ldquo;reviews.default.svc.cluster.local&rdquo;), Istio will interpret
the short name based on the namespace of the rule, not the service. A
rule in the &ldquo;default&rdquo; namespace containing a host &ldquo;reviews&rdquo; will be
interpreted as &ldquo;reviews.default.svc.cluster.local&rdquo;, irrespective of
the actual namespace associated with the reviews service. <em>To avoid
potential misconfigurations, it is recommended to always use fully
qualified domain names over short names.</em></p><p>The hosts field applies to both HTTP and TCP services. Service inside
the mesh, i.e., those found in the service registry, must always be
referred to using their alphanumeric names. IP addresses are allowed
only for services defined via the Gateway.</p><p><em>Note</em>: It must be empty for a delegate VirtualService.</p></td><td>No</td></tr><tr id=VirtualService-gateways><td><code>gateways</code></td><td><code>string[]</code></td><td><p>The names of gateways and sidecars that should apply these routes.
Gateways in other namespaces may be referred to by
<code>&lt;gateway namespace>/&lt;gateway name></code>; specifying a gateway with no
namespace qualifier is the same as specifying the VirtualService&rsquo;s
namespace. A single VirtualService is used for sidecars inside the mesh as
well as for one or more gateways. The selection condition imposed by this
field can be overridden using the source field in the match conditions
of protocol-specific routes. The reserved word <code>mesh</code> is used to imply
all the sidecars in the mesh. When this field is omitted, the default
gateway (<code>mesh</code>) will be used, which would apply the rule to all
sidecars in the mesh. If a list of gateway names is provided, the
rules will apply only to the gateways. To apply the rules to both
gateways and sidecars, specify <code>mesh</code> as one of the gateway names.</p></td><td>No</td></tr><tr id=VirtualService-http><td><code>http</code></td><td><code><a href=#HTTPRoute>HTTPRoute[]</a></code></td><td><p>An ordered list of route rules for HTTP traffic. HTTP routes will be
applied to platform service ports named &lsquo;http-<em>&rsquo;/&lsquo;http2-</em>&rsquo;/&lsquo;grpc-*&rsquo;, gateway
ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service
entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching
an incoming request is used.</p></td><td>No</td></tr><tr id=VirtualService-tls><td><code>tls</code></td><td><code><a href=#TLSRoute>TLSRoute[]</a></code></td><td><p>An ordered list of route rule for non-terminated TLS & HTTPS
traffic. Routing is typically performed using the SNI value presented
by the ClientHello message. TLS routes will be applied to platform
service ports named &lsquo;https-<em>&rsquo;, &lsquo;tls-</em>&rsquo;, unterminated gateway ports using
HTTPS/TLS protocols (i.e. with &ldquo;passthrough&rdquo; TLS mode) and service
entry ports using HTTPS/TLS protocols. The first rule matching an
incoming request is used. NOTE: Traffic &lsquo;https-<em>&rsquo; or &lsquo;tls-</em>&rsquo; ports
without associated virtual service will be treated as opaque TCP
traffic.</p></td><td>No</td></tr><tr id=VirtualService-tcp><td><code>tcp</code></td><td><code><a href=#TCPRoute>TCPRoute[]</a></code></td><td><p>An ordered list of route rules for opaque TCP traffic. TCP routes will
be applied to any port that is not a HTTP or TLS port. The first rule
matching an incoming request is used.</p></td><td>No</td></tr><tr id=VirtualService-export_to><td><code>exportTo</code></td><td><code>string[]</code></td><td><p>A list of namespaces to which this virtual service is exported. Exporting a
virtual service allows it to be used by sidecars and gateways defined in
other namespaces. This feature provides a mechanism for service owners
and mesh administrators to control the visibility of virtual services
across namespace boundaries.</p><p>If no namespaces are specified then the virtual service is exported to all
namespaces by default.</p><p>The value &ldquo;.&rdquo; is reserved and defines an export to the same namespace that
the virtual service is declared in. Similarly the value &ldquo;*&rdquo; is reserved and
defines an export to all namespaces.</p><p>NOTE: in the current release, the <code>exportTo</code> value is restricted to
&ldquo;.&rdquo; or &ldquo;*&rdquo; (i.e., the current namespace or all namespaces).</p></td><td>No</td></tr></tbody></table></section><h2 id=Destination>Destination</h2><section><p>Destination indicates the network addressable service to which the
request/connection will be sent after processing a routing rule. The
destination.host should unambiguously refer to a service in the service
registry. Istio&rsquo;s service registry is composed of all the services found
in the platform&rsquo;s service registry (e.g., Kubernetes services, Consul
services), as well as services declared through the
<a href=/v1.8/docs/reference/config/networking/service-entry/#ServiceEntry>ServiceEntry</a> resource.</p><p><em>Note for Kubernetes users</em>: When short names are used (e.g. &ldquo;reviews&rdquo;
instead of &ldquo;reviews.default.svc.cluster.local&rdquo;), Istio will interpret
the short name based on the namespace of the rule, not the service. A
rule in the &ldquo;default&rdquo; namespace containing a host &ldquo;reviews will be
interpreted as &ldquo;reviews.default.svc.cluster.local&rdquo;, irrespective of the
actual namespace associated with the reviews service. <em>To avoid potential
misconfigurations, it is recommended to always use fully qualified
domain names over short names.</em></p><p>The following Kubernetes example routes all traffic by default to pods
of the reviews service with label &ldquo;version: v1&rdquo; (i.e., subset v1), and
some to subset v2, in a Kubernetes environment.</p><div id=tabset-docs-reference-config-networking-virtual-service-3 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-3-0-panel id=tabset-docs-reference-config-networking-virtual-service-3-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-3-1-panel id=tabset-docs-reference-config-networking-virtual-service-3-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-3-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-3-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews-route
namespace: foo
spec:
hosts:
- reviews # interpreted as reviews.foo.svc.cluster.local
http:
- match:
- uri:
prefix: &quot;/wpcatalog&quot;
- uri:
prefix: &quot;/consumercatalog&quot;
rewrite:
uri: &quot;/newcatalog&quot;
route:
- destination:
host: reviews # interpreted as reviews.foo.svc.cluster.local
subset: v2
- route:
- destination:
host: reviews # interpreted as reviews.foo.svc.cluster.local
subset: v1
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-3-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-3-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-route
namespace: foo
spec:
hosts:
- reviews # interpreted as reviews.foo.svc.cluster.local
http:
- match:
- uri:
prefix: &quot;/wpcatalog&quot;
- uri:
prefix: &quot;/consumercatalog&quot;
rewrite:
uri: &quot;/newcatalog&quot;
route:
- destination:
host: reviews # interpreted as reviews.foo.svc.cluster.local
subset: v2
- route:
- destination:
host: reviews # interpreted as reviews.foo.svc.cluster.local
subset: v1
</code></pre></div></div></div><p>And the associated DestinationRule</p><div id=tabset-docs-reference-config-networking-virtual-service-4 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-4-0-panel id=tabset-docs-reference-config-networking-virtual-service-4-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-4-1-panel id=tabset-docs-reference-config-networking-virtual-service-4-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-4-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-4-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews-destination
namespace: foo
spec:
host: reviews # interpreted as reviews.foo.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-4-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-4-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: reviews-destination
namespace: foo
spec:
host: reviews # interpreted as reviews.foo.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
