How to route traffic from Anthos Service Mesh / Istio to a mutual TLS web server on an IP address and port number.
I have stumbled upon a use case where I have to route HTTP traffic from our service mesh and originate mutual TLS to a mutual TLS web server running on an IP address and port.
From the existing documentation it is not obvious how to do this, but the pieces are all there. I am writing this up to make life easier for others who have this use case.
Step#1: Define a Kubernetes Service without a selector and an Endpoints object that carries the IP address of the mutual TLS server. The Endpoints subset looks like this:
```yaml
subsets:
  - addresses:
      - ip: X.X.X.X      # the mutual TLS web server
    ports:
      - port: 443
        protocol: TCP
```
Note: HTTP traffic to this Service cannot be routed like other HTTP traffic, because istio-proxy opens a plain TCP proxy connection to this IP address and port. The traditional egress gateway TLS origination process (VirtualService rewrite to an HTTPS port, origination at the gateway) therefore does not apply to this use case.
Step#2: Define a traffic policy with a DestinationRule.
The rule performs TLS origination in mutual TLS mode (tls mode MUTUAL in the DestinationRule's trafficPolicy): the application sends plain HTTP to the Service port and the sidecar wraps it in mutual TLS towards the endpoint.
Note: Make sure the client certificate, private key and CA certificate are mounted in the sidecar proxy (the istio-proxy container) of the application making this connection, at the paths the DestinationRule references. The application container's filesystem is not visible to the sidecar, so mounting the certificates in the application container alone is not enough.
No VirtualService is required for this.
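The complete set of manifests for Steps 1 and 2, as an added example that is not part of the original post. The Service and Endpoints names (external-mtls-server), the default namespace, the Secret mtls-client-certs with keys tls.crt/tls.key/ca.crt, the SNI name mtls.example.com and the client Deployment are all assumptions; the IP X.X.X.X is the placeholder from the post. The certificates are mounted into the sidecar with Istio's sidecar.istio.io/userVolume and sidecar.istio.io/userVolumeMount pod annotations.

```yaml
# Added example (not from the original post). Names, the namespace, the
# Secret layout and the IP X.X.X.X are assumptions; replace them for your mesh.
#
# 1) A selector-less Service plus a matching Endpoints object gives the
#    external mTLS server an in-cluster DNS name. The port is named "tcp-mtls"
#    so Istio treats it as opaque TCP rather than HTTP or TLS passthrough.
apiVersion: v1
kind: Service
metadata:
  name: external-mtls-server
  namespace: default
spec:
  ports:
    - name: tcp-mtls
      port: 443
      protocol: TCP
      targetPort: 443
---
apiVersion: v1
kind: Endpoints
metadata:
  name: external-mtls-server     # must match the Service name
  namespace: default
subsets:
  - addresses:
      - ip: X.X.X.X              # the mutual TLS web server
    ports:
      - name: tcp-mtls           # must match the Service port name
        port: 443
        protocol: TCP
---
# 2) DestinationRule: the sidecar originates mutual TLS towards the endpoint.
#    Certificate paths refer to the sidecar (istio-proxy) filesystem, not the
#    application container; see the Deployment annotations below.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-mtls-server
  namespace: default
spec:
  host: external-mtls-server.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/client/tls.crt
      privateKey: /etc/certs/client/tls.key
      # Without caCertificates the proxy does NOT verify the server certificate;
      # keep it so a spoofed endpoint cannot receive the client's requests.
      caCertificates: /etc/certs/client/ca.crt
      sni: mtls.example.com      # assumed: the name the server certificate is issued for
---
# 3) Mount the client credentials into the sidecar with Istio's userVolume
#    annotations. The Secret mtls-client-certs (keys tls.crt, tls.key, ca.crt)
#    is assumed to exist in the same namespace as the pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: client-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: client-app
  template:
    metadata:
      labels:
        app: client-app
      annotations:
        sidecar.istio.io/userVolume: '[{"name":"client-certs","secret":{"secretName":"mtls-client-certs"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"client-certs","mountPath":"/etc/certs/client","readOnly":true}]'
    spec:
      containers:
        - name: app
          image: curlimages/curl
          # Plain HTTP to the Service port; the sidecar wraps it in mutual TLS.
          command: ["sh", "-c", "while true; do curl -s http://external-mtls-server:443/; sleep 30; done"]
```

Apply with kubectl apply -f and check that the sidecar actually picked up the TLS settings before trusting the path: `istioctl proxy-config cluster <client-pod> --fqdn external-mtls-server.default.svc.cluster.local -o json` should show a transport_socket with the client certificate, key and CA paths above. If the DestinationRule host does not exactly match the Service FQDN, the cluster is created without TLS and the server sees a plaintext connection.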