Annotation excludeInboundPorts does not work as expected

I’m trying to disable the inbound traffic redirection to Envoy and keep the outbound traffic redirection to Envoy (and vice versa) by using the traffic.sidecar.istio.io/excludeInboundPorts annotation. However, it seems like setting this annotation causes the outbound traffic redirection to be disabled as well.

In my deployment yaml file I used:

      annotations:
        traffic.sidecar.istio.io/excludeInboundPorts: "5000"

and I checked the nat table using iptables. It looks like it added one line:

    4 240 RETURN tcp -- any any anywhere anywhere tcp dpt:5000

and everything else is the same (as expected). My understanding is that the inbound traffic redirection for port 5000 will be disabled/skipped by this iptables rule, but the outbound traffic redirection will remain the same.

However, I checked both the Envoy access log and with tools like ss and netstat. It looks like the outbound traffic redirection is also skipped. (The TCP connection was not created between Envoy and the application.)

Can someone help me with this? Am I missing any configurations? Thanks in advance!
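A small diagnostic for the situation described above, added here as example code (not from the original post or from Istio): it parses `iptables -t nat -L -v` output and reports, for a given port, whether the inbound chain has a RETURN for it and whether the outbound chain still jumps to Envoy. The chain names ISTIO_INBOUND, ISTIO_OUTPUT, ISTIO_IN_REDIRECT and ISTIO_REDIRECT are the ones istio-init creates; the sample table itself is constructed.

```python
import re

# Constructed sample of `iptables -t nat -L -v` from a pod annotated with
# excludeInboundPorts: "5000" (counters and addresses are made up).
SAMPLE_NAT = """\
Chain ISTIO_INBOUND (1 references)
 pkts bytes target     prot opt in     out     source      destination
    4   240 RETURN     tcp  --  any    any     anywhere    anywhere     tcp dpt:5000
    2   120 RETURN     tcp  --  any    any     anywhere    anywhere     tcp dpt:15090
    6   360 ISTIO_IN_REDIRECT  tcp  --  any    any     anywhere    anywhere

Chain ISTIO_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source      destination
   30  1800 ISTIO_REDIRECT  all  --  any    any     anywhere    anywhere
"""


def parse_nat_table(text):
    """Return {chain: [(target, proto, dport_or_None), ...]} from `-L -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        # Skip blank lines, the column header and anything before the first chain.
        if current is None or len(fields) < 4 or fields[0] == "pkts":
            continue
        dport = re.search(r"dpt:(\d+)", line)
        chains[current].append((fields[2], fields[3], int(dport.group(1)) if dport else None))
    return chains


def redirect_status(chains, port):
    """Inbound RETURN for `port` plus an intact ISTIO_OUTPUT -> ISTIO_REDIRECT jump
    means iptables still redirects outbound traffic; if the outbound jump is
    missing, the rules (not Envoy) are where to look."""
    inbound = chains.get("ISTIO_INBOUND", [])
    outbound = chains.get("ISTIO_OUTPUT", [])
    return {
        "inbound_excluded": any(t == "RETURN" and p == port for t, _, p in inbound),
        "outbound_redirected": any(t == "ISTIO_REDIRECT" for t, _, _ in outbound),
    }


if __name__ == "__main__":
    print(redirect_status(parse_nat_table(SAMPLE_NAT), 5000))
```

On a live pod, feed it the output of `iptables -t nat -L -v` taken from the pod's network namespace instead of the constructed sample.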

hi @Xiangfeng_Zhu

Can you try to add this annotation as well:

    traffic.sidecar.istio.io/includeInboundPorts: "*"

and see if it works.

Thanks
Neha Lohia