A Gateway is a standalone set of Envoy proxies that load-balance inbound traffic. Istio deploys a default `IngressGateway` with a public IP address, which you can configure to expose applications inside your service mesh to the Internet.
Istio Gateways have two key advantages over traditional Kubernetes Ingress. Because a Gateway is another Envoy proxy, you can use Istio to configure Gateway traffic in the same way you would configure east-west traffic between services (traffic splitting, redirects, retry logic).
Gateways also forward metrics (request rate, error rate) just like sidecar proxies, allowing you to view Ingress traffic in a service graph, and set fine-grained SLOs on frontend services directly serving clients.
Let’s see Gateways in action.
The `hello` application runs in a container, inside a Pod. The Pod has an injected Istio sidecar proxy container. A Kubernetes Service called `hello` fronts this Pod. We want to direct inbound traffic from `hello.com` to the
First we need a `Gateway` resource, which opens port `80` in the default Istio `IngressGateway`, for all hosts resolving from the

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hello-gateway
spec:
  selector:
    istio: ingressgateway # use the default IngressGateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "hello.com"
```
(Note: on your own, you’ll still have to resolve the DNS for that host to the Istio `IngressGateway` external IP address.)
Second, we need a `VirtualService` to direct traffic from the `IngressGateway` to the `hello` backend Service, running in the `default` namespace on port

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend-ingress
spec:
  hosts:
  - "hello.com"
  gateways:
  - hello-gateway
  http:
  - route:
    - destination:
        host: hello.default.svc.cluster.local
        port:
          number: 80
```
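
A review check for the Gateway/VirtualService pair above, as an added example that is not part of the original page: it confirms the VirtualService is bound to the Gateway and shares a host with it, and flags wildcard hosts and plaintext HTTP listeners. The helper names `audit` and `host_matches` are hypothetical; the check ignores namespaces and handles wildcards on the Gateway side only.

```python
# Added example. The two dicts mirror the page's Gateway and VirtualService manifests.
GATEWAY = {
    "metadata": {"name": "hello-gateway"},
    "spec": {"servers": [{
        "port": {"number": 80, "name": "http", "protocol": "HTTP"},
        "hosts": ["hello.com"],
    }]},
}
VIRTUAL_SERVICE = {
    "metadata": {"name": "frontend-ingress"},
    "spec": {"hosts": ["hello.com"], "gateways": ["hello-gateway"]},
}


def host_matches(gw_host, vs_host):
    """True if a Gateway server host pattern covers a VirtualService host."""
    gw_host = gw_host.split("/", 1)[-1]  # drop an optional "namespace/" prefix
    if gw_host == "*":
        return True
    if gw_host.startswith("*."):  # left-most wildcard label, e.g. "*.hello.com"
        return vs_host.endswith(gw_host[1:])
    return gw_host == vs_host


def audit(gateway, vs):
    """Return findings for one Gateway/VirtualService pair (namespaces ignored)."""
    findings = []
    gw_name = gateway["metadata"]["name"]
    vs_name = vs["metadata"]["name"]
    # With no "gateways" list a VirtualService applies only to mesh sidecars.
    bound = any(g.split("/")[-1] == gw_name for g in vs["spec"].get("gateways", []))
    if not bound:
        findings.append(f"{vs_name}: not bound to gateway {gw_name}")
    for server in gateway["spec"]["servers"]:
        where = f"{gw_name} port {server['port']['number']}"
        if any(h.split("/", 1)[-1] == "*" for h in server["hosts"]):
            findings.append(f"{where}: wildcard host accepts any Host header")
        if bound and not any(host_matches(g, v) for g in server["hosts"]
                             for v in vs["spec"]["hosts"]):
            findings.append(f"{where}: no host shared with {vs_name}")
        redirect = server.get("tls", {}).get("httpsRedirect", False)
        if server["port"]["protocol"] == "HTTP" and not redirect:
            findings.append(f"{where}: plaintext HTTP without tls.httpsRedirect")
    return findings


if __name__ == "__main__":
    for finding in audit(GATEWAY, VIRTUAL_SERVICE):
        print(finding)
```

Run against the page's manifests, the only finding is the plaintext listener on port 80; the binding and host checks pass.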