istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.1/docs/concepts/traffic-management/index.html

722 lines
99 KiB
HTML
Raw Blame History

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Traffic Management"><meta name=description content="Describes the various Istio features focused on traffic routing and control."><meta name=keywords content=microservices,services,mesh,traffic-management><meta property=og:title content="Traffic Management"><meta property=og:type content=website><meta property=og:description content="Describes the various Istio features focused on traffic routing and control."><meta property=og:url content=/v1.1/docs/concepts/traffic-management/><meta property=og:image content=/v1.1/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.1 / Traffic Management</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.1/feed.xml><link rel="shortcut icon" href=/v1.1/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.1/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.1/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.1/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.1/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.1/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.1/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.1/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.1/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.1/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.1/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.1/css/all.css></head><body class="language-unknown archive-site"><script src=/v1.1/js/themes_init.min.js></script><script>const branchName="release-1.1";const docTitle="Traffic Management";const iconFile="\/v1.1/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.1/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.1/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.1</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#hamburger"/></svg></div><div id=header-links><span title="Learn how to deploy, use, and operate Istio.">Docs</span>
<a title="Posts about using Istio." href=/v1.1/blog/2019/announcing-1.1.9/>Blog</a>
<a title="A bunch of resources to help you deploy, configure and use Istio." href=/v1.1/help/>Help</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.1/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/concepts\/traffic-management\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/concepts\/traffic-management\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.1/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card19 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card19-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#concepts"/></svg>Concepts</button><div class="body default" aria-labelledby=card19 role=region id=card19-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card19><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture and design goals." href=/v1.1/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><span role=treeitem class=current title="Describes the various Istio features focused on traffic routing and control.">Traffic Management</span></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.1/docs/concepts/security/>Security</a></li><li role=none><a role=treeitem title="Describes the policy enforcement and telemetry mechanisms." href=/v1.1/docs/concepts/policies-and-telemetry/>Policies and Telemetry</a></li><li role=none><a role=treeitem title="Introduces performance and scalability for Istio." href=/v1.1/docs/concepts/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Describes how a service mesh can be configured to include services from more than one cluster." href=/v1.1/docs/concepts/multicluster-deployments/>Multicluster Deployments</a></li></ul></div></div><div class=card><button class="header dynamic" id=card39 title="How to deploy and upgrade Istio in various environments such as Kubernetes and Consul." aria-controls=card39-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card39 role=region id=card39-body><ul role=tree aria-expanded=true aria-labelledby=card39><li role=treeitem aria-label=Kubernetes><button aria-hidden=true></button><a title="Instructions for installing the Istio control plane on Kubernetes and adding virtual machines into the mesh." href=/v1.1/docs/setup/kubernetes/>Kubernetes</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Prepare><button aria-hidden=true></button><a title="Getting ready for Istio." href=/v1.1/docs/setup/kubernetes/prepare/>Prepare</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Prepare your Kubernetes pods and services to run in an Istio-enabled cluster." href=/v1.1/docs/setup/kubernetes/prepare/requirements/>Pods and Services</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker For Desktop for use with Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/docker/>Docker For Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup Minikube for use with Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li></ul></li><li role=none><a role=treeitem title="Download the Istio release and prepare for installation." href=/v1.1/docs/setup/kubernetes/download/>Download</a></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the flows that best suit your needs and platform." href=/v1.1/docs/setup/kubernetes/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Instructions to install and configure an Istio mesh in a Kubernetes cluster for evaluation." href=/v1.1/docs/setup/kubernetes/install/kubernetes/>Quick Start Evaluation Install</a></li><li role=none><a role=treeitem title="Instructions to install Istio using a Helm chart." href=/v1.1/docs/setup/kubernetes/install/helm/>Customizable Install with Helm</a></li><li role=treeitem aria-label="Multicluster Installation"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.1/docs/setup/kubernetes/install/multicluster/>Multicluster Installation</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters using Istio Gateway to reach remote pods." href=/v1.1/docs/setup/kubernetes/install/multicluster/gateways/>Gateway Connectivity</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with direct network access to remote pods." href=/v1.1/docs/setup/kubernetes/install/multicluster/vpn/>VPN Connectivity</a></li></ul></li><li role=treeitem aria-label="Platform-specific Instructions"><button aria-hidden=true></button><a title="Additional installation flows for the supported Kubernetes platforms." href=/v1.1/docs/setup/kubernetes/install/platform/>Platform-specific Instructions</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to install Istio using the Alibaba Cloud Kubernetes Container Service." href=/v1.1/docs/setup/kubernetes/install/platform/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to install Istio using the Google Kubernetes Engine (GKE)." href=/v1.1/docs/setup/kubernetes/install/platform/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to install Istio using IBM Cloud Public or IBM Cloud Private." href=/v1.1/docs/setup/kubernetes/install/platform/ibm/>IBM Cloud</a></li></ul></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Information on upgrading Istio." href=/v1.1/docs/setup/kubernetes/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Important changes operators must understand before upgrading to Istio 1.1." href=/v1.1/docs/setup/kubernetes/upgrade/notice/>1.1 Upgrade Notice</a></li><li role=none><a role=treeitem title="Upgrade the Istio control plane and data plane independently." href=/v1.1/docs/setup/kubernetes/upgrade/steps/>Upgrade Steps</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.1/docs/setup/kubernetes/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.1/docs/setup/kubernetes/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.1/docs/setup/kubernetes/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.1/docs/setup/kubernetes/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li><li role=none><a role=treeitem title="Integrate VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href=/v1.1/docs/setup/kubernetes/additional-setup/mesh-expansion/>Mesh Expansion</a></li></ul></li></ul></li><li role=treeitem aria-label="Nomad &amp; Consul"><button aria-hidden=true></button><a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href=/v1.1/docs/setup/consul/>Nomad &amp; Consul</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href=/v1.1/docs/setup/consul/quick-start/>Quick Start on Docker</a></li><li role=none><a role=treeitem title="Instructions for installing the Istio control plane in a Consul-based environment, with or without Nomad." href=/v1.1/docs/setup/consul/install/>Installation</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card57 title="How to do single specific targeted activities with the Istio system." aria-controls=card57-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#tasks"/></svg>Tasks</button><div class=body aria-labelledby=card57 role=region id=card57-body><ul role=tree aria-expanded=true aria-labelledby=card57><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.1/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.1/docs/tasks/traffic-management/request-routing/>Configuring Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.1/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.1/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.1/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.1/docs/tasks/traffic-management/request-timeouts/>Setting Request Timeouts</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to expose a service outside of the service mesh." href=/v1.1/docs/tasks/traffic-management/ingress/>Control Ingress Traffic</a></li><li role=treeitem aria-label="Securing Ingress Gateway"><button aria-hidden=true></button><a title="Secure ingress gateway controllers using various approaches." href=/v1.1/docs/tasks/traffic-management/secure-ingress/>Securing Ingress Gateway</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS." href=/v1.1/docs/tasks/traffic-management/secure-ingress/mount/>Securing Gateways with HTTPS With a File Mount-Based Approach</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to expose a service outside of the service mesh, over