Ingress-gateway TCP routing per host?

I am trying to expose a TCP service but I noticed that I need to reserve a port on the ingress-gateway for each service that I want to expose.
Is there a way to use hostname to route TCP traffic sharing the same port?

Ignore Istio for a moment. On a normal internet-facing server, you need to reserve a port for every TCP or UDP service that you want to expose. Istio doesn’t have any new magic to add here.

At the HTTP level, there’s a little more to work with. Inbound requests look like this:

GET / HTTP/1.1
Host: developer.mozilla.org

That Host entry gives the server a way of routing requests to different “services” on a single shared port. But that is HTTP-specific. In the general case, there’s nothing like that for TCP.

You could use an Authorization Policy if you have known client IPs, I suppose.

Or maybe you could create multiple ingress gateways, in which case you’d be trading multiple IP addresses for multiple ports. I don’t know if multiple ingress gateways is a supported configuration.


Thank you, you made it very clear

The Istio ingress gateway TCP listening node port is fixed. All requests can be sent to that port, but in addition with SSL, where SNI can convey the “logical” DNS name, creating an Istio Gateway CR for every such DNS name with the proper TLS setting and certificate can enable Istio to route to the backend service via a VirtualService CR attached to such a Gateway.

Basically a client can be configured to send to a fixed target host/IP:port, while using the SNI of the TLS handshake to tell Istio the “logical” host name which Istio will do the routing with. This is an “equivalent” to the Host header in HTTP/HTTPS.
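As an added illustration of the SNI-based arrangement described in the post above (this is example configuration, not manifests from the original thread or from the Istio project), here is one Gateway on port 443 in TLS passthrough mode, with a VirtualService per logical hostname that matches on the SNI value and forwards the raw TCP stream to the right backend. The gateway name, the two hostnames `db-a.example.internal` / `db-b.example.internal`, the backend Service names and the port 5432 are all assumed for the example.

```yaml
# Added example: SNI-based TCP routing on one shared ingress port.
# Assumed names: gateway "tcp-sni-gateway", hosts db-a/db-b.example.internal,
# backend Services db-a and db-b in namespace "default" listening on 5432.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: tcp-sni-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: tls-passthrough
        protocol: TLS
      tls:
        # PASSTHROUGH: the gateway only reads the cleartext SNI from the
        # ClientHello and never terminates TLS; the backend holds the cert.
        mode: PASSTHROUGH
      hosts:
        - "db-a.example.internal"
        - "db-b.example.internal"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: db-a-sni
  namespace: default
spec:
  hosts:
    - "db-a.example.internal"
  gateways:
    - istio-system/tcp-sni-gateway
  tls:
    - match:
        - port: 443
          sniHosts:
            - "db-a.example.internal"
      route:
        - destination:
            host: db-a.default.svc.cluster.local
            port:
              number: 5432
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: db-b-sni
  namespace: default
spec:
  hosts:
    - "db-b.example.internal"
  gateways:
    - istio-system/tcp-sni-gateway
  tls:
    - match:
        - port: 443
          sniHosts:
            - "db-b.example.internal"
      route:
        - destination:
            host: db-b.default.svc.cluster.local
            port:
              number: 5432
```

Two practitioner caveats: the client has to actually send SNI (most TLS libraries do when given a hostname rather than an IP, so point the client at the DNS name, not the gateway IP), and SNI is unauthenticated cleartext, so it selects the backend but must not be treated as proof of who the client is; authorization still belongs at the backend or in an Istio AuthorizationPolicy on the workload. If the gateway is meant to terminate TLS instead of passing it through, the server's `tls` block uses `mode: SIMPLE` with a per-host certificate, which is the variant the post above is describing.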

Problem is that I wanted to facilitate communication inside our network, from a non-Kubernetes to a Kubernetes resource, so I doubt SSL can offer anything there - if anything it’s a performance impediment and performance is usually an issue on TCP apps. Thanks anyway