</code></pre></div></div></div><p>The following VirtualService sets a timeout of 5s for all calls to
productpage.prod.svc.cluster.local service in Kubernetes. Notice that
there are no subsets defined in this rule. Istio will fetch all
instances of productpage.prod.svc.cluster.local service from the service
registry and populate the sidecar&rsquo;s load balancing pool. Also, notice
that this rule is set in the istio-system namespace but uses the fully
qualified domain name of the productpage service,
productpage.prod.svc.cluster.local. Therefore the rule&rsquo;s namespace does
not have an impact in resolving the name of the productpage service.</p><div id=tabset-docs-reference-config-networking-virtual-service-5 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-5-0-panel id=tabset-docs-reference-config-networking-virtual-service-5-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-5-1-panel id=tabset-docs-reference-config-networking-virtual-service-5-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-5-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-5-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: my-productpage-rule
namespace: istio-system
spec:
hosts:
- productpage.prod.svc.cluster.local # ignores rule namespace
http:
- timeout: 5s
route:
- destination:
host: productpage.prod.svc.cluster.local
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-5-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-5-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: my-productpage-rule
namespace: istio-system
spec:
hosts:
- productpage.prod.svc.cluster.local # ignores rule namespace
http:
- timeout: 5s
route:
- destination:
host: productpage.prod.svc.cluster.local
</code></pre></div></div></div><p>To control routing for traffic bound to services outside the mesh, external
services must first be added to Istio&rsquo;s internal service registry using the
ServiceEntry resource. VirtualServices can then be defined to control traffic
bound to these external services. For example, the following rules define a
Service for wikipedia.org and set a timeout of 5s for HTTP requests.</p><div id=tabset-docs-reference-config-networking-virtual-service-6 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-6-0-panel id=tabset-docs-reference-config-networking-virtual-service-6-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-6-1-panel id=tabset-docs-reference-config-networking-virtual-service-6-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-6-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-6-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc-wikipedia
spec:
hosts:
- wikipedia.org
location: MESH_EXTERNAL
ports:
- number: 80
name: example-http
protocol: HTTP
resolution: DNS
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: my-wiki-rule
spec:
hosts:
- wikipedia.org
http:
- timeout: 5s
route:
- destination:
host: wikipedia.org
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-6-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-6-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-wikipedia
spec:
hosts:
- wikipedia.org
location: MESH_EXTERNAL
ports:
- number: 80
name: example-http
protocol: HTTP
resolution: DNS
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: my-wiki-rule
spec:
hosts:
- wikipedia.org
http:
- timeout: 5s
route:
- destination:
host: wikipedia.org
</code></pre></div></div></div><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Destination-host><td><code>host</code></td><td><code>string</code></td><td><p>The name of a service from the service registry. Service
names are looked up from the platform&rsquo;s service registry (e.g.,
Kubernetes services, Consul services, etc.) and from the hosts
declared by <a href=/v1.8/docs/reference/config/networking/service-entry/#ServiceEntry>ServiceEntry</a>. Traffic forwarded to
destinations that are not found in either of the two, will be dropped.</p><p><em>Note for Kubernetes users</em>: When short names are used (e.g. &ldquo;reviews&rdquo;
instead of &ldquo;reviews.default.svc.cluster.local&rdquo;), Istio will interpret
the short name based on the namespace of the rule, not the service. A
rule in the &ldquo;default&rdquo; namespace containing a host &ldquo;reviews will be
interpreted as &ldquo;reviews.default.svc.cluster.local&rdquo;, irrespective of
the actual namespace associated with the reviews service. To avoid
potential misconfiguration, it is recommended to always use fully
qualified domain names over short names.</p></td><td>Yes</td></tr><tr id=Destination-subset><td><code>subset</code></td><td><code>string</code></td><td><p>The name of a subset within the service. Applicable only to services
within the mesh. The subset must be defined in a corresponding
DestinationRule.</p></td><td>No</td></tr><tr id=Destination-port><td><code>port</code></td><td><code><a href=#PortSelector>PortSelector</a></code></td><td><p>Specifies the port on the host that is being addressed. If a service
exposes only a single port it is not required to explicitly select the
port.</p></td><td>No</td></tr></tbody></table></section><h2 id=HTTPRoute>HTTPRoute</h2><section><p>Describes match conditions and actions for routing HTTP/1.1, HTTP2, and
gRPC traffic. See VirtualService for usage examples.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=HTTPRoute-name><td><code>name</code></td><td><code>string</code></td><td><p>The name assigned to the route for debugging purposes. The
route&rsquo;s name will be concatenated with the match&rsquo;s name and will
be logged in the access logs for requests matching this
route/match.</p></td><td>No</td></tr><tr id=HTTPRoute-match><td><code>match</code></td><td><code><a href=#HTTPMatchRequest>HTTPMatchRequest[]</a></code></td><td><p>Match conditions to be satisfied for the rule to be
activated. All conditions inside a single match block have AND
semantics, while the list of match blocks have OR semantics. The rule
is matched if any one of the match blocks succeed.</p></td><td>No</td></tr><tr id=HTTPRoute-route><td><code>route</code></td><td><code><a href=#HTTPRouteDestination>HTTPRouteDestination[]</a></code></td><td><p>A HTTP rule can either redirect or forward (default) traffic. The
forwarding target can be one of several versions of a service (see
glossary in beginning of document). Weights associated with the
service version determine the proportion of traffic it receives.</p></td><td>No</td></tr><tr id=HTTPRoute-redirect><td><code>redirect</code></td><td><code><a href=#HTTPRedirect>HTTPRedirect</a></code></td><td><p>A HTTP rule can either redirect or forward (default) traffic. If
traffic passthrough option is specified in the rule,
route/redirect will be ignored. The redirect primitive can be used to
send a HTTP 301 redirect to a different URI or Authority.</p></td><td>No</td></tr><tr id=HTTPRoute-delegate><td><code>delegate</code></td><td><code><a href=#Delegate>Delegate</a></code></td><td><p>Delegate is used to specify the particular VirtualService which
can be used to define delegate HTTPRoute.
It can be set only when <code>Route</code> and <code>Redirect</code> are empty, and the route rules of the
delegate VirtualService will be merged with that in the current one.
<strong>NOTE</strong>:
1. Only one level delegation is supported.
2. The delegate&rsquo;s HTTPMatchRequest must be a strict subset of the root&rsquo;s,
otherwise there is a conflict and the HTTPRoute will not take effect.</p></td><td>No</td></tr><tr id=HTTPRoute-rewrite><td><code>rewrite</code></td><td><code><a href=#HTTPRewrite>HTTPRewrite</a></code></td><td><p>Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with
Redirect primitive. Rewrite will be performed before forwarding.</p></td><td>No</td></tr><tr id=HTTPRoute-timeout><td><code>timeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Timeout for HTTP requests, default is disabled.</p></td><td>No</td></tr><tr id=HTTPRoute-retries><td><code>retries</code></td><td><code><a href=#HTTPRetry>HTTPRetry</a></code></td><td><p>Retry policy for HTTP requests.</p></td><td>No</td></tr><tr id=HTTPRoute-fault><td><code>fault</code></td><td><code><a href=#HTTPFaultInjection>HTTPFaultInjection</a></code></td><td><p>Fault injection policy to apply on HTTP traffic at the client side.