TLS or Mutual TLS, using secret discovery service." href=/v1.1/docs/tasks/traffic-management/secure-ingress/sds/>Securing Gateways with HTTPS Using Secret Discovery Service</a></li></ul></li><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.1/docs/tasks/traffic-management/egress/>Control Egress Traffic</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.1/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.1/docs/tasks/traffic-management/mirroring/>Mirroring</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.1/docs/tasks/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.1/docs/tasks/security/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for HTTP services." href=/v1.1/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for TCP services." href=/v1.1/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></li><li role=none><a role=treeitem title="Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio." href=/v1.1/docs/tasks/security/rbac-groups/>Authorization for groups and list claims</a></li><li role=none><a role=treeitem title="Shows how to use Authorization permissive mode." href=/v1.1/docs/tasks/security/authz-permissive/>Authorization permissive mode</a></li><li role=none><a role=treeitem title="This task shows you how to integrate a Vault Certificate Authority with Istio for mutual TLS." href=/v1.1/docs/tasks/security/vault-ca/>Istio Vault CA Integration</a></li><li role=none><a role=treeitem title="Shows you how to verify and test Istio's automatic mutual TLS authentication." href=/v1.1/docs/tasks/security/mutual-tls/>Mutual TLS Deep-Dive</a></li><li role=none><a role=treeitem title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href=/v1.1/docs/tasks/security/plugin-ca-cert/>Plugging in External CA Key and Certificate</a></li><li role=none><a role=treeitem title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.1/docs/tasks/security/health-check/>Citadel Health Checking</a></li><li role=none><a role=treeitem title="Shows how to enable SDS (secret discovery service) for Istio identity provisioning." href=/v1.1/docs/tasks/security/auth-sds/>Provisioning Identity through SDS</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.1/docs/tasks/security/mtls-migration/>Mutual TLS Migration</a></li><li role=none><a role=treeitem title="Shows how to enable mutual TLS on HTTPS services." href=/v1.1/docs/tasks/security/https-overlay/>Mutual TLS over HTTPS</a></li></ul></li><li role=treeitem aria-label=Policies><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.1/docs/tasks/policy-enforcement/>Policies</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to enable Istio policy enforcement." href=/v1.1/docs/tasks/policy-enforcement/enabling-policy/>Enabling Policy Enforcement</a></li><li role=none><a role=treeitem title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.1/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits</a></li><li role=none><a role=treeitem title="Shows how to modify request headers and routing using policy adapters." href=/v1.1/docs/tasks/policy-enforcement/control-headers/>Control Headers and Routing</a></li><li role=none><a role=treeitem title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.1/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.1/docs/tasks/telemetry/>Telemetry</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh metrics." href=/v1.1/docs/tasks/telemetry/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize metrics." href=/v1.1/docs/tasks/telemetry/metrics/collecting-metrics/>Collecting Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.1/docs/tasks/telemetry/metrics/tcp-metrics/>Collecting Metrics for TCP services</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.1/docs/tasks/telemetry/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.1/docs/tasks/telemetry/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh logs." href=/v1.1/docs/tasks/telemetry/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize logs." href=/v1.1/docs/tasks/telemetry/logs/collecting-logs/>Collecting Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access log to their standard output." href=/v1.1/docs/tasks/telemetry/logs/access-log/>Getting Envoy&#39;s Access Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to log to a Fluentd daemon." href=/v1.1/docs/tasks/telemetry/logs/fluentd/>Logging with Fluentd</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.1/docs/tasks/telemetry/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.1/docs/tasks/telemetry/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.1/docs/tasks/telemetry/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.1/docs/tasks/telemetry/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to LightStep." href=/v1.1/docs/tasks/telemetry/distributed-tracing/lightstep/>LightStep</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.1/docs/tasks/telemetry/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.1/docs/tasks/telemetry/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card72 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card72-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card72 role=region id=card72-body><ul role=tree aria-expanded=true aria-labelledby=card72><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.1/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=none><a role=treeitem title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href=/v1.1/docs/examples/endpoints/>Install Istio for Google Cloud Endpoints Services</a></li><li role=none><a role=treeitem title="Illustrates how to use Istio to control a Kubernetes cluster and raw VMs as a single mesh." href=/v1.1/docs/examples/integrating-vms/>Integrating Virtual Machines</a></li><li role=treeitem aria-label="Edge Traffic Management"><button aria-hidden=true></button><a title="A variety of advanced examples for managing traffic at the edge (i.e., ingress and egress traffic) of an Istio service mesh." href=/v1.1/docs/examples/advanced-gateways/>Edge Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.1/docs/examples/advanced-gateways/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.1/docs/examples/advanced-gateways/egress-tls-origination/>TLS Origination for Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.1/docs/examples/advanced-gateways/egress-gateway/>Configure an Egress Gateway</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services." href=/v1.1/docs/examples/advanced-gateways/egress-gateway-tls-origination/>Egress Gateway with TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.1/docs/examples/advanced-gateways/wildcard-egress-hosts/>Configure Egress Traffic using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Describes how to configure SNI monitoring and apply policies on TLS egress traffic." href=/v1.1/docs/examples/advanced-gateways/egress_sni_monitoring_and_policies/>SNI Monitoring and Policies for TLS Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.1/docs/examples/advanced-gateways/http-proxy/>Connect to an External HTTPS Proxy</a></li><li role=none><a role=treeitem title="Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager." href=/v1.1/docs/examples/advanced-gateways/ingress-certmgr/>Securing Kubernetes Ingress with Cert-Manager</a></li></ul></li><li role=treeitem aria-label="Multicluster Service Mesh"><button aria-hidden=true></button><a title="A variety of fully working multicluster examples for Istio that you can experiment with." href=/v1.1/docs/examples/multicluster/>Multicluster Service Mesh</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuring remote services in a gateway-connected multicluster mesh." href=/v1.1/docs/examples/multicluster/gateways/>Gateway-Connected Clusters</a></li><li role=none><a role=treeitem title="Set up a multicluster mesh over two GKE clusters." href=/v1.1/docs/examples/multicluster/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Example multicluster mesh over two IBM Cloud Private clusters." href=/v1.1/docs/examples/multicluster/icp/>IBM Cloud Private</a></li><li role=none><a role=treeitem title="Multicluster mesh between IBM Cloud Kubernetes Service and IBM Cloud Private." href=/v1.1/docs/examples/multicluster/iks-icp/>IBM Cloud Kubernetes Service &amp; IBM Cloud Private</a></li><li role=none><a role=treeitem title="Leveraging Istio's Split-horizon EDS to create a multicluster mesh." href=/v1.1/docs/examples/multicluster/split-horizon-eds/>Cluster-Aware Service Routing</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card106 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card106-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#reference"/></svg>Reference</button><div class=body aria-labelledby=card106 role=region id=card106-body><ul role=tree aria-expanded=true aria-labelledby=card106><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.1/docs/reference/config/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.1/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.1/docs/reference/config/networking/v1alpha3/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Configuration affecting insertion of custom Envoy filters." href=/v1.1/docs/reference/config/networking/v1alpha3/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.1/docs/reference/config/networking/v1alpha3/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." href=/v1.1/docs/reference/config/networking/v1alpha3/service-entry/>Service Entry</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.1/docs/reference/config/networking/v1alpha3/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.1/docs/reference/config/networking/v1alpha3/virtual-service/>Virtual Service</a></li></ul></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Describes how to configure Istio's authorization features." href=/v1.1/docs/reference/config/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the supported constraints and properties." href=/v1.1/docs/reference/config/authorization/constraints-and-properties/>Constraints and Properties</a></li><li role=none><a role=treeitem title="Configuration for Role Based Access Control." href=/v1.1/docs/reference/config/authorization/istio.rbac.v1alpha1/>RBAC</a></li></ul></li><li role=none><a role=treeitem title="Describes the options available when installing Istio using the included Helm chart." href=/v1.1/docs/reference/config/installation-options/>Installation Options</a></li><li role=none><a role=treeitem title="Details the Helm chart installation options differences between release-1.0 and release-1.1." href=/v1.1/docs/reference/config/installation-options-changes/>Installation Options Changes</a></li><li role=treeitem aria-label="Policies and Telemetry"><button aria-hidden=true></button><a title="Describes how to configure Istio's policy and telemetry features." href=/v1.1/docs/reference/config/policy-and-telemetry/>Policies and Telemetry</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Describes the base attribute vocabulary used for policy and control." href=/v1.1/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>Attribute Vocabulary</a></li><li role=none><a role=treeitem title="Mixer configuration expression language reference." href=/v1.1/docs/reference/config/policy-and-telemetry/expression-language/>Expression Language</a></li><li role=treeitem aria-label=Adapters><button aria-hidden=true></button><a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/>Adapters</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Adapter to deliver metrics to Apache SkyWalking." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/apache-skywalking/>Apache SkyWalking</a></li><li role=none><a role=treeitem title="Adapter for Apigee's distributed policy checks and analytics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/apigee/>Apigee</a></li><li role=none><a role=treeitem title="Adapter for circonus.com's monitoring solution." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/circonus/>Circonus</a></li><li role=none><a role=treeitem title="Adapter for cloudmonitor metrics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/cloudmonitor/>CloudMonitor</a></li><li role=none><a role=treeitem title="Adapter for cloudwatch metrics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/>CloudWatch</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/datadog/>Datadog</a></li><li role=none><a role=treeitem title="Adapter that always returns a precondition denial." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/denier/>Denier</a></li><li role=none><a role=treeitem title="Adapter that delivers logs to a Fluentd daemon." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/fluentd/>Fluentd</a></li><li role=none><a role=treeitem title="Adapter that extracts information from a Kubernetes environment." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/>Kubernetes Env</a></li><li role=none><a role=treeitem title="Adapter that performs whitelist or blacklist checks." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/list/>List</a></li><li role=none><a role=treeitem title="Adapter for a simple in-memory quota management system." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/memquota/>Memory quota</a></li><li role=none><a role=treeitem title="Adapter that implements an Open Policy Agent engine." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/opa/>OPA</a></li><li role=none><a role=treeitem title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/prometheus/>Prometheus</a></li><li role=none><a role=treeitem title="Adapter for a Redis-based quota management system." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/redisquota/>Redis Quota</a></li><li role=none><a role=treeitem title="Adapter that sends metrics to SignalFx." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/signalfx/>SignalFx</a></li><li role=none><a role=treeitem title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/solarwinds/>SolarWinds</a></li><li role=none><a role=treeitem title="Adapter to deliver logs, metrics, and traces to Stackdriver." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/stackdriver/>Stackdriver</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a StatsD backend." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/statsd/>StatsD</a></li><li role=none><a role=treeitem title="Adapter to locally output logs and metrics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/stdio/>Stdio</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to Wavefront by VMware." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/wavefront/>Wavefront by VMware</a></li><li role=none><a role=treeitem title="Adapter to deliver tracing data to Zipkin." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/zipkin/>Zipkin</a></li></ul></li><li role=none><a role=treeitem title="Default Metrics exported from Istio through Mixer." href=/v1.1/docs/reference/config/policy-and-telemetry/metrics/>Default Metrics</a></li><li role=treeitem aria-label=Templates><button aria-hidden=true></button><a title="Mixer templates are used to send data to individual adapters." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/>Templates</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="A template that represents a single API key." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/apikey/>API Key</a></li><li role=none><a role=treeitem title="The Analytics template is used to dispatch runtime telemetry to Apigee." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/analytics/>Analytics</a></li><li role=none><a role=treeitem title="A template used to represent an access control query." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/authorization/>Authorization</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/checknothing/>Check Nothing</a></li><li role=none><a role=treeitem title="A template designed to report observed communication edges between workloads." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/edge/>Edge</a></li><li role=none><a role=treeitem title="A template that is used to control the production of Kubernetes-specific attributes." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/kubernetes/>Kubernetes</a></li><li role=none><a role=treeitem title="A template designed to let you perform list checking operations." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/listentry/>List Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime log entry." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/logentry/>Log Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime metric." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/metric/>Metric</a></li><li role=none><a role=treeitem title="A template that represents a quota allocation request." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/quota/>Quota</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/reportnothing/>Report Nothing</a></li><li role=none><a role=treeitem title="A template that represents an individual span within a distributed trace." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/tracespan/>Trace Span</a></li></ul></li><li role=none><a role=treeitem title="Configuration state for the Mixer client library." href=/v1.1/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/>Mixer Client</a></li><li role=none><a role=treeitem title="Describes the rules used to configure Mixer's policy and telemetry features." href=/v1.1/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Rules</a></li></ul></li><li role=none><a role=treeitem title="Authentication policy for Istio services." href=/v1.1/docs/reference/config/istio.authentication.v1alpha1/>Authentication Policy</a></li><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.1/docs/reference/config/istio.mesh.v1alpha1/>Service Mesh</a></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.1/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Galley provides configuration management services for Istio." href=/v1.1/docs/reference/commands/galley/>galley</a></li><li role=none><a role=treeitem title="Istio Certificate Authority (CA)." href=/v1.1/docs/reference/commands/istio_ca/>istio_ca</a></li><li role=none><a role=treeitem title="Istio control interface." href=/v1.1/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Utility to trigger direct calls to Mixer's API." href=/v1.1/docs/reference/commands/mixc/>mixc</a></li><li role=none><a role=treeitem title="Mixer is Istio's abstraction on top of infrastructure backends." href=/v1.1/docs/reference/commands/mixs/>mixs</a></li><li role=none><a role=treeitem title="Istio security per-node agent." href=/v1.1/docs/reference/commands/node_agent/>node_agent</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.1/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.1/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li role=none><a role=treeitem title="Kubernetes webhook for automatic Istio sidecar injection." href=/v1.1/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li></ul></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.1/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.1/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.1/docs/concepts/ title="Learn about the different parts of the Istio system and the abstractions it uses.">Concepts</a></li><li>Traffic Management</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Traffic Management</h1><p class=byline><span title="5361 words"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#clock"/></svg><span>&nbsp;</span>26 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Pilot and Envoy"><a href=#pilot-and-envoy>Pilot and Envoy</a><li role=none aria-label="Request routing"><a href=#request-routing>Request routing</a><ol><li role=none aria-label="Communication between services"><a href=#communication-between-services>Communication between services</a><li role=none aria-label="Ingress and egress"><a href=#ingress-and-egress>Ingress and egress</a></ol></li><li role=none aria-label="Discovery and load balancing"><a href=#discovery-and-load-balancing>Discovery and load balancing</a><ol><li role=none aria-label="Locality Load Balancing"><a href=#locality-load-balancing>Locality Load Balancing</a></ol></li><li role=none aria-label="Handling failures"><a href=#handling-failures>Handling failures</a><ol><li role=none aria-label="Fine tuning"><a href=#fine-tuning>Fine tuning</a><li role=none aria-label="Failure handling FAQ"><a href=#failure-handling-faq>Failure