Tech Study Guide
Istio Gateways, Ingress, and Egress
Istio ingress gateways, egress gateways, Kubernetes Gateway API, TLS termination and passthrough, SNI, external services, and gateway troubleshooting.
Istio Gateways, Ingress, and Egress
Gateways are where mesh policy meets traffic entering or leaving the cluster. They combine Kubernetes service exposure, Envoy listener configuration, TLS certificates, route attachment, and upstream policy.
Gateway Shapes
| Shape | Use |
|---|---|
| Ingress gateway | Accepts external traffic and routes it to services inside the mesh. |
| Egress gateway | Centralizes selected outbound traffic from mesh workloads. |
| Kubernetes Gateway API | Standard Kubernetes resources such as Gateway and HTTPRoute for traffic routing. |
| Istio Gateway API | Istio networking resources such as Gateway and VirtualService. |
| Waypoint proxy | Ambient L7 policy and routing gateway for enrolled workloads or services. |
Know which API owns the listener and which resource owns routes. Mixing Gateway API and Istio networking APIs can be valid, but only when attachment and hostnames are clear.
Ingress Path
kubectl get svc,pod -n istio-system
kubectl get gateway,virtualservice --all-namespaces
kubectl get httproute,gateway --all-namespaces
istioctl proxy-config listeners deploy/<gateway-deploy> -n istio-system
istioctl proxy-config routes deploy/<gateway-deploy> -n istio-system
Check layers in order:
- External DNS resolves to the load balancer.
- Load balancer forwards to the gateway Service.
- Gateway listener accepts the host, port, protocol, and TLS mode.
- Route resource attaches to the gateway and matches host/path/header.
- Destination service has healthy endpoints.
- Destination policy permits the request.
TLS Modes
| Mode | Meaning |
|---|---|
| Termination | Gateway presents a certificate and decrypts TLS before routing HTTP. |
| Passthrough | Gateway routes encrypted traffic based on SNI without decrypting it. |
| Mutual TLS | Gateway requires client certificates and validates them against configured trust. |
| Origination | Proxy starts TLS to an upstream service even if the downstream request is plaintext. |
Common failures are missing Kubernetes secrets, wrong secret namespace, SNI mismatch, certificate chain problems, and route hostnames that do not match the request authority.
kubectl get secret -n istio-system
openssl s_client -connect <host>:443 -servername <host> -showcerts
curl -vk --resolve <host>:443:<lb-ip> https://<host>/
istioctl proxy-config secret deploy/<gateway-deploy> -n istio-system
Egress Control
Egress gateways can centralize outbound traffic for auditing, policy, static source IP, or firewall integration. ServiceEntry models the external service, DestinationRule controls TLS or subsets, and routing decides whether traffic goes through the egress gateway.
kubectl get serviceentry,destinationrule,virtualservice --all-namespaces
istioctl proxy-config clusters <pod> -n <namespace> | grep <external-host>
kubectl logs -n istio-system deploy/istio-egressgateway
Be careful with wildcard hosts and DNS. A broad egress rule can accidentally allow more traffic than intended, while a narrow one can break dependencies that use alternate names or redirects.
Gateway Debugging Runbook
- Capture host, SNI, path, method, source, response code, and response flags.
- Check load balancer and gateway Service endpoints.
- Inspect gateway listeners and route attachment.
- Validate TLS secret, certificate chain, and SNI.
- Confirm VirtualService or HTTPRoute host matching.
- Check destination endpoints, DestinationRule, mTLS, and AuthorizationPolicy.
Study Cards
What does an ingress gateway do?
It accepts external traffic and applies listener, TLS, and route configuration before forwarding into the mesh.
What is TLS passthrough at a gateway?
The gateway routes encrypted traffic using SNI without decrypting HTTP.
Why can a gateway route fail even when the Service is healthy?
DNS, load balancer, listener, TLS, host matching, route attachment, or policy can fail before the Service is reached.
Why use an egress gateway?
To centralize outbound policy, audit, source IP, TLS origination, or firewall integration for selected external traffic.
Why inspect gateway proxy-config listeners?
It shows which ports, protocols, hosts, and TLS filter chains Envoy actually received.