Note that timeouts or retries will not be enabled when faults are
enabled on the client side.</p></td><td>No</td></tr><tr id=HTTPRoute-mirror><td><code>mirror</code></td><td><code><a href=#Destination>Destination</a></code></td><td><p>Mirror HTTP traffic to a another destination in addition to forwarding
the requests to the intended destination. Mirrored traffic is on a
best effort basis where the sidecar/gateway will not wait for the
mirrored cluster to respond before returning the response from the
original destination. Statistics will be generated for the mirrored
destination.</p></td><td>No</td></tr><tr id=HTTPRoute-mirror_percentage><td><code>mirrorPercentage</code></td><td><code><a href=#Percent>Percent</a></code></td><td><p>Percentage of the traffic to be mirrored by the <code>mirror</code> field.
If this field is absent, all the traffic (100%) will be mirrored.
Max value is 100.</p></td><td>No</td></tr><tr id=HTTPRoute-cors_policy><td><code>corsPolicy</code></td><td><code><a href=#CorsPolicy>CorsPolicy</a></code></td><td><p>Cross-Origin Resource Sharing policy (CORS). Refer to
<a href=https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>CORS</a>
for further details about cross origin resource sharing.</p></td><td>No</td></tr><tr id=HTTPRoute-headers><td><code>headers</code></td><td><code><a href=#Headers>Headers</a></code></td><td><p>Header manipulation rules</p></td><td>No</td></tr><tr id=HTTPRoute-mirror_percent class=deprecated><td><code>mirrorPercent</code></td><td><code><a href=#google-protobuf-UInt32Value>UInt32Value</a></code></td><td><p>Percentage of the traffic to be mirrored by the <code>mirror</code> field.
Use of integer <code>mirror_percent</code> value is deprecated. Use the
double <code>mirror_percentage</code> field instead</p></td><td>No</td></tr></tbody></table></section><h2 id=Delegate>Delegate</h2><section><p>Describes the delegate VirtualService.
The following routing rules forward the traffic to <code>/productpage</code> by a delegate VirtualService named <code>productpage</code>,
forward the traffic to <code>/reviews</code> by a delegate VirtualService named <code>reviews</code>.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- &quot;bookinfo.com&quot;
gateways:
- mygateway
http:
- match:
- uri:
prefix: &quot;/productpage&quot;
delegate:
name: productpage
namespace: nsA
- match:
- uri:
prefix: &quot;/reviews&quot;
delegate:
name: reviews
namespace: nsB
</code></pre><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: productpage
namespace: nsA
spec:
http:
- match:
- uri:
prefix: &quot;/productpage/v1/&quot;
route:
- destination:
host: productpage-v1.nsA.svc.cluster.local
- route:
- destination:
host: productpage.nsA.svc.cluster.local
</code></pre><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
namespace: nsB
spec:
http:
- route:
- destination:
host: reviews.nsB.svc.cluster.local
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Delegate-name><td><code>name</code></td><td><code>string</code></td><td><p>Name specifies the name of the delegate VirtualService.</p></td><td>No</td></tr><tr id=Delegate-namespace><td><code>namespace</code></td><td><code>string</code></td><td><p>Namespace specifies the namespace where the delegate VirtualService resides.
By default, it is same to the root&rsquo;s.</p></td><td>No</td></tr></tbody></table></section><h2 id=Headers>Headers</h2><section><p>Message headers can be manipulated when Envoy forwards requests to,
or responses from, a destination service. Header manipulation rules can
be specified for a specific route destination or for all destinations.
The following VirtualService adds a <code>test</code> header with the value <code>true</code>
to requests that are routed to any <code>reviews</code> service destination.
It also removes the <code>foo</code> response header, but only from responses
coming from the <code>v1</code> subset (version) of the <code>reviews</code> service.</p><div id=tabset-docs-reference-config-networking-virtual-service-7 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-7-0-panel id=tabset-docs-reference-config-networking-virtual-service-7-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-7-1-panel id=tabset-docs-reference-config-networking-virtual-service-7-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-7-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-7-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- headers:
request:
set:
test: true
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v2
weight: 25
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
headers:
response:
remove:
- foo
weight: 75
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-7-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-7-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- headers:
request:
set:
test: true
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v2
weight: 25
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
headers:
response:
remove:
- foo
weight: 75
</code></pre></div></div></div><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Headers-request><td><code>request</code></td><td><code><a href=#Headers-HeaderOperations>HeaderOperations</a></code></td><td><p>Header manipulation rules to apply before forwarding a request
to the destination service</p></td><td>No</td></tr><tr id=Headers-response><td><code>response</code></td><td><code><a href=#Headers-HeaderOperations>HeaderOperations</a></code></td><td><p>Header manipulation rules to apply before returning a response
to the caller</p></td><td>No</td></tr></tbody></table></section><h2 id=TLSRoute>TLSRoute</h2><section><p>Describes match conditions and actions for routing unterminated TLS
traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
traffic arriving at port 443 of gateway called &ldquo;mygateway&rdquo; to internal
services in the mesh based on the SNI value.</p><div id=tabset-docs-reference-config-networking-virtual-service-8 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-8-0-panel id=tabset-docs-reference-config-networking-virtual-service-8-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-8-1-panel id=tabset-docs-reference-config-networking-virtual-service-8-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-8-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-8-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo-sni
spec:
hosts:
- &quot;*.bookinfo.com&quot;
gateways:
- mygateway
tls:
- match:
- port: 443
sniHosts:
- login.bookinfo.com
route:
- destination:
host: login.prod.svc.cluster.local
- match:
- port: 443
sniHosts:
- reviews.bookinfo.com
route:
- destination:
host: reviews.prod.svc.cluster.local
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-8-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-8-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo-sni
spec:
hosts:
- &quot;*.bookinfo.com&quot;
gateways:
- mygateway
tls:
- match:
- port: 443
sniHosts:
- login.bookinfo.com
route:
- destination:
host: login.prod.svc.cluster.local
- match:
- port: 443
sniHosts:
- reviews.bookinfo.com
route:
- destination:
host: reviews.prod.svc.cluster.local
</code></pre></div></div></div><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=TLSRoute-match><td><code>match</code></td><td><code><a href=#TLSMatchAttributes>TLSMatchAttributes[]</a></code></td><td><p>Match conditions to be satisfied for the rule to be
activated. All conditions inside a single match block have AND
semantics, while the list of match blocks have OR semantics. The rule
is matched if any one of the match blocks succeed.</p></td><td>Yes</td></tr><tr id=TLSRoute-route><td><code>route</code></td><td><code><a href=#RouteDestination>RouteDestination[]</a></code></td><td><p>The destination to which the connection should be forwarded to.</p></td><td>No</td></tr></tbody></table></section><h2 id=TCPRoute>TCPRoute</h2><section><p>Describes match conditions and actions for routing TCP traffic. The
