How to use the gateway in inbound mesh expansion

I tried to follow the documentation to set up inbound mesh expansion with 1.1 on a bare-metal cluster to access in-cluster services from a VM outside of the cluster.

My requests end in a timeout, and they seem to get sent directly to the target pod (and some data directly to a telemetry pod) instead of being sent to the gateway. My podCIDR is not routable from outside the cluster. With the support for multi-cluster I expected this to work in 1.1 by routing through the gateway.

Am I mistaken here and podCIDR must still be routable for inbound mesh expansion, or am I just missing some configuration?


Does anybody here have an idea regarding this topic?

I’m facing almost the same thing.

I guess a mesh expansion machine (VM) cannot access Kubernetes services if it cannot reach the IP addresses of the endpoints (Pods) directly. (The document you used says “Mesh expansion machines must have IP connectivity to the endpoints in the mesh.”)

But is it possible to set the endpoint of Istio Mixer for the mesh expansion machine’s Envoy to the Istio gateway IP address? If so, can we collect the metrics of the mesh expansion machine’s Envoy even if the mesh expansion machine cannot reach the IP addresses of the endpoints (Pods)? If anyone knows, I’d be glad if you let us know. Thanks.