Egress traffic to multiple ports on same server

I'm trying to achieve the following:

  1. Egress traffic from local istio-proxy sidecar --> egress g/w --> ExtServerIP:Port1
  2. Egress traffic from local istio-proxy sidecar --> egress g/w --> ExtServerIP:Port2

The application invokes path #1 via http://ExtServerIP:Port1 and path #2 via http://ExtServerIP:Port2.
Following are the resources that were attempted but were not successful. Using the Istio 1.4 release.


```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: srv1-example-com-direct-hook-to-egress-gateway-vs
  namespace: app-ns
spec:
  exportTo:
  - .
  gateways:
  - mesh
  hosts:
  - 10.10.10.10
  http:
  - headers:
      request:
        set:
          host: srv1.example.com
    match:
    - gateways:
      - mesh
      port: 3002
    route:
    - destination:
        host: istio-egressgateway-li.app-ns.svc.cluster.local
        port:
          number: 443
        subset: srv1-example-com
      weight: 100

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: srv1-example-com-direct-through-egress-gateway-vs
  namespace: app-ns
spec:
  exportTo:
  - .
  gateways:
  - srv1-example-com-egress-gw
  hosts:
  - srv1.example.com
  http:
  - match:
    - gateways:
      - srv1-example-com-egress-gw
      port: 443
    route:
    - destination:
        host: srv1.example.com
        port:
          number: 3002
      weight: 100

---

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: srv1-example-com-egress-gateway-subset-dr
  namespace: app-ns
spec:
  exportTo:
  - .
  host: istio-egressgateway-li.app-ns.svc.cluster.local
  subsets:
  - name: srv1-example-com
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 443
        tls:
          mode: ISTIO_MUTUAL
          sni: srv1.example.com

---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: srv1-example-com-egress-gw
  namespace: app-ns
spec:
  selector:
    istio: app-ns-egressgateway-li
  servers:
  - hosts:
    - srv1.example.com
    port:
      name: https-port-443
      number: 443
      protocol: HTTPS
    tls:
      caCertificates: /etc/certs/root-cert.pem
      minProtocolVersion: TLSV1_1
      mode: MUTUAL
      privateKey: /etc/certs/key.pem
      serverCertificate: /etc/certs/cert-chain.pem

---

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: srv1-example-com-external-host-se
  namespace: app-ns
spec:
  addresses:
  - 10.10.10.10
  endpoints:
  - address: 10.10.10.10
  exportTo:
  - .
  hosts:
  - srv1.example.com
  ports:
  - name: https
    number: 3002
    protocol: HTTPS
  resolution: STATIC

---

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: srv1-example-com-secure-port-dr
  namespace: app-ns
spec:
  exportTo:
  - .
  host: srv1.example.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 3002
      tls:
        caCertificates: /etc/app/ca-certs/ca-chain.cert.pem
        clientCertificate: /etc/app/certs/tls.crt
        mode: MUTUAL
        privateKey: /etc/app/certs/tls.key
        sni: srv1.example.com
```

The observation is that only port 80 on the mesh gateway works; if any other port (e.g. 3002 here) is specified, the flow goes through the tcp filter, as seen in the logs.

Any help here?

I've also attempted using a header as the differentiator, e.g. x-egress-port: 3002 to route to 3002 and x-egress-port: 4002 to route to 4002 in the virtual service, but noticed that the set of resources for the second port config was not added but skipped, as the listener was seen as a duplicate:
"duplicate/locked listener '{}'. no add/update"
Not sure if this is because the IP and port:80 are the same.


```json
"name": "80",
"virtualHosts": [
  {
    "name": "10.10.10.10:80",
    "domains": [
      "10.10.10.10",
      "10.10.10.10:80"
    ],
    "routes": [
      {
        "match": {
          "prefix": "/",
          "caseSensitive": true,
          "headers": [
            {
              "name": "x-egress-port",
              "exactMatch": "3002"
            }
          ]
        },
```


Two basic questions here would be:

  1. Does the config (1.4 release) allow ports other than 80 and 443 for the 'mesh' gateway?
  2. If the application-specified port is 80, is it possible to split the traffic to multiple destination ports based on an HTTP header?

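Added example, not from the thread or from Istio's own samples: one way to declare both external ports in a single ServiceEntry and a single mesh-side VirtualService, so the sidecar builds an HTTP listener per port (the `HTTPS` protocol in the posted ServiceEntry is what makes the sidecar treat 3002 as opaque TLS and hand it to the tcp filter) and only one route resource exists for host 10.10.10.10, which is what the duplicate-listener message is about. Port 4002 is an assumed second port, and the x-egress-port header carries the port choice to the gateway-side VirtualService, which then matches on it.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata: {name: srv1-example-com-external-host-se, namespace: app-ns}
spec:
  exportTo: ["."]
  hosts: [srv1.example.com]
  addresses: [10.10.10.10]
  endpoints: [{address: 10.10.10.10}]
  resolution: STATIC
  ports:   # HTTP, not HTTPS: the sidecar then builds HTTP listeners that the http rules below can match
  - {name: http-3002, number: 3002, protocol: HTTP}
  - {name: http-4002, number: 4002, protocol: HTTP}   # 4002 is an assumed second external port
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService   # sidecar side: one resource holds both port matches
metadata: {name: srv1-example-com-direct-hook-to-egress-gateway-vs, namespace: app-ns}
spec:
  exportTo: ["."]
  gateways: [mesh]
  hosts: [10.10.10.10]
  http:
  - match: [{gateways: [mesh], port: 3002}]
    headers: {request: {set: {host: srv1.example.com, x-egress-port: "3002"}}}
    route:
    - destination: {host: istio-egressgateway-li.app-ns.svc.cluster.local, port: {number: 443}, subset: srv1-example-com}
  - match: [{gateways: [mesh], port: 4002}]
    headers: {request: {set: {host: srv1.example.com, x-egress-port: "4002"}}}
    route:
    - destination: {host: istio-egressgateway-li.app-ns.svc.cluster.local, port: {number: 443}, subset: srv1-example-com}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService   # gateway side: pick the upstream port from the header set by the sidecar
metadata: {name: srv1-example-com-direct-through-egress-gateway-vs, namespace: app-ns}
spec:
  exportTo: ["."]
  gateways: [srv1-example-com-egress-gw]
  hosts: [srv1.example.com]
  http:
  - match: [{gateways: [srv1-example-com-egress-gw], port: 443, headers: {x-egress-port: {exact: "3002"}}}]
    route: [{destination: {host: srv1.example.com, port: {number: 3002}}}]
  - match: [{gateways: [srv1-example-com-egress-gw], port: 443, headers: {x-egress-port: {exact: "4002"}}}]
    route: [{destination: {host: srv1.example.com, port: {number: 4002}}}]
```

The Gateway, the egress subset DestinationRule and the mTLS-origination DestinationRule stay as posted, except that the latter needs a second portLevelSettings entry for 4002 so the gateway originates mutual TLS on that port too.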
Is there any update here? I'm trying to achieve almost the same setup, where some pods require Active Directory authentication and the AD server is outside of the kubernetes cluste