following routing rule forwards traffic arriving at port 27017 for
mongo.prod.svc.cluster.local to another Mongo server on port 5555.</p><div id=tabset-docs-reference-config-networking-virtual-service-9 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-9-0-panel id=tabset-docs-reference-config-networking-virtual-service-9-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-9-1-panel id=tabset-docs-reference-config-networking-virtual-service-9-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-9-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-9-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo-mongo
spec:
hosts:
- mongo.prod.svc.cluster.local
tcp:
- match:
- port: 27017
route:
- destination:
host: mongo.backup.svc.cluster.local
port:
number: 5555
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-9-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-9-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo-mongo
spec:
hosts:
- mongo.prod.svc.cluster.local
tcp:
- match:
- port: 27017
route:
- destination:
host: mongo.backup.svc.cluster.local
port:
number: 5555
</code></pre></div></div></div><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=TCPRoute-match><td><code>match</code></td><td><code><a href=#L4MatchAttributes>L4MatchAttributes[]</a></code></td><td><p>Match conditions to be satisfied for the rule to be
activated. All conditions inside a single match block have AND
semantics, while the list of match blocks have OR semantics. The rule
is matched if any one of the match blocks succeed.</p></td><td>No</td></tr><tr id=TCPRoute-route><td><code>route</code></td><td><code><a href=#RouteDestination>RouteDestination[]</a></code></td><td><p>The destination to which the connection should be forwarded to.</p></td><td>No</td></tr></tbody></table></section><h2 id=HTTPMatchRequest>HTTPMatchRequest</h2><section><p>HttpMatchRequest specifies a set of criterion to be met in order for the
rule to be applied to the HTTP request. For example, the following
restricts the rule to match only requests where the URL path
starts with /ratings/v2/ and the request contains a custom <code>end-user</code> header
with value <code>jason</code>.</p><div id=tabset-docs-reference-config-networking-virtual-service-10 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-10-0-panel id=tabset-docs-reference-config-networking-virtual-service-10-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-10-1-panel id=tabset-docs-reference-config-networking-virtual-service-10-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-10-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-10-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- match:
- headers:
end-user:
exact: jason
uri:
prefix: &quot;/ratings/v2/&quot;
ignoreUriCase: true
route:
- destination:
host: ratings.prod.svc.cluster.local
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-10-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-10-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- match:
- headers:
end-user:
exact: jason
uri:
prefix: &quot;/ratings/v2/&quot;
ignoreUriCase: true
route:
- destination:
host: ratings.prod.svc.cluster.local
</code></pre></div></div></div><p>HTTPMatchRequest CANNOT be empty.
<strong>Note:</strong> No regex string match can be set when delegate VirtualService is specified.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=HTTPMatchRequest-name><td><code>name</code></td><td><code>string</code></td><td><p>The name assigned to a match. The match&rsquo;s name will be
concatenated with the parent route&rsquo;s name and will be logged in
the access logs for requests matching this route.</p></td><td>No</td></tr><tr id=HTTPMatchRequest-uri><td><code>uri</code></td><td><code><a href=#StringMatch>StringMatch</a></code></td><td><p>URI to match
values are case-sensitive and formatted as follows:</p><ul><li><p><code>exact: "value"</code> for exact string match</p></li><li><p><code>prefix: "value"</code> for prefix-based match</p></li><li><p><code>regex: "value"</code> for ECMAscript style regex-based match</p></li></ul><p><strong>Note:</strong> Case-insensitive matching could be enabled via the
<code>ignore_uri_case</code> flag.</p></td><td>No</td></tr><tr id=HTTPMatchRequest-scheme><td><code>scheme</code></td><td><code><a href=#StringMatch>StringMatch</a></code></td><td><p>URI Scheme
values are case-sensitive and formatted as follows:</p><ul><li><p><code>exact: "value"</code> for exact string match</p></li><li><p><code>prefix: "value"</code> for prefix-based match</p></li><li><p><code>regex: "value"</code> for ECMAscript style regex-based match</p></li></ul></td><td>No</td></tr><tr id=HTTPMatchRequest-method><td><code>method</code></td><td><code><a href=#StringMatch>StringMatch</a></code></td><td><p>HTTP Method
values are case-sensitive and formatted as follows:</p><ul><li><p><code>exact: "value"</code> for exact string match</p></li><li><p><code>prefix: "value"</code> for prefix-based match</p></li><li><p><code>regex: "value"</code> for ECMAscript style regex-based match</p></li></ul></td><td>No</td></tr><tr id=HTTPMatchRequest-authority><td><code>authority</code></td><td><code><a href=#StringMatch>StringMatch</a></code></td><td><p>HTTP Authority
values are case-sensitive and formatted as follows:</p><ul><li><p><code>exact: "value"</code> for exact string match</p></li><li><p><code>prefix: "value"</code> for prefix-based match</p></li><li><p><code>regex: "value"</code> for ECMAscript style regex-based match</p></li></ul></td><td>No</td></tr><tr id=HTTPMatchRequest-headers><td><code>headers</code></td><td><code>map&lt;string,&nbsp;<a href=#StringMatch>StringMatch</a>></code></td><td><p>The header keys must be lowercase and use hyphen as the separator,
e.g. <em>x-request-id</em>.</p><p>Header values are case-sensitive and formatted as follows:</p><ul><li><p><code>exact: "value"</code> for exact string match</p></li><li><p><code>prefix: "value"</code> for prefix-based match</p></li><li><p><code>regex: "value"</code> for ECMAscript style regex-based match</p></li></ul><p>If the value is empty and only the name of header is specfied, presence of the header is checked.
<strong>Note:</strong> The keys <code>uri</code>, <code>scheme</code>, <code>method</code>, and <code>authority</code> will be ignored.</p></td><td>No</td></tr><tr id=HTTPMatchRequest-port><td><code>port</code></td><td><code>uint32</code></td><td><p>Specifies the ports on the host that is being addressed. Many services
only expose a single port or label ports with the protocols they support,
in these cases it is not required to explicitly select the port.</p></td><td>No</td></tr><tr id=HTTPMatchRequest-source_labels><td><code>sourceLabels</code></td><td><code>map&lt;string,&nbsp;string></code></td><td><p>One or more labels that constrain the applicability of a rule to
workloads with the given labels. If the VirtualService has a list of
gateways specified in the top-level <code>gateways</code> field, it must include the reserved gateway
<code>mesh</code> for this field to be applicable.</p></td><td>No</td></tr><tr id=HTTPMatchRequest-gateways><td><code>gateways</code></td><td><code>string[]</code></td><td><p>Names of gateways where the rule should be applied. Gateway names
in the top-level <code>gateways</code> field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.</p></td><td>No</td></tr><tr id=HTTPMatchRequest-query_params><td><code>queryParams</code></td><td><code>map&lt;string,&nbsp;<a href=#StringMatch>StringMatch</a>></code></td><td><p>Query parameters for matching.</p><p>Ex:
- For a query parameter like &ldquo;?key=true&rdquo;, the map key would be &ldquo;key&rdquo; and
the string match could be defined as <code>exact: "true"</code>.