handling FAQ</a></ol></li><li role=none aria-label="Fault injection"><a href=#fault-injection>Fault injection</a><li role=none aria-label="Canary rollout"><a href=#canary-rollout>Canary rollout</a><li role=none aria-label="Rule configuration"><a href=#rule-configuration>Rule configuration</a><ol><li role=none aria-label="Virtual Services"><a href=#virtual-services>Virtual Services</a><ol><li role=none aria-label="Rule destinations"><a href=#rule-destinations>Rule destinations</a><li role=none aria-label="Splitting traffic between versions"><a href=#splitting-traffic-between-versions>Splitting traffic between versions</a><li role=none aria-label="Timeouts and retries"><a href=#timeouts-and-retries>Timeouts and retries</a><li role=none aria-label="Injecting faults"><a href=#injecting-faults>Injecting faults</a><li role=none aria-label="Conditional rules"><a href=#conditional-rules>Conditional rules</a><li role=none aria-label="Multiple match conditions"><a href=#multiple-match-conditions>Multiple match conditions</a><li role=none aria-label=Precedence><a href=#precedence>Precedence</a></ol></li><li role=none aria-label="Destination rules"><a href=#destination-rules>Destination rules</a><ol><li role=none aria-label="Circuit breakers"><a href=#circuit-breakers>Circuit breakers</a><li role=none aria-label="Rule evaluation"><a href=#rule-evaluation>Rule evaluation</a></ol></li><li role=none aria-label="Service entries"><a href=#service-entries>Service entries</a><li role=none aria-label=Gateways><a href=#gateways>Gateways</a><li role=none aria-label=Sidecars><a href=#sidecars>Sidecars</a></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>This page provides an overview of how traffic management works
in Istio, including the benefits of its traffic management
principles. It assumes that you&rsquo;ve already read <a href=/v1.1/docs/concepts/what-is-istio/>What is Istio?</a>
and are familiar with Istio&rsquo;s high-level architecture.</p><p>Using Istio&rsquo;s traffic management model essentially decouples traffic flow
and infrastructure scaling, letting you specify via Pilot what
rules they want traffic to follow rather than which specific pods/VMs should
receive traffic - Pilot and intelligent Envoy proxies look after the
rest. For example, you can specify via Pilot that you want 5%
of traffic for a particular service to go to a canary version irrespective
of the size of the canary deployment, or send traffic to a particular version
depending on the content of the request.</p><figure style=width:85%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:75%><a data-skipendnotes=true href=/v1.1/docs/concepts/traffic-management/./TrafficManagementOverview.svg title="Traffic Management with Istio"><img class=element-to-stretch src=/v1.1/docs/concepts/traffic-management/./TrafficManagementOverview.svg alt="Traffic Management with Istio"></a></div><figcaption>Traffic Management with Istio</figcaption></figure><p>Decoupling traffic flow from infrastructure scaling allows Istio
to provide a variety of traffic management features that live outside the
application code. As well as dynamic <a href=#request-routing>request routing</a>
for A/B testing, gradual rollouts, and canary releases, it also handles
<a href=#handling-failures>failure recovery</a> using timeouts, retries,
circuit breakers, and <a href=#fault-injection>fault injection</a> to
test the compatibility of failure recovery policies across services. These
capabilities are all realized through the Envoy sidecars/proxies deployed
across the service mesh.</p><h2 id=pilot-and-envoy>Pilot and Envoy</h2><p>The core component used for traffic management in Istio is <strong>Pilot</strong>, which
manages and configures all the Envoy
proxy instances deployed in a particular Istio service mesh. Pilot lets you
specify which rules you want to use to route traffic between Envoy proxies
and configure failure recovery features such as timeouts, retries, and
circuit breakers. It also maintains a canonical model of all the services
in the mesh and uses this model to let Envoy instances know about the other Envoy instances in the mesh via its discovery service.</p><p>Each Envoy instance maintains <a href=#discovery-and-load-balancing>load balancing information</a>
based on the information it gets from Pilot and periodic health-checks
of other instances in its load balancing pool, allowing it to intelligently
distribute traffic between destination instances while following its specified
routing rules.</p><p>Pilot is responsible for the lifecycle of Envoy instances deployed
across the Istio service mesh.</p><figure style=width:60%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:70%><a data-skipendnotes=true href=/v1.1/docs/concepts/traffic-management/./PilotAdapters.svg title="Pilot Architecture"><img class=element-to-stretch src=/v1.1/docs/concepts/traffic-management/./PilotAdapters.svg alt="Pilot Architecture"></a></div><figcaption>Pilot Architecture</figcaption></figure><p>As shown in the figure above, Pilot maintains a canonical
representation of services in the mesh that is independent of the underlying
platform. Platform-specific adapters in Pilot are responsible for
populating this canonical model appropriately. For example, the Kubernetes
adapter in Pilot implements the necessary controllers to watch the
Kubernetes API server for changes to the pod registration information, ingress
resources, and third-party resources that store traffic management rules.
This data is translated into the canonical representation. An Envoy-specific configuration is then generated based on the canonical representation.</p><p>Pilot enables service discovery,
dynamic updates to load balancing pools
and routing tables.</p><p>You can specify high-level traffic management rules through
<a href=/v1.1/docs/reference/config/networking/>Pilot&rsquo;s Rule configuration</a>. These rules are translated into low-level
configurations and distributed to Envoy instances.</p><h2 id=request-routing>Request routing</h2><p>As described above, the canonical representation
of services in a mesh is maintained by Pilot. The Istio
model of a service is independent of how it is represented in the underlying
platform (Kubernetes, Mesos, Cloud Foundry,
etc.). Platform-specific adapters are responsible for populating the
internal model representation with various fields from the metadata found
in the platform.</p><p>Istio introduces the concept of a <em>service version</em>, which is a finer-grained
way to subdivide service instances by versions (<code>v1</code>, <code>v2</code>) or environment
(<code>staging</code>, <code>prod</code>). These variants are not necessarily different API
versions: they could be iterative changes to the same service, deployed in
different environments (prod, staging, dev, etc.). Common scenarios where
this is used include A/B testing or canary rollouts. Istio&rsquo;s <a href=#rule-configuration>traffic
routing rules</a> can refer to service versions to provide
additional control over traffic between services.</p><h3 id=communication-between-services>Communication between services</h3><figure style=width:60%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:100%><a data-skipendnotes=true href=/v1.1/docs/concepts/traffic-management/./ServiceModel_Versions.svg title="Service Versions"><img class=element-to-stretch src=/v1.1/docs/concepts/traffic-management/./ServiceModel_Versions.svg alt="Showing how service versions are handled."></a></div><figcaption>Service Versions</figcaption></figure><p>As shown in the figure above, clients of a service have no knowledge
of different versions of the service. They can continue to access the
services using the hostname/IP address of the service. The Envoy sidecar/proxy
intercepts and forwards all requests/responses between the client and the
service.</p><p>Envoy determines its actual choice of service version dynamically
based on the routing rules that you specify by using Pilot. This
model enables the application code to decouple itself from the evolution of its dependent
services, while providing other benefits as well (see
<a href=/v1.1/docs/concepts/policies-and-telemetry/>Mixer</a>). Routing
rules allow Envoy to select a version based
on conditions such as headers, tags associated with
source/destination, and/or by weights assigned to each version.</p><p>Istio also provides load balancing for traffic to multiple instances of
the same service version. See <a href=/v1.1/docs/concepts/traffic-management/#discovery-and-load-balancing>Discovery
and Load Balancing</a> for more.</p><p>Istio does not provide a DNS. Applications can try to resolve the
FQDN using the DNS service present in the underlying platform (<code>kube-dns</code>,
<code>mesos-dns</code>, etc.).</p><h3 id=ingress-and-egress>Ingress and egress</h3><p>Istio assumes that all traffic entering and leaving the service mesh
transits through Envoy proxies. By deploying an Envoy proxy in front of
services, you can conduct A/B testing, deploy canary services,
etc. for user-facing services. Similarly, by routing traffic to external
web services (for instance, accessing a maps API or a video service API)
via the Envoy sidecar, you can add failure recovery features such as
timeouts, retries, and circuit breakers and obtain detailed metrics on
the connections to these services.</p><figure style=width:85%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:42.857142857142854%><a data-skipendnotes=true href=/v1.1/docs/concepts/traffic-management/./ServiceModel_RequestFlow.svg title="Request Flow"><img class=element-to-stretch src=/v1.1/docs/concepts/traffic-management/./ServiceModel_RequestFlow.svg alt="Ingress and Egress through Envoy."></a></div><figcaption>Request Flow</figcaption></figure><h2 id=discovery-and-load-balancing>Discovery and load balancing</h2><p>Istio load balances traffic across instances of a service in a service mesh.</p><p>Istio assumes the presence of a service registry
to keep track of the pods/VMs of a service in the application. It also
assumes that new instances of a service are automatically registered with
the service registry and unhealthy instances are automatically removed.
