Egress gateway and https traffic - enforce istio_requests_total metric

Hello,

I am new to Istio and I have the following problem. I am trying to set up an egress gateway configuration for an external service communicating over TLS/443, as in the following example: Istio / Egress Gateways.

Everything seems to work correctly. For outbound traffic for ‘externalapi’ service, I am getting istio_tcp_connections_closed_total metric. And here’s my question:

Is there any way to enforce generating istio_requests_total metric for outbound traffic for tls/443 going through egress gateway? I would like to get some additional information like response codes for outgoing traffic.

Here’s my configuration:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: externalapi-egress
spec:
  hosts:
  - externalapi.mydomain.com
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: externalapi-egress
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - externalapi.mydomain.com
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: externalapi-egress
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: externalapi-egress
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: externalapi
spec:
  hosts:
    - externalapi.mydomain.com
  gateways:
    - externalapi-egress
    - mesh
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
        - externalapi.mydomain.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: externalapi-egress
        port:
          number: 443
      weight: 100
  - match:
    - gateways:
      - externalapi-egress
      port: 443
      sniHosts:
        - externalapi.mydomain.com
    route:
    - destination:
        host: externalapi.mydomain.com
        port:
          number: 443
      weight: 100

Thank you for helping me with this,
Robert


I have exactly the same issue. Did you find any solution for it?

The only reference I found for it in the docs is that egress traffic is handled by “HTTP proxy listener, when the port of the external service is the same as one of the service ports defined in the cluster. In this scenario, when the PassthroughCluster or BlackHoleCluster is hit, istio_requests_total will get increased” instead of the istio_tcp_connections_closed_total.

“TCP proxy virtual listener - If the external service port doesn’t map to any HTTP based service ports within the cluster, this listener is invoked and istio_tcp_connections_closed_total is the metric that will be increased”

The description doesn’t really make much sense to me though.

Since you are using SNI routing, the egress proxy does not see the inner http messages. The proxies along the way treat this as a TCP / tls stream and therefore cannot produce http telemetry.

If you want full http telemetry consider tls origination.
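
The distinction drawn in the last reply, as an added example that is not part of the thread: a small check that classifies each Gateway server as producing HTTP metrics (`istio_requests_total`) or only TCP metrics. The function names and the second, TLS-terminating gateway are assumptions made for illustration; manifests are assumed to be already parsed into dicts.

```python
# Added example: which Istio Gateway servers can emit istio_requests_total.
# Assumption: manifests are already parsed into dicts (e.g. by a YAML loader).
HTTP_PROTOCOLS = {"HTTP", "HTTP2", "GRPC"}
TERMINATING_TLS = {"SIMPLE", "MUTUAL", "ISTIO_MUTUAL"}


def server_telemetry(server):
    """Return 'http' if the gateway proxy parses HTTP on this server, else 'tcp'."""
    protocol = server["port"]["protocol"].upper()
    tls_mode = server.get("tls", {}).get("mode", "").upper()
    if protocol in HTTP_PROTOCOLS:
        return "http"
    # HTTPS is decrypted only when the gateway terminates TLS itself.
    if protocol == "HTTPS" and tls_mode in TERMINATING_TLS:
        return "http"
    # TLS/TCP servers and PASSTHROUGH stay opaque streams routed by SNI or port.
    return "tcp"


def audit(manifests):
    """Map (gateway, host, port) to 'http' or 'tcp' for every Gateway server."""
    report = {}
    for m in manifests:
        if m.get("kind") != "Gateway":
            continue
        for server in m["spec"].get("servers", []):
            for host in server.get("hosts", []):
                key = (m["metadata"]["name"], host, server["port"]["number"])
                report[key] = server_telemetry(server)
    return report


# Gateway from the thread, reduced to the fields the check reads.
THREAD_GATEWAY = {"kind": "Gateway", "metadata": {"name": "externalapi-egress"},
                  "spec": {"servers": [{"port": {"number": 443, "protocol": "TLS"},
                                        "hosts": ["externalapi.mydomain.com"],
                                        "tls": {"mode": "PASSTHROUGH"}}]}}
# Constructed variant (hypothetical name): the server terminates mesh mTLS,
# as in a TLS-origination setup, so the gateway proxy sees the HTTP requests.
ORIGINATING_GATEWAY = {"kind": "Gateway", "metadata": {"name": "externalapi-origination"},
                       "spec": {"servers": [{"port": {"number": 80, "protocol": "HTTPS"},
                                             "hosts": ["externalapi.mydomain.com"],
                                             "tls": {"mode": "ISTIO_MUTUAL"}}]}}

if __name__ == "__main__":
    for key, kind in audit([THREAD_GATEWAY, ORIGINATING_GATEWAY]).items():
        print(key, "->", kind)
```

The check covers only the gateway hop; whether TLS is then originated towards the external host depends on a DestinationRule that is not modelled here.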