- For a query parameter like &ldquo;?key&rdquo;, the map key would be &ldquo;key&rdquo; and the
string match could be defined as <code>exact: ""</code>.
- For a query parameter like &ldquo;?key=123&rdquo;, the map key would be &ldquo;key&rdquo; and the
string match could be defined as <code>regex: "\d+$"</code>. Note that this
configuration will only match values like &ldquo;123&rdquo; but not &ldquo;a123&rdquo; or &ldquo;123a&rdquo;.</p><p><strong>Note:</strong> <code>prefix</code> matching is currently not supported.</p></td><td>No</td></tr><tr id=HTTPMatchRequest-ignore_uri_case><td><code>ignoreUriCase</code></td><td><code>bool</code></td><td><p>Flag to specify whether the URI matching should be case-insensitive.</p><p><strong>Note:</strong> The case will be ignored only in the case of <code>exact</code> and <code>prefix</code>
URI matches.</p></td><td>No</td></tr><tr id=HTTPMatchRequest-without_headers><td><code>withoutHeaders</code></td><td><code>map&lt;string,&nbsp;<a href=#StringMatch>StringMatch</a>></code></td><td><p>withoutHeader has the same syntax with the header, but has opposite meaning.
If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.</p></td><td>No</td></tr><tr id=HTTPMatchRequest-source_namespace><td><code>sourceNamespace</code></td><td><code>string</code></td><td><p>Source namespace constraining the applicability of a rule to workloads in that namespace.
If the VirtualService has a list of gateways specified in the top-level <code>gateways</code> field,
it must include the reserved gateway <code>mesh</code> for this field to be applicable.</p></td><td>No</td></tr></tbody></table></section><h2 id=HTTPRouteDestination>HTTPRouteDestination</h2><section><p>Each routing rule is associated with one or more service versions (see
glossary in beginning of document). Weights associated with the version
determine the proportion of traffic it receives. For example, the
following rule will route 25% of traffic for the &ldquo;reviews&rdquo; service to
instances with the &ldquo;v2&rdquo; tag and the remaining traffic (i.e., 75%) to
&ldquo;v1&rdquo;.</p><div id=tabset-docs-reference-config-networking-virtual-service-11 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-11-0-panel id=tabset-docs-reference-config-networking-virtual-service-11-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-11-1-panel id=tabset-docs-reference-config-networking-virtual-service-11-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-11-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-11-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v2
weight: 25
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
weight: 75
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-11-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-11-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v2
weight: 25
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
weight: 75
</code></pre></div></div></div><p>And the associated DestinationRule</p><div id=tabset-docs-reference-config-networking-virtual-service-12 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-12-0-panel id=tabset-docs-reference-config-networking-virtual-service-12-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-12-1-panel id=tabset-docs-reference-config-networking-virtual-service-12-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-12-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-12-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews-destination
spec:
host: reviews.prod.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-12-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-12-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: reviews-destination
spec:
host: reviews.prod.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
</code></pre></div></div></div><p>Traffic can also be split across two entirely different services without
having to define new subsets. For example, the following rule forwards 25% of
traffic to reviews.com to dev.reviews.com</p><div id=tabset-docs-reference-config-networking-virtual-service-13 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-13-0-panel id=tabset-docs-reference-config-networking-virtual-service-13-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-13-1-panel id=tabset-docs-reference-config-networking-virtual-service-13-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-13-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-13-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews-route-two-domains
spec:
hosts:
- reviews.com
http:
- route:
- destination:
host: dev.reviews.com
weight: 25
- destination:
host: reviews.com
weight: 75
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-13-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-13-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-route-two-domains
spec:
hosts:
- reviews.com
http:
- route:
- destination:
host: dev.reviews.com
weight: 25
- destination:
host: reviews.com
weight: 75
</code></pre></div></div></div><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=HTTPRouteDestination-destination><td><code>destination</code></td><td><code><a href=#Destination>Destination</a></code></td><td><p>Destination uniquely identifies the instances of a service
to which the request/connection should be forwarded to.</p></td><td>Yes</td></tr><tr id=HTTPRouteDestination-weight><td><code>weight</code></td><td><code>int32</code></td><td><p>The proportion of traffic to be forwarded to the service
version. (0-100). Sum of weights across destinations SHOULD BE == 100.
If there is only one destination in a rule, the weight value is assumed to
be 100.</p></td><td>No</td></tr><tr id=HTTPRouteDestination-headers><td><code>headers</code></td><td><code><a href=#Headers>Headers</a></code></td><td><p>Header manipulation rules</p></td><td>No</td></tr></tbody></table></section><h2 id=RouteDestination>RouteDestination</h2><section><p>L4 routing rule weighted destination.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=RouteDestination-destination><td><code>destination</code></td><td><code><a href=#Destination>Destination</a></code></td><td><p>Destination uniquely identifies the instances of a service
to which the request/connection should be forwarded to.</p></td><td>Yes</td></tr><tr id=RouteDestination-weight><td><code>weight</code></td><td><code>int32</code></td><td><p>The proportion of traffic to be forwarded to the service
version. If there is only one destination in a rule, all traffic will be
routed to it irrespective of the weight.</p></td><td>No</td></tr></tbody></table></section><h2 id=L4MatchAttributes>L4MatchAttributes</h2><section><p>L4 connection match attributes. Note that L4 connection matching support
is incomplete.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=L4MatchAttributes-destination_subnets><td><code>destinationSubnets</code></td><td><code>string[]</code></td><td><p>IPv4 or IPv6 ip addresses of destination with optional subnet. E.g.,
a.b.c.d/xx form or just a.b.c.d.</p></td><td>No</td></tr><tr id=L4MatchAttributes-port><td><code>port</code></td><td><code>uint32</code></td><td><p>Specifies the port on the host that is being addressed. Many services
only expose a single port or label ports with the protocols they support,
in these cases it is not required to explicitly select the port.</p></td><td>No</td></tr><tr id=L4MatchAttributes-source_labels><td><code>sourceLabels</code></td><td><code>map&lt;string,&nbsp;string></code></td><td><p>One or more labels that constrain the applicability of a rule to
workloads with the given labels. If the VirtualService has a list of
gateways specified in the top-level <code>gateways</code> field, it should include the reserved gateway
<code>mesh</code> in order for this field to be applicable.</p></td><td>No</td></tr><tr id=L4MatchAttributes-gateways><td><code>gateways</code></td><td><code>string[]</code></td><td><p>Names of gateways where the rule should be applied. Gateway names
in the top-level <code>gateways</code> field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.</p></td><td>No</td></tr><tr id=L4MatchAttributes-source_namespace><td><code>sourceNamespace</code></td><td><code>string</code></td><td><p>Source namespace constraining the applicability of a rule to workloads in that namespace.