Platforms such as Kubernetes and Mesos already provide such functionality for
container-based applications, and many solutions exist for VM-based
applications.</p><p>Pilot consumes information from the service
registry and provides a platform-independent service discovery
interface. Envoy instances in the mesh perform service discovery and
dynamically update their load balancing pools accordingly.</p><figure style=width:55%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:80%><a data-skipendnotes=true href=/v1.1/docs/concepts/traffic-management/./LoadBalancing.svg title="Discovery and Load Balancing"><img class=element-to-stretch src=/v1.1/docs/concepts/traffic-management/./LoadBalancing.svg alt="Discovery and Load Balancing"></a></div><figcaption>Discovery and Load Balancing</figcaption></figure><p>As shown in the figure above, services in the mesh access each other
using their DNS names. All HTTP traffic bound to a service is automatically
re-routed through Envoy. Envoy distributes the traffic across instances in
the load balancing pool. While Envoy supports several
<a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancing>sophisticated load balancing algorithms</a>,
Istio currently allows three load balancing modes:
round robin, random, and weighted least request.</p><p>In addition to load balancing, Envoy periodically checks the health of each
instance in the pool. Envoy follows a circuit breaker pattern to
classify instances as unhealthy or healthy based on their failure rates for
the health check API call. In other words, when the number of health
check failures for a given instance exceeds a pre-specified threshold, it
will be ejected from the load balancing pool. Similarly, when the number of
health checks that pass exceed a pre-specified threshold, the instance will
be added back into the load balancing pool. You can find out more about Envoy&rsquo;s
failure-handling features in <a href=#handling-failures>Handling Failures</a>.</p><p>Services can actively shed load by responding with an HTTP 503 to a health
check. In such an event, the service instance will be immediately removed
from the caller&rsquo;s load balancing pool.</p><h3 id=locality-load-balancing>Locality Load Balancing</h3><p>A locality defines a geographic location within your mesh using the following triplet:</p><ul><li>Region</li><li>Zone</li><li>Sub-zone</li></ul><p>The geographic location typically represents a data center. Istio uses
this information to prioritize load balancing pools to control
the geographic location where requests are proxied.</p><p>For more information and instructions on how to enable this feature see the <a href=/v1.1/help/ops/traffic-management/locality-load-balancing/>operations guide</a>.</p><h2 id=handling-failures>Handling failures</h2><p>Envoy provides a set of out-of-the-box <em>opt-in</em> failure recovery features
that can be taken advantage of by the services in an application. Features
include:</p><ol><li><p>Timeouts</p></li><li><p>Bounded retries with timeout budgets and variable jitter between retries</p></li><li><p>Limits on number of concurrent connections and requests to upstream services</p></li><li><p>Active (periodic) health checks on each member of the load balancing pool</p></li><li><p>Fine-grained circuit breakers (passive health checks) &ndash; applied per
instance in the load balancing pool</p></li></ol><p>These features can be dynamically configured at runtime through
<a href=#rule-configuration>Istio&rsquo;s traffic management rules</a>.</p><p>The jitter between retries minimizes the impact of retries on an overloaded
upstream service, while timeout budgets ensure that the calling service
gets a response (success/failure) within a predictable time frame.</p><p>A combination of active and passive health checks (4 and 5 above)
minimize the chances of accessing an unhealthy instance in the load
balancing pool. When combined with platform-level health checks (such as
those supported by Kubernetes or Mesos), applications can ensure that
unhealthy pods/containers/VMs can be quickly ejected from the service
mesh, minimizing the request failures and impact on latency.</p><p>Together, these features enable the service mesh to tolerate failing nodes
and prevent localized failures from cascading instability to other nodes.</p><h3 id=fine-tuning>Fine tuning</h3><p>Istio&rsquo;s traffic management rules allow you to set defaults for failure recovery per
service and version that apply to all callers. However, consumers of a service can also
override <a href=/v1.1/docs/reference/config/networking/v1alpha3/virtual-service/#HTTPRoute-timeout>timeout</a>
and <a href=/v1.1/docs/reference/config/networking/v1alpha3/virtual-service/#HTTPRoute-retries>retry</a>
defaults by providing request-level overrides through special HTTP headers.
With the Envoy proxy implementation, the headers are <code>x-envoy-upstream-rq-timeout-ms</code> and
<code>x-envoy-max-retries</code>, respectively.</p><h3 id=failure-handling-faq>Failure handling FAQ</h3><p>Q: <em>Do applications still handle failures when running in Istio?</em></p><p>Yes. Istio improves the reliability and availability of services in the
mesh. However, <strong>applications need to handle the failure (errors)
and take appropriate fallback actions</strong>. For example, when all instances in
a load balancing pool have failed, Envoy will return HTTP 503. It is the
responsibility of the application to implement any fallback logic that is
needed to handle the HTTP 503 error code from an upstream service.</p><p>Q: <em>Will Envoy&rsquo;s failure recovery features break applications that already
use fault tolerance libraries (for example <a href=https://github.com/Netflix/Hystrix>Hystrix</a>)?</em></p><p>No. Envoy is completely transparent to the application. A failure response
returned by Envoy would not be distinguishable from a failure response
returned by the upstream service to which the call was made.</p><p>Q: <em>How will failures be handled when using application-level libraries and
Envoy at the same time?</em></p><p>Given two failure recovery policies for the same destination service, <strong>the
more restrictive of the two will be triggered when failures occur</strong>. For example, you have two timeouts &ndash; one set in Envoy and another in an application&rsquo;s library. In this
example, if the application sets a 5 second timeout for an API call to a
service, while you configured a 10 second timeout in Envoy, the
application&rsquo;s timeout will kick in first. Similarly, if Envoy&rsquo;s circuit
breaker triggers before the application&rsquo;s circuit breaker, API calls to the
service will get a 503 from Envoy.</p><h2 id=fault-injection>Fault injection</h2><p>While the Envoy sidecar/proxy provides a host of
<a href=#handling-failures>failure recovery mechanisms</a> to services running
on Istio, it is still
imperative to test the end-to-end failure recovery capability of the
application as a whole. Misconfigured failure recovery policies (for example,
incompatible/restrictive timeouts across service calls) could result in
continued unavailability of critical services in the application, resulting
in poor user experience.</p><p>Istio enables protocol-specific fault injection into the network, instead
of deleting pods or delaying or corrupting packets at the TCP layer. The rationale
is that the failures observed by the application layer are the same
regardless of network level failures, and that more meaningful failures can
be injected at the application layer (for example, HTTP error codes) to exercise the resilience of an application.</p><p>You can configure faults to be injected into requests that match
specific conditions. You can further restrict the percentage of
requests that should be subjected to faults. Two types of faults can be
injected: delays and aborts. Delays are timing failures, mimicking
increased network latency, or an overloaded upstream service. Aborts are
crash failures that mimic failures in upstream services. Aborts usually
manifest in the form of HTTP error codes or TCP connection failures.</p><h2 id=canary-rollout>Canary rollout</h2><p>The idea behind canary rollout is to introduce a new version of a service by first testing
it using a small percentage of user traffic and then, if all goes well, gradually increase
the percentage until all the traffic is moved to the new version. If anything
goes wrong along the way, the rollout is aborted and the traffic is returned to the old version.</p><p>Although container orchestration platforms like Docker, Mesos/Marathon, or Kubernetes provide features
that support canary rollout, they are limited by the fact that they use instance scaling to manage
the traffic distribution. For example, to send 10% of traffic to a canary version requires 9 instances of
the old version to be running for every 1 instance of the canary.
This becomes particularly difficult in production deployments where autoscaling is needed.
When traffic load increases, the autoscaler needs to scale instances of both versions concurrently,
making sure to keep the instance ratio the same.</p><p>Another problem with the instance deployment approach is that it only
supports a simple (random percentage) canary rollout. It&rsquo;s not possible to limit the
visibility of the canary to requests based on some specific criteria.</p><p>With Istio, traffic routing and instance deployment are two completely independent functions.
The number of instances implementing services are free to scale up and down based on traffic load,
completely orthogonal to the control of version traffic routing. This makes managing a canary
version in the presence of autoscaling a much simpler problem.
