What is the order of evaluation between features or actions specified by VirtualService objects and those specified by AuthorizationPolicy objects?
That is, does VirtualService routing happen before or after AuthorizationPolicy access checking?
For example, if a given VirtualService VS would (without the following AuthorizationPolicy) return a redirection for a given request, and a given AuthorizationPolicy AP with a DENY action would (without the preceding VirtualService) block access for that given request, then if both VS and AP are used, will Istio return a redirection (per VS) or block access (per AP) for that given request?
Relatedly, if a VirtualService that is configured to rewrite a URI path of /a to /b is used with an AuthorizationPolicy that is configured to block requests with a path of /a, is a request with a path of /a routed per the VirtualService or blocked per the AuthorizationPolicy? What about with an AuthorizationPolicy configured to block /b?
Generally, between two Envoys, the VirtualService is evaluated in the client-side Envoy and the AuthorizationPolicy is evaluated in the server-side Envoy. So you could think that the VirtualService is evaluated before the AuthorizationPolicy in this case.
When inside a single Envoy, the authorization policy is evaluated before the virtual service.
For example, if a given VirtualService VS would (without the following AuthorizationPolicy) return a redirection for a given request, and a given AuthorizationPolicy AP with a DENY action would (without the preceding VirtualService) block access for that given request, then if both VS and AP are used, will Istio return a redirection (per VS) or block access (per AP) for that given request?
This depends on where you applied the VS and AuthZ policy. Consider the following two cases:
VS applied to Ingress gateway and AuthZ policy applied to a backend workload, the VS will take effect first causing the request first to be redirected;
VS and AuthZ policy applied to the same workload (or ingress gateway), the AuthZ will take effect first causing the request to be rejected.
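
The second case from the answer above, written out as configuration. This is an added example, not part of the original thread; the Gateway name, host, namespace and labels are assumptions.

```yaml
# Constructed example: names, host, namespace and labels are assumptions.
# Both objects target the same Envoy (the ingress gateway), so the DENY
# policy is evaluated before the VirtualService and the request is rejected.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-redirect
  namespace: istio-system
spec:
  hosts:
  - app.example.com
  gateways:
  - public-gw                 # hypothetical Gateway served by the ingress gateway
  http:
  - match:
    - uri:
        prefix: /a
    redirect:
      uri: /b                 # what the VS alone would return for /a
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ap-deny-a
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway   # same workload the VirtualService is applied to
  action: DENY
  rules:
  - to:
    - operation:
        paths: ["/a", "/a/*"] # matched against the path as received, before routing
```

To get the first case instead, keep the VirtualService on the gateway and create the AuthorizationPolicy in the backend's namespace with a selector for the backend workload's labels; the gateway then answers /a with the redirect before the backend's policy is consulted.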