If the VirtualService has a list of gateways specified in the top-level <code>gateways</code> field,
it must include the reserved gateway <code>mesh</code> for this field to be applicable.</p></td><td>No</td></tr></tbody></table></section><h2 id=TLSMatchAttributes>TLSMatchAttributes</h2><section><p>TLS connection match attributes.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=TLSMatchAttributes-sni_hosts><td><code>sniHosts</code></td><td><code>string[]</code></td><td><p>SNI (server name indicator) to match on. Wildcard prefixes
can be used in the SNI value, e.g., *.com will match foo.example.com
as well as example.com. An SNI value must be a subset (i.e., fall
within the domain) of the corresponding virtual serivce&rsquo;s hosts.</p></td><td>Yes</td></tr><tr id=TLSMatchAttributes-destination_subnets><td><code>destinationSubnets</code></td><td><code>string[]</code></td><td><p>IPv4 or IPv6 ip addresses of destination with optional subnet. E.g.,
a.b.c.d/xx form or just a.b.c.d.</p></td><td>No</td></tr><tr id=TLSMatchAttributes-port><td><code>port</code></td><td><code>uint32</code></td><td><p>Specifies the port on the host that is being addressed. Many services
only expose a single port or label ports with the protocols they
support, in these cases it is not required to explicitly select the
port.</p></td><td>No</td></tr><tr id=TLSMatchAttributes-source_labels><td><code>sourceLabels</code></td><td><code>map&lt;string,&nbsp;string></code></td><td><p>One or more labels that constrain the applicability of a rule to
workloads with the given labels. If the VirtualService has a list of
gateways specified in the top-level <code>gateways</code> field, it should include the reserved gateway
<code>mesh</code> in order for this field to be applicable.</p></td><td>No</td></tr><tr id=TLSMatchAttributes-gateways><td><code>gateways</code></td><td><code>string[]</code></td><td><p>Names of gateways where the rule should be applied. Gateway names
in the top-level <code>gateways</code> field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.</p></td><td>No</td></tr><tr id=TLSMatchAttributes-source_namespace><td><code>sourceNamespace</code></td><td><code>string</code></td><td><p>Source namespace constraining the applicability of a rule to workloads in that namespace.
If the VirtualService has a list of gateways specified in the top-level <code>gateways</code> field,
it must include the reserved gateway <code>mesh</code> for this field to be applicable.</p></td><td>No</td></tr></tbody></table></section><h2 id=HTTPRedirect>HTTPRedirect</h2><section><p>HTTPRedirect can be used to send a 301 redirect response to the caller,
where the Authority/Host and the URI in the response can be swapped with
the specified values. For example, the following rule redirects
requests for /v1/getProductRatings API on the ratings service to
/v1/bookRatings provided by the bookratings service.</p><div id=tabset-docs-reference-config-networking-virtual-service-14 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-14-0-panel id=tabset-docs-reference-config-networking-virtual-service-14-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-14-1-panel id=tabset-docs-reference-config-networking-virtual-service-14-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-14-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-14-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- match:
- uri:
exact: /v1/getProductRatings
redirect:
uri: /v1/bookRatings
authority: newratings.default.svc.cluster.local
...
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-14-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-14-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- match:
- uri:
exact: /v1/getProductRatings
redirect:
uri: /v1/bookRatings
authority: newratings.default.svc.cluster.local
...
</code></pre></div></div></div><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=HTTPRedirect-uri><td><code>uri</code></td><td><code>string</code></td><td><p>On a redirect, overwrite the Path portion of the URL with this
value. Note that the entire path will be replaced, irrespective of the
request URI being matched as an exact path or prefix.</p></td><td>No</td></tr><tr id=HTTPRedirect-authority><td><code>authority</code></td><td><code>string</code></td><td><p>On a redirect, overwrite the Authority/Host portion of the URL with
this value.</p></td><td>No</td></tr><tr id=HTTPRedirect-redirect_code><td><code>redirectCode</code></td><td><code>uint32</code></td><td><p>On a redirect, Specifies the HTTP status code to use in the redirect
response. The default response code is MOVED_PERMANENTLY (301).</p></td><td>No</td></tr></tbody></table></section><h2 id=HTTPRewrite>HTTPRewrite</h2><section><p>HTTPRewrite can be used to rewrite specific parts of a HTTP request
before forwarding the request to the destination. Rewrite primitive can
be used only with HTTPRouteDestination. The following example
demonstrates how to rewrite the URL prefix for api call (/ratings) to
ratings service before making the actual API call.</p><div id=tabset-docs-reference-config-networking-virtual-service-15 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-15-0-panel id=tabset-docs-reference-config-networking-virtual-service-15-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-15-1-panel id=tabset-docs-reference-config-networking-virtual-service-15-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-15-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-15-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- match:
- uri:
prefix: /ratings
rewrite:
uri: /v1/bookRatings
route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-15-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-15-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- match:
- uri:
prefix: /ratings
rewrite:
uri: /v1/bookRatings
route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
</code></pre></div></div></div><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=HTTPRewrite-uri><td><code>uri</code></td><td><code>string</code></td><td><p>rewrite the path (or the prefix) portion of the URI with this
value. If the original URI was matched based on prefix, the value
provided in this field will replace the corresponding matched prefix.</p></td><td>No</td></tr><tr id=HTTPRewrite-authority><td><code>authority</code></td><td><code>string</code></td><td><p>rewrite the Authority/Host header with this value.</p></td><td>No</td></tr></tbody></table></section><h2 id=StringMatch>StringMatch</h2><section><p>Describes how to match a given string in HTTP headers. Match is
case-sensitive.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=StringMatch-exact class="oneof oneof-start"><td><code>exact</code></td><td><code>string (oneof)</code></td><td><p>exact string match</p></td><td>No</td></tr><tr id=StringMatch-prefix class=oneof><td><code>prefix</code></td><td><code>string (oneof)</code></td><td><p>prefix-based match</p></td><td>No</td></tr><tr id=StringMatch-regex class=oneof><td><code>regex</code></td><td><code>string (oneof)</code></td><td><p>RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).</p></td><td>No</td></tr></tbody></table></section><h2 id=HTTPRetry>HTTPRetry</h2><section><p>Describes the retry policy to use when a HTTP request fails. For
example, the following rule sets the maximum number of retries to 3 when
calling ratings:v1 service, with a 2s timeout per retry attempt.</p><div id=tabset-docs-reference-config-networking-virtual-service-16 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-16-0-panel id=tabset-docs-reference-config-networking-virtual-service-16-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-16-1-panel id=tabset-docs-reference-config-networking-virtual-service-16-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-16-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-16-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
retries:
attempts: 3
perTryTimeout: 2s
retryOn: gateway-error,connect-failure,refused-stream
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-16-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-16-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
retries:
attempts: 3
perTryTimeout: 2s
retryOn: gateway-error,connect-failure,refused-stream
</code></pre></div></div></div><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=HTTPRetry-attempts><td><code>attempts</code></td><td><code>int32</code></td><td><p>Number of retries to be allowed for a given request. The interval
between retries will be determined automatically (25ms+). When request
<code>timeout</code> of the <a href=/v1.8/docs/reference/config/networking/virtual-service/#HTTPRoute>HTTP route</a>
or <code>per_try_timeout</code> is configured, the actual number of retries attempted also depends on
the specified request <code>timeout</code> and <code>per_try_timeout</code> values.</p></td><td>Yes</td></tr><tr id=HTTPRetry-per_try_timeout><td><code>perTryTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms.