See <a href=/v1.1/blog/2017/0.1-canary/>Canary Deployments using Istio</a> for more about
the interoperability of canary deployment and autoscaling when using Istio.</p><h2 id=rule-configuration>Rule configuration</h2><p>Istio provides a simple configuration model to
control how API calls and layer-4 traffic flow across various
services in an application deployment. The configuration model allows you to
configure service-level properties such as circuit breakers, timeouts,
and retries, as well as set up common continuous deployment tasks such as
canary rollouts, A/B testing, staged rollouts with %-based traffic splits,
etc.</p><p>There are five traffic management configuration resources in Istio:
<code>VirtualService</code>, <code>DestinationRule</code>, <code>ServiceEntry</code>, <code>Gateway</code>, and <code>Sidecar</code>:</p><ul><li><p>A <a href=/v1.1/docs/reference/config/networking/v1alpha3/virtual-service/><code>VirtualService</code></a>
defines the rules that control how requests for a service are routed within an Istio service mesh.</p></li><li><p>A <a href=/v1.1/docs/reference/config/networking/v1alpha3/destination-rule/><code>DestinationRule</code></a>
configures the set of policies to be applied to a request after <code>VirtualService</code> routing has occurred.</p></li><li><p>A <a href=/v1.1/docs/reference/config/networking/v1alpha3/service-entry/><code>ServiceEntry</code></a> is commonly used to enable requests to services outside of an Istio service mesh.</p></li><li><p>A <a href=/v1.1/docs/reference/config/networking/v1alpha3/gateway/><code>Gateway</code></a>
configures a load balancer operating at the edge of the mesh for HTTP/TCP ingress traffic to a mesh application
or egress traffic to external services.</p></li><li><p>A <a href=/v1.1/docs/reference/config/networking/v1alpha3/sidecar/><code>Sidecar</code></a>
configures one or more sidecar proxies attached to application workloads running inside the mesh.</p></li></ul><p>For example, you can implement a simple rule to send 100% of incoming traffic for a <em>reviews</em> service to version &ldquo;v1&rdquo; by using a <code>VirtualService</code> configuration as follows:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v1
</code></pre><p>This configuration says that traffic sent to the <em>reviews</em> service
(specified in the <code>hosts</code> field) should be routed to the v1 subset
of the underlying <em>reviews</em> service instances. The route <code>subset</code> specifies the name of a defined subset in a corresponding destination rule configuration.</p><p>A subset specifies one or more labels that identify version-specific instances.
For example, in a Kubernetes deployment of Istio, &ldquo;version: v1&rdquo; indicates that
only pods containing the label &ldquo;version: v1&rdquo; will receive traffic.</p><p>In a <code>DestinationRule</code>, you can then add additional policies. For example, the following definition specifies to use the random load balancing mode:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
trafficPolicy:
loadBalancer:
simple: RANDOM
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
</code></pre><p>Rules can be configured using the <code>kubectl</code> command. See the
<a href=/v1.1/docs/tasks/traffic-management/request-routing/>configuring request routing
task</a> for examples.</p><p>The following sections provide a basic overview of the traffic management configuration resources.
See <a href=/v1.1/docs/reference/config/networking/>networking reference</a>
for detailed information.</p><h3 id=virtual-services>Virtual Services</h3><p>A <a href=/v1.1/docs/reference/config/networking/v1alpha3/virtual-service/><code>VirtualService</code></a>
defines the rules that control how requests for a service are routed within an Istio service mesh.
For example, a virtual service could route requests to different versions of a service or to a completely different service than was requested.
Requests can be routed based on the request source and destination, HTTP paths and
header fields, and weights associated with individual service versions.</p><h4 id=rule-destinations>Rule destinations</h4><p>Routing rules correspond to one or more request destination hosts that are specified in
a <code>VirtualService</code> configuration. These hosts may or may not be the same as the actual
destination workload and may not even correspond to an actual routable service in the mesh.
For example, to define routing rules for requests to the <em>reviews</em> service using its internal
mesh name <code>reviews</code> or via host <code>bookinfo.com</code>, a <code>VirtualService</code> could set the <code>hosts</code> field as:</p><pre><code class=language-yaml data-expandlinks=true>hosts:
- reviews
- bookinfo.com
</code></pre><p>The <code>hosts</code> field specifies, implicitly or explicitly, one or more fully qualified
domain names (FQDN). The short name <code>reviews</code>, above, would implicitly
expand to an implementation specific FQDN. For example, in a Kubernetes environment
the full name is derived from the cluster and namespace of the <code>VirtualService</code>
(for example, <code>reviews.default.svc.cluster.local</code>).</p><h4 id=splitting-traffic-between-versions>Splitting traffic between versions</h4><p>Each route rule identifies one or more weighted backends to call when the rule is activated.
Each backend corresponds to a specific version of the destination service,
where versions can be expressed using <em>labels</em>.
If there are multiple registered instances with the specified label(s),
they will be routed to based on the load balancing policy configured for the service,
or round-robin by default.</p><p>For example, the following rule will route 25% of traffic for the <em>reviews</em> service to instances with
the &ldquo;v2&rdquo; label and the remaining 75% of traffic to &ldquo;v1&rdquo;:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v1
weight: 75
- destination:
host: reviews
subset: v2
weight: 25
</code></pre><h4 id=timeouts-and-retries>Timeouts and retries</h4><p>By default, the timeout for HTTP requests is disabled,
but it can be overridden in a route rule as follows:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- route:
- destination:
host: ratings
subset: v1
timeout: 10s
</code></pre><p>You can also specify the number of retry attempts for an HTTP request in a virtual service.
The maximum number of retry attempts, or the number of attempts possible within the default or overridden timeout period, can be set as follows:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- route:
- destination:
host: ratings
subset: v1
retries:
attempts: 3
perTryTimeout: 2s
</code></pre><p>Note that request timeouts and retries can also be
<a href=#fine-tuning>overridden on a per-request basis</a>.</p><p>See the <a href=/v1.1/docs/tasks/traffic-management/request-timeouts>request timeouts task</a> for an example of timeout control.</p><h4 id=injecting-faults>Injecting faults</h4><p>A virtual service can specify one or more faults to inject
while forwarding HTTP requests to the rule&rsquo;s corresponding request destination.
The faults can be either delays or aborts.</p><p>The following example introduces a 5 second delay in 10% of the requests to the &ldquo;v1&rdquo; version of the <em>ratings</em> microservice:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- fault:
delay:
percent: 10
fixedDelay: 5s
route:
- destination:
host: ratings
subset: v1
</code></pre><p>You can use the other kind of fault, an abort, to prematurely terminate a request. For example, to simulate a failure.</p><p>The following example returns an HTTP 400 error code for 10%
of the requests to the <em>ratings</em> service &ldquo;v1&rdquo;:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- fault:
abort:
percent: 10
httpStatus: 400
route:
- destination:
host: ratings
subset: v1
</code></pre><p>Sometimes delay and abort faults are used together. For example, the following rule delays by 5 seconds all requests from the <em>reviews</em> service &ldquo;v2&rdquo; to the <em>ratings</em> service &ldquo;v1&rdquo; and then aborts 10% of them:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- match:
- sourceLabels:
app: reviews
version: v2
fault:
delay:
fixedDelay: 5s
abort:
percent: 10
httpStatus: 400
route:
- destination:
host: ratings
subset: v1
</code></pre><p>To see fault injection in action, see the <a href=/v1.1/docs/tasks/traffic-management/fault-injection/>fault injection task</a>.</p><h4 id=conditional-rules>Conditional rules</h4><p>Rules can optionally be qualified to only apply to requests that match some
specific condition such as the following:</p><p><em>1. Restrict to specific client workloads using workload labels</em>. For example, a rule
can indicate that it only applies to calls from workload instances (pods) implementing
the <em>reviews</em> service:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- match:
- sourceLabels:
app: reviews
route:
...
</code></pre><p>The value of <code>sourceLabels</code> depends on the implementation of the service.
