Intra Cluster private Communication

Hi there!

Maybe some of you can give me some hints how to accomplish the following:


  1. I have two k8s clusters running on different sites.
  2. We established a policy, where every service should be published by ingress / https wherever possible.
  3. We plan to deploy an application on both sites, which depend on a mysql instance
  4. Between the mysql instances on both sites, we need to setup mysql replication, which uses a TCP based protocol on port 3306. This should not be published to the internet.

“Classic” Solution:
Create a Service type: LoadBalancer on each site, setup Routing / NAT / VPN between the firewalls, and go.

I don’t wanna go this route, because I need a distinct IP for each upcoming application, and I need external networking setup / configuration for each application too.

I ask if this should no be possible using istio proxies? I expect it to be like:

  1. Run istio on both sites
  2. Both sites establish a tunnel and talk to each other with HTTP2, authenticated by mutal authentication
  3. I have a local service on each site, representing the remote tcp endpoint.
  4. Each established tcp connection, and the data that is being exchanged, is encapsulated by istio within the HTTP2 tunnel.
  5. I configure mysql replication to the local service, which is transparently tunneled to the other cluster.

Can you tell me if this is possible with istio, and give me some hints about the configuration.


It is possible with east-west gateway to allow cross network service communication. No http2 tunnel is needed, gateway works