Default is same value as request
<code>timeout</code> of the <a href=/v1.8/docs/reference/config/networking/virtual-service/#HTTPRoute>HTTP route</a>,
which means no timeout.</p></td><td>No</td></tr><tr id=HTTPRetry-retry_on><td><code>retryOn</code></td><td><code>string</code></td><td><p>Specifies the conditions under which retry takes place.
One or more policies can be specified using a , delimited list.
See the <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on>retry policies</a>
and <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on>gRPC retry policies</a> for more details.</p></td><td>No</td></tr><tr id=HTTPRetry-retry_remote_localities><td><code>retryRemoteLocalities</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></code></td><td><p>Flag to specify whether the retries should retry to other localities.
See the <a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration>retry plugin configuration</a> for more details.</p></td><td>No</td></tr></tbody></table></section><h2 id=CorsPolicy>CorsPolicy</h2><section><p>Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
service. Refer to <a href=https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS>CORS</a>
for further details about cross origin resource sharing. For example,
the following rule restricts cross origin requests to those originating
from example.com domain using HTTP POST/GET, and sets the
<code>Access-Control-Allow-Credentials</code> header to false. In addition, it only
exposes <code>X-Foo-bar</code> header and sets an expiry period of 1 day.</p><div id=tabset-docs-reference-config-networking-virtual-service-17 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-17-0-panel id=tabset-docs-reference-config-networking-virtual-service-17-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-17-1-panel id=tabset-docs-reference-config-networking-virtual-service-17-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-17-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-17-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
corsPolicy:
allowOrigins:
- exact: https://example.com
allowMethods:
- POST
- GET
allowCredentials: false
allowHeaders:
- X-Foo-Bar
maxAge: &quot;24h&quot;
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-17-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-17-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
corsPolicy:
allowOrigins:
- exact: https://example.com
allowMethods:
- POST
- GET
allowCredentials: false
allowHeaders:
- X-Foo-Bar
maxAge: &quot;24h&quot;
</code></pre></div></div></div><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=CorsPolicy-allow_origins><td><code>allowOrigins</code></td><td><code><a href=#StringMatch>StringMatch[]</a></code></td><td><p>String patterns that match allowed origins.
An origin is allowed if any of the string matchers match.
If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.</p></td><td>No</td></tr><tr id=CorsPolicy-allow_methods><td><code>allowMethods</code></td><td><code>string[]</code></td><td><p>List of HTTP methods allowed to access the resource. The content will
be serialized into the Access-Control-Allow-Methods header.</p></td><td>No</td></tr><tr id=CorsPolicy-allow_headers><td><code>allowHeaders</code></td><td><code>string[]</code></td><td><p>List of HTTP headers that can be used when requesting the
resource. Serialized to Access-Control-Allow-Headers header.</p></td><td>No</td></tr><tr id=CorsPolicy-expose_headers><td><code>exposeHeaders</code></td><td><code>string[]</code></td><td><p>A list of HTTP headers that the browsers are allowed to
access. Serialized into Access-Control-Expose-Headers header.</p></td><td>No</td></tr><tr id=CorsPolicy-max_age><td><code>maxAge</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Specifies how long the results of a preflight request can be
cached. Translates to the <code>Access-Control-Max-Age</code> header.</p></td><td>No</td></tr><tr id=CorsPolicy-allow_credentials><td><code>allowCredentials</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></code></td><td><p>Indicates whether the caller is allowed to send the actual request
(not the preflight) using credentials. Translates to
<code>Access-Control-Allow-Credentials</code> header.</p></td><td>No</td></tr></tbody></table></section><h2 id=HTTPFaultInjection>HTTPFaultInjection</h2><section><p>HTTPFaultInjection can be used to specify one or more faults to inject
while forwarding HTTP requests to the destination specified in a route.
Fault specification is part of a VirtualService rule. Faults include
aborting the Http request from downstream service, and/or delaying
proxying of requests. A fault rule MUST HAVE delay or abort or both.</p><p><em>Note:</em> Delay and abort faults are independent of one another, even if
both are specified simultaneously.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=HTTPFaultInjection-delay><td><code>delay</code></td><td><code><a href=#HTTPFaultInjection-Delay>Delay</a></code></td><td><p>Delay requests before forwarding, emulating various failures such as
network issues, overloaded upstream service, etc.</p></td><td>No</td></tr><tr id=HTTPFaultInjection-abort><td><code>abort</code></td><td><code><a href=#HTTPFaultInjection-Abort>Abort</a></code></td><td><p>Abort Http request attempts and return error codes back to downstream
service, giving the impression that the upstream service is faulty.</p></td><td>No</td></tr></tbody></table></section><h2 id=PortSelector>PortSelector</h2><section><p>PortSelector specifies the number of a port to be used for
matching or selection for final routing.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=PortSelector-number><td><code>number</code></td><td><code>uint32</code></td><td><p>Valid port number</p></td><td>No</td></tr></tbody></table></section><h2 id=Percent>Percent</h2><section><p>Percent specifies a percentage in the range of [0.0, 100.0].</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Percent-value><td><code>value</code></td><td><code>double</code></td><td></td><td>No</td></tr></tbody></table></section><h2 id=Headers-HeaderOperations>Headers.HeaderOperations</h2><section><p>HeaderOperations Describes the header manipulations to apply</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Headers-HeaderOperations-set><td><code>set</code></td><td><code>map&lt;string,&nbsp;string></code></td><td><p>Overwrite the headers specified by key with the given values</p></td><td>No</td></tr><tr id=Headers-HeaderOperations-add><td><code>add</code></td><td><code>map&lt;string,&nbsp;string></code></td><td><p>Append the given values to the headers specified by keys
(will create a comma-separated list of values)</p></td><td>No</td></tr><tr id=Headers-HeaderOperations-remove><td><code>remove</code></td><td><code>string[]</code></td><td><p>Remove a the specified headers</p></td><td>No</td></tr></tbody></table></section><h2 id=HTTPFaultInjection-Delay>HTTPFaultInjection.Delay</h2><section><p>Delay specification is used to inject latency into the request
forwarding path. The following example will introduce a 5 second delay
in 1 out of every 1000 requests to the &ldquo;v1&rdquo; version of the &ldquo;reviews&rdquo;
service from all pods with label env: prod</p><div id=tabset-docs-reference-config-networking-virtual-service-18 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-18-0-panel id=tabset-docs-reference-config-networking-virtual-service-18-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-18-1-panel id=tabset-docs-reference-config-networking-virtual-service-18-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-18-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-18-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- match:
- sourceLabels:
env: prod
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
fault:
delay:
percentage:
value: 0.1
fixedDelay: 5s
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-18-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-18-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- match:
- sourceLabels:
env: prod
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
fault:
delay:
percentage:
value: 0.1
fixedDelay: 5s
</code></pre></div></div></div><p>The <em>fixedDelay</em> field is used to indicate the amount of delay in seconds.