In Kubernetes, for example, it would probably be the same labels that are used
in the pod selector of the corresponding Kubernetes service.</p><p>The above example can also be further refined to only apply to calls from a workload instance having the &ldquo;v2&rdquo; label:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- match:
- sourceLabels:
app: reviews
version: v2
route:
...
</code></pre><p><em>2. Select rule based on HTTP headers</em>. For example, the following rule only applies to an incoming request if it includes a custom &ldquo;end-user&rdquo; header that
contains the string &ldquo;jason&rdquo;:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- match:
- headers:
end-user:
exact: jason
route:
...
</code></pre><p>If more than one header is specified in the rule, then all of the
corresponding headers must match for the rule to apply.</p><p><em>3. Select rule based on request URI</em>. For example, the following rule only applies to a request if the URI path starts with <code>/api/v1</code>:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: productpage
spec:
hosts:
- productpage
http:
- match:
- uri:
prefix: /api/v1
route:
...
</code></pre><h4 id=multiple-match-conditions>Multiple match conditions</h4><p>Multiple match conditions can be set simultaneously. In such a case, AND or OR
semantics apply, depending on the nesting.</p><p>If multiple conditions are nested in a single match clause, then the conditions
are ANDed. For example, the following rule only applies if the
client workload is &ldquo;reviews:v2&rdquo; AND the custom &ldquo;end-user&rdquo; header containing
&ldquo;jason&rdquo; is present in the request:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- match:
- sourceLabels:
app: reviews
version: v2
headers:
end-user:
exact: jason
route:
...
</code></pre><p>If instead, the condition appear in separate match clauses, then only one
of the conditions applies (OR semantics):</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings
spec:
hosts:
- ratings
http:
- match:
- sourceLabels:
app: reviews
version: v2
- headers:
end-user:
exact: jason
route:
...
</code></pre><p>This rule applies if either the client workload is &ldquo;reviews:v2&rdquo; OR
the custom &ldquo;end-user&rdquo; header containing &ldquo;jason&rdquo; is present in the request.</p><h4 id=precedence>Precedence</h4><p>When there are multiple rules for a given destination,
they are evaluated in the order they appear
in the <code>VirtualService</code>, meaning the first rule
in the list has the highest priority.</p><p><strong>Why is priority important?</strong> Whenever the routing story for a particular
service is purely weight based, it can be specified in a single rule.
On the other hand, when other conditions
(such as requests from a specific user) are being used to route traffic, more
than one rule will be needed to specify the routing. This is where the
rule priority must be carefully considered to make sure that the rules are
evaluated in the right order.</p><p>A common pattern for generalized route specification is to provide one or
more higher priority rules that match various conditions,
and then provide a single weight-based rule with no match
condition last to provide the weighted distribution of
traffic for all other cases.</p><p>For example, the following <code>VirtualService</code> contains two rules that, together,
specify that all requests for the <em>reviews</em> service that includes a header
named &ldquo;Foo&rdquo; with the value &ldquo;bar&rdquo; will be sent to the &ldquo;v2&rdquo; instances.
All remaining requests will be sent to &ldquo;v1&rdquo;:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- match:
- headers:
Foo:
exact: bar
route:
- destination:
host: reviews
subset: v2
- route:
- destination:
host: reviews
subset: v1
</code></pre><p>Notice that the header-based rule has the higher priority. If
it was lower, these rules wouldn&rsquo;t work as expected because the weight-based
rule, with no specific match condition, would be evaluated first to route all traffic to &ldquo;v1&rdquo;, even requests that include the
matching &ldquo;Foo&rdquo; header. Once a rule is found that applies to the incoming
request, it is executed and the rule-evaluation process terminates. That&rsquo;s why it&rsquo;s very important to carefully consider the
priorities of each rule when there is more than one.</p><h3 id=destination-rules>Destination rules</h3><p>A <a href=/v1.1/docs/reference/config/networking/v1alpha3/destination-rule/><code>DestinationRule</code></a>
configures the set of policies to be applied to a request after <code>VirtualService</code> routing has occurred. They are
intended to be authored by service owners, describing the circuit breakers, load balancer settings, TLS settings, and other settings.</p><p>A <code>DestinationRule</code> also defines addressable <code>subsets</code>, meaning named versions, of the corresponding destination host.
These subsets are used in <code>VirtualService</code> route specifications when sending traffic to specific versions of the service.</p><p>The following <code>DestinationRule</code> configures policies and subsets for the reviews service:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
trafficPolicy:
loadBalancer:
simple: RANDOM
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
- name: v3
labels:
version: v3
</code></pre><p>Notice that multiple policies, default and v2-specific in this example, can be
specified in a single <code>DestinationRule</code> configuration.</p><h4 id=circuit-breakers>Circuit breakers</h4><p>A simple circuit breaker can be set based on a number of conditions such as connection and request limits.</p><p>For example, the following <code>DestinationRule</code>
sets a limit of 100 connections to <em>reviews</em> service version &ldquo;v1&rdquo; backends:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
subsets:
- name: v1
labels:
version: v1
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
</code></pre><p>See the <a href=/v1.1/docs/tasks/traffic-management/circuit-breaking/>circuit-breaking task</a> for a demonstration of circuit breaker control.</p><h4 id=rule-evaluation>Rule evaluation</h4><p>Similar to route rules, policies defined in a <code>DestinationRule</code> are associated with a particular <em>host</em>. However if they are subset specific,
activation depends on route rule evaluation results.</p><p>The first step in the rule evaluation process evaluates the route rules in
the <code>VirtualService</code> corresponding to the requested <em>host</em>, if there are any,
to determine the subset (meaning specific
version) of the destination service that the current request will be routed
to. Next, the set of policies corresponding to the selected subset, if any,
are evaluated to determine if they apply.</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>One subtlety of the algorithm to keep in mind is that policies
that are defined for specific subsets will only be applied if
the corresponding subset is explicitly routed to. For example,
consider the following configuration as the one and only rule defined for the
<em>reviews</em> service, meaning there are no route rules in the corresponding <code>VirtualService</code> definition:</div></aside></div><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
subsets:
- name: v1
labels:
version: v1
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
</code></pre><p>Since there is no specific route rule defined for the <em>reviews</em>
service, default round-robin routing behavior will apply, which will
presumably call &ldquo;v1&rdquo; instances on occasion, maybe even always if &ldquo;v1&rdquo; is
the only running version. Nevertheless, the above policy will never be
invoked since the default routing is done at a lower level. The rule
evaluation engine will be unaware of the final destination and therefore
unable to match the subset policy to the request.</p><p>You can fix the above example in one of two ways. You can either move the
traffic policy up a level in the <code>DestinationRule</code> to make it apply to any version:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
subsets:
- name: v1
labels:
version: v1
</code></pre><p>Or, better yet, define proper route rules for the service in the <code>VirtualService</code> definition.
For example, add a simple route rule for &ldquo;reviews:v1&rdquo;:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v1
</code></pre><p>Although the default Istio behavior conveniently sends traffic from any
source to all versions of a destination service
without any rules being set, as soon as version discrimination is desired
rules are going to be needed.
Therefore, setting a default rule for every service, right from the
start, is generally considered a best practice in Istio.</p><h3 id=service-entries>Service entries</h3><p>A <a href=/v1.1/docs/reference/config/networking/v1alpha3/service-entry/><code>ServiceEntry</code></a>
is used to add additional entries into the service registry that Istio maintains internally.
It is most commonly used to enable requests to services outside of an Istio service mesh.
For example, the following <code>ServiceEntry</code> can be used to allow external calls to services hosted
under the <code>*.foo.com</code> domain:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: foo-ext-svc
spec:
hosts:
- *.foo.com
ports:
- number: 80
name: http
protocol: HTTP
- number: 443
name: https
protocol: HTTPS
</code></pre><p>The destination of a <code>ServiceEntry</code> is specified using the <code>hosts</code> field, which
can be either a fully qualified or wildcard domain name.
