
Configuring a Gateway

1. Configuring a Gateway

Along with support for Kubernetes Ingress, Cloud Service Mesh offers gateways to manage inbound and outbound traffic to the mesh. Gateways in Istio are based on the Kubernetes Gateway API, which standardizes Ingress traffic management. Istio's gateways provide more extensive customization and flexibility than Kubernetes Ingress, allowing greater granularity when configuring load balancing properties, TLS settings, and routing rules. Gateways are applied to standalone Envoy proxies at the mesh edge, not to sidecar proxies, and they configure layer 4 to layer 6 concerns: load balancing, ports, and TLS. VirtualServices handle layer 7, application-level routing, and are bound to the Gateway.

There are three main types of gateways. Ingress gateways are load balancers located at the edge of the mesh; they receive inbound HTTP/TCP connections. Egress gateways are dedicated exit nodes for traffic leaving the mesh, controlling external network access; this enables secure control of egress traffic to enhance the security of your mesh. East-west gateways are proxies for cross-cluster traffic in multi-primary meshes; they are essential for managing inter-cluster communication and applying policies to traffic flowing between clusters.

To route inbound traffic, bind a VirtualService to a Gateway. Ingress gateways can enable HTTPS connections and link to external certificates via a VirtualService. The gateways field in a VirtualService links to a specific gateway, in this example bookinfo-gateway. The hosts field is set to an asterisk (`*`), meaning the VirtualService accepts traffic destined for any host. After it's evaluated, the VirtualService routes traffic based on the route attribute. The host attribute at spec.http.match.route.destination.host refers to the Kubernetes Service. The istio-ingressgateway is a Kubernetes load balancer: a Google Cloud load balancer is created along with an Ingress Gateway.
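The ingress configuration described above, written out as an added example (these are not the course's own manifests). The Gateway is named bookinfo-gateway and the VirtualService is bound to it with a wildcard host; the HTTPS server block, the Secret name `bookinfo-credential`, and the `productpage` Service and its paths are assumptions for illustration.

```yaml
# Added example: Istio ingress Gateway plus the VirtualService bound to it.
# Names of the TLS Secret and the backend Service are assumed, not from the course.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway        # selects the standalone istio-ingressgateway Envoy pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"                        # layer 4-6: which hostnames/ports this listener accepts
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE               # terminate TLS at the gateway
      credentialName: bookinfo-credential   # assumed: kubernetes.io/tls Secret in istio-system
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
  namespace: default
spec:
  hosts:
  - "*"                          # accept requests for any host
  gateways:
  - bookinfo-gateway             # bind this routing to the Gateway above
  http:
  - match:                       # layer 7: only these paths are exposed to the internet
    - uri:
        exact: /productpage
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage        # the Kubernetes Service (productpage.default.svc.cluster.local)
        port:
          number: 9080
```

Apply with `kubectl apply -f` in the application namespace. The explicit `match` list is the defender's lever here: only the listed paths are reachable from the load balancer, so anything else on the Service stays mesh-internal even though the Gateway's host is a wildcard.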
Inbound traffic flows from a load balancer into the mesh. The load balancer forwards traffic to a NodePort and then to the istio-ingressgateway pod. The Ingress Gateway's deployment has a single Envoy container configured with VirtualServices and DestinationRules. The Ingress Gateway's Envoy processes requests and forwards them to the appropriate destination.

So we explored Ingress Gateways. But what are Egress gateways? Egress gateways provide control over traffic exiting the service mesh. They can be used to enforce security policies for outbound traffic; for example, traffic may need to pass through monitored nodes, potentially on separate machines. Egress Gateways are also used where the nodes of an application lack public IPs and cannot reach the internet: egress traffic can be routed through the Egress Gateway, which is assigned public IPs, enabling applications to access external services securely.

To configure an Egress Gateway, perform the following steps. First, add a ServiceEntry for the external location, for example sheets.google.com. Then, create a Gateway resource using the same host as the ServiceEntry, and configure the Gateway to allow outbound traffic. Optionally, configure routing or load balancing using VirtualServices and DestinationRules.
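The egress steps above carried through for sheets.google.com, as an added example (not the course's own manifests). It assumes the default `istio-egressgateway` deployment in `istio-system`; the resource names and the `sheets` subset are assumptions chosen for illustration. TLS from the application is passed through untouched (the gateway routes on SNI), so the egress gateway sees which external host is contacted without terminating the connection.

```yaml
# Added example: route mesh traffic for sheets.google.com through the egress gateway.
# Step 1: register the external host so the sidecar knows about it.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: sheets-google
spec:
  hosts:
  - sheets.google.com
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
---
# Step 2: a Gateway on the egress proxy for the same host, allowing outbound TLS.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway         # selects the standalone istio-egressgateway pods
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - sheets.google.com
    tls:
      mode: PASSTHROUGH          # do not terminate; route by SNI
---
# Step 3 (optional): a subset so the VirtualService can target the egress gateway.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: egressgateway-for-sheets
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: sheets                 # assumed subset name
---
# Step 3 (optional): two hops, sidecar -> egress gateway -> external host.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: direct-sheets-through-egress-gateway
spec:
  hosts:
  - sheets.google.com
  gateways:
  - mesh                         # "mesh" = every sidecar in the mesh
  - istio-egressgateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - sheets.google.com
    route:
    - destination:               # hop 1: sidecar sends to the egress gateway
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: sheets
        port:
          number: 443
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - sheets.google.com
    route:
    - destination:               # hop 2: egress gateway forwards to the real host
        host: sheets.google.com
        port:
          number: 443
```

One caveat the course does not mention: this routing only steers traffic for hosts that have a matching VirtualService. With Istio's default outbound policy (`ALLOW_ANY`) a sidecar can still reach any unregistered host directly, so to make the ServiceEntry an actual allow list, set `meshConfig.outboundTrafficPolicy.mode: REGISTRY_ONLY` and back it with network policy on the nodes so that pods other than the egress gateway cannot open connections to the internet.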

2. Let's practice!