The optional <em>percentage</em> field can be used to only delay a certain
percentage of requests. If left unspecified, all request will be delayed.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=HTTPFaultInjection-Delay-fixed_delay class="oneof oneof-start"><td><code>fixedDelay</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration (oneof)</a></code></td><td><p>Add a fixed delay before forwarding the request. Format:
1h/1m/1s/1ms. MUST be >=1ms.</p></td><td>Yes</td></tr><tr id=HTTPFaultInjection-Delay-percentage><td><code>percentage</code></td><td><code><a href=#Percent>Percent</a></code></td><td><p>Percentage of requests on which the delay will be injected.</p></td><td>No</td></tr><tr id=HTTPFaultInjection-Delay-percent class=deprecated><td><code>percent</code></td><td><code>int32</code></td><td><p>Percentage of requests on which the delay will be injected (0-100).
Use of integer <code>percent</code> value is deprecated. Use the double <code>percentage</code>
field instead.</p></td><td>No</td></tr></tbody></table></section><h2 id=HTTPFaultInjection-Abort>HTTPFaultInjection.Abort</h2><section><p>Abort specification is used to prematurely abort a request with a
pre-specified error code. The following example will return an HTTP 400
error code for 1 out of every 1000 requests to the &ldquo;ratings&rdquo; service &ldquo;v1&rdquo;.</p><div id=tabset-docs-reference-config-networking-virtual-service-19 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-virtual-service-19-0-panel id=tabset-docs-reference-config-networking-virtual-service-19-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-virtual-service-19-1-panel id=tabset-docs-reference-config-networking-virtual-service-19-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-virtual-service-19-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-19-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
fault:
abort:
percentage:
value: 0.1
httpStatus: 400
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-virtual-service-19-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-virtual-service-19-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
fault:
abort:
percentage:
value: 0.1
httpStatus: 400
</code></pre></div></div></div><p>The <em>httpStatus</em> field is used to indicate the HTTP status code to
return to the caller. The optional <em>percentage</em> field can be used to only
abort a certain percentage of requests. If not specified, all requests are
aborted.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=HTTPFaultInjection-Abort-http_status class="oneof oneof-start"><td><code>httpStatus</code></td><td><code>int32 (oneof)</code></td><td><p>HTTP status code to use to abort the Http request.</p></td><td>Yes</td></tr><tr id=HTTPFaultInjection-Abort-percentage><td><code>percentage</code></td><td><code><a href=#Percent>Percent</a></code></td><td><p>Percentage of requests to be aborted with the error code provided.</p></td><td>No</td></tr></tbody></table></section><h2 id=google-protobuf-UInt32Value>google.protobuf.UInt32Value</h2><section><p>Wrapper message for <code>uint32</code>.</p><p>The JSON representation for <code>UInt32Value</code> is JSON number.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=google-protobuf-UInt32Value-value><td><code>value</code></td><td><code>uint32</code></td><td><p>The uint32 value.</p></td><td>No</td></tr></tbody></table></section></article><nav class=pagenav><div class=left><a title="Configuration affecting network reachability of a sidecar." href=/v1.8/docs/reference/config/networking/sidecar/><svg class="icon left-arrow"><use xlink:href="/v1.8/img/icons.svg#left-arrow"/></svg>Sidecar</a></div><div class=right><a title="Configuration affecting VMs onboarded into the mesh." href=/v1.8/docs/reference/config/networking/workload-entry/>Workload Entry<svg class="icon right-arrow"><use xlink:href="/v1.8/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>
<button class="btn feedback" onclick="sendFeedback('en',0)">No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder="Help us improve..." data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label=VirtualService><a href=#VirtualService>VirtualService</a><li role=none aria-label=Destination><a href=#Destination>Destination</a><li role=none aria-label=HTTPRoute><a href=#HTTPRoute>HTTPRoute</a><li role=none aria-label=Delegate><a href=#Delegate>Delegate</a><li role=none aria-label=Headers><a href=#Headers>Headers</a><li role=none aria-label=TLSRoute><a href=#TLSRoute>TLSRoute</a><li role=none aria-label=TCPRoute><a href=#TCPRoute>TCPRoute</a><li role=none aria-label=HTTPMatchRequest><a href=#HTTPMatchRequest>HTTPMatchRequest</a><li role=none aria-label=HTTPRouteDestination><a href=#HTTPRouteDestination>HTTPRouteDestination</a><li role=none aria-label=RouteDestination><a href=#RouteDestination>RouteDestination</a><li role=none aria-label=L4MatchAttributes><a href=#L4MatchAttributes>L4MatchAttributes</a><li role=none aria-label=TLSMatchAttributes><a href=#TLSMatchAttributes>TLSMatchAttributes</a><li role=none aria-label=HTTPRedirect><a href=#HTTPRedirect>HTTPRedirect</a><li role=none aria-label=HTTPRewrite><a href=#HTTPRewrite>HTTPRewrite</a><li role=none aria-label=StringMatch><a href=#StringMatch>StringMatch</a><li role=none aria-label=HTTPRetry><a href=#HTTPRetry>HTTPRetry</a><li role=none aria-label=CorsPolicy><a href=#CorsPolicy>CorsPolicy</a><li role=none aria-label=HTTPFaultInjection><a href=#HTTPFaultInjection>HTTPFaultInjection</a><li role=none aria-label=PortSelector><a href=#PortSelector>PortSelector</a><li role=none aria-label=Percent><a href=#Percent>Percent</a><li role=none aria-label=Headers.HeaderOperations><a href=#Headers-HeaderOperations>Headers.HeaderOperations</a><li role=none aria-label=HTTPFaultInjection.Delay><a href=#HTTPFaultInjection-Delay>HTTPFaultInjection.Delay</a><li role=none aria-label=HTTPFaultInjection.Abort><a href=#HTTPFaultInjection-Abort>HTTPFaultInjection.Abort</a><li role=none aria-label=google.protobuf.UInt32Value><a href=#google-protobuf-UInt32Value>google.protobuf.UInt32Value</a></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.8.3 now" href=/v1.8/docs/setup/getting-started/#download aria-label="Download Istio"><span>download</span><svg class="icon download"><use xlink:href="/v1.8/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon discourse"><use xlink:href="/v1.8/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon stackoverflow"><use xlink:href="/v1.8/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><span>slack</span><svg class="icon slack"><use xlink:href="/v1.8/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon twitter"><use xlink:href="/v1.8/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.8.3<br>&copy; 2020 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on February 9, 2021</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon github"><use xlink:href="/v1.8/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon drive"><use xlink:href="/v1.8/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon working-groups"><use xlink:href="/v1.8/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon top"><use xlink:href="/v1.8/img/icons.svg#top"/></svg></button></div></body></html>