It represents a white listed set of one or more services that services
in the mesh are allowed to access.</p><p>A <code>ServiceEntry</code> is not limited to external service configuration. It can be of two types: mesh-internal or mesh-external.
Mesh-internal entries are like all other internal services but are used to explicitly add services
to the mesh. They can be used to add services as part of expanding the service mesh to include unmanaged infrastructure
(for example, VMs added to a Kubernetes-based service mesh).
Mesh-external entries represent services external to the mesh.
For them, mutual TLS authentication is disabled and policy enforcement is performed on the client-side,
instead of on the server-side as it is for internal service requests.</p><p>Service entries work well in conjunction with virtual services
and destination rules as long as they refer to the services using matching
<code>hosts</code>. For example, the following rule can be used in conjunction with
the above <code>ServiceEntry</code> rule to set a 10s timeout for calls to
the external service at <code>bar.foo.com</code>:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bar-foo-ext-svc
spec:
hosts:
- bar.foo.com
http:
- route:
- destination:
host: bar.foo.com
timeout: 10s
</code></pre><p>Rules to redirect and forward traffic, to define retry,
timeout, and fault injection policies are all supported for external destinations.
Weighted (version-based) routing is not possible, however, since there is no notion
of multiple versions of an external service.</p><p>See the <a href=/v1.1/docs/tasks/traffic-management/egress/>egress task</a> for a more
about accessing external services.</p><h3 id=gateways>Gateways</h3><p>A <a href=/v1.1/docs/reference/config/networking/v1alpha3/gateway/>Gateway</a>
configures a load balancer for HTTP/TCP traffic operating at the edge of the
mesh, most commonly to enable ingress traffic for an application.</p><p>Unlike Kubernetes Ingress, Istio <code>Gateway</code> only configures the L4-L6 functions
(for example, ports to expose, TLS configuration). Users can then use standard Istio rules
to control HTTP requests as well as TCP traffic entering a <code>Gateway</code> by binding a
<code>VirtualService</code> to it.</p><p>For example, the following simple <code>Gateway</code> configures a load balancer
to allow external HTTPS traffic for host <code>bookinfo.com</code> into the mesh:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- bookinfo.com
tls:
mode: SIMPLE
serverCertificate: /tmp/tls.crt
privateKey: /tmp/tls.key
</code></pre><p>To configure the corresponding routes, you must define a <code>VirtualService</code>
for the same host and bound to the <code>Gateway</code> using
the <code>gateways</code> field in the configuration:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- bookinfo.com
gateways:
- bookinfo-gateway # &lt;---- bind to gateway
http:
- match:
- uri:
prefix: /reviews
route:
...
</code></pre><p>See the <a href=/v1.1/docs/tasks/traffic-management/ingress/>ingress task</a> for a
complete ingress gateway example.</p><p>Although most often used to manage ingress traffic, a <code>Gateway</code> can also be used to model
an egress proxy. Irrespective of the location, all gateways
can be configured and controlled in the same way. See
<a href=/v1.1/docs/reference/config/networking/v1alpha3/gateway/>gateway reference</a>
for details.</p><h3 id=sidecars>Sidecars</h3><p>By default, Istio configures every sidecar proxy
to accept traffic on all the ports of its associated workload and to reach
every workload in the mesh when forwarding traffic.
A <a href=/v1.1/docs/reference/config/networking/v1alpha3/sidecar/>Sidecar</a> configuration
can be used to fine tune the set of ports and protocols that a proxy will accept
and to limit the set of services that the proxy can reach.</p><p>A <code>Sidecar</code> resource can be used to configure one or more sidecar proxies selected using
workload labels, or to configure all sidecars in a particular namespace. For example,
the following <code>Sidecar</code> configures all services in the <code>bookinfo</code> namespace
to only reach services running in the same namespace:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: bookinfo
spec:
egress:
- hosts:
- &#34;./*&#34;
</code></pre><p>Limiting sidecar reachability this way can be used to significantly reduce memory
usage, which by default can become a major problem for large applications where every sidecar
is provided with the configuration necessary to reach every other service in the mesh.</p><p>A <code>Sidecar</code> resource can also be used in many more ways.
Refer to the <a href=/v1.1/docs/reference/config/networking/v1alpha3/sidecar/>sidecar reference</a> for details.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></p><p class=desc>Configuring Istio route rules in a multicluster service mesh.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2019/data-plane-setup/>Demystifying Istio&#39;s Sidecar Injection Model</a></p><p class=desc>De-mystify how Istio manages to plugin its data-plane components into an existing deployment.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></p><p class=desc>Verifies the performance impact of adding an egress gateway.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></p><p class=desc>Describes how to deploy a custom ingress gateway using cert-manager manually.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></p><p class=desc>How to use Istio for traffic management without deploying sidecar proxies.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></p><p class=desc>Describes a simple scenario based on Istio&#39;s Bookinfo example.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Introduces Istio, the problems it solves, its high-level architecture and design goals." href=/v1.1/docs/concepts/what-is-istio/><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#left-arrow"/></svg>What is Istio?</a></div><div class=right><a title="Describes Istio's authorization and authentication functionality." href=/v1.1/docs/concepts/security/>Security<svg class="icon"><use xlink:href="/v1.1/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Pilot and Envoy"><a href=#pilot-and-envoy>Pilot and Envoy</a><li role=none aria-label="Request routing"><a href=#request-routing>Request routing</a><ol><li role=none aria-label="Communication between services"><a href=#communication-between-services>Communication between services</a><li role=none aria-label="Ingress and egress"><a href=#ingress-and-egress>Ingress and egress</a></ol></li><li role=none aria-label="Discovery and load balancing"><a href=#discovery-and-load-balancing>Discovery and load balancing</a><ol><li role=none aria-label="Locality Load Balancing"><a href=#locality-load-balancing>Locality Load Balancing</a></ol></li><li role=none aria-label="Handling failures"><a href=#handling-failures>Handling failures</a><ol><li role=none aria-label="Fine tuning"><a href=#fine-tuning>Fine tuning</a><li role=none aria-label="Failure handling FAQ"><a href=#failure-handling-faq>Failure handling FAQ</a></ol></li><li role=none aria-label="Fault injection"><a href=#fault-injection>Fault injection</a><li role=none aria-label="Canary rollout"><a href=#canary-rollout>Canary rollout</a><li role=none aria-label="Rule configuration"><a href=#rule-configuration>Rule configuration</a><ol><li role=none aria-label="Virtual Services"><a href=#virtual-services>Virtual Services</a><ol><li role=none aria-label="Rule destinations"><a href=#rule-destinations>Rule destinations</a><li role=none aria-label="Splitting traffic between versions"><a href=#splitting-traffic-between-versions>Splitting traffic between versions</a><li role=none aria-label="Timeouts and retries"><a href=#timeouts-and-retries>Timeouts and retries</a><li role=none aria-label="Injecting faults"><a href=#injecting-faults>Injecting faults</a><li role=none aria-label="Conditional rules"><a href=#conditional-rules>Conditional rules</a><li role=none aria-label="Multiple match conditions"><a href=#multiple-match-conditions>Multiple match conditions</a><li role=none aria-label=Precedence><a href=#precedence>Precedence</a></ol></li><li role=none aria-label="Destination rules"><a href=#destination-rules>Destination rules</a><ol><li role=none aria-label="Circuit breakers"><a href=#circuit-breakers>Circuit breakers</a><li role=none aria-label="Rule evaluation"><a href=#rule-evaluation>Rule evaluation</a></ol></li><li role=none aria-label="Service entries"><a href=#service-entries>Service entries</a><li role=none aria-label=Gateways><a href=#gateways>Gateways</a><li role=none aria-label=Sidecars><a href=#sidecars>Sidecars</a></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.1.9 now" href=https://github.com/istio/istio/releases/tag/1.1.9 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.1.9<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on June 18, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#github"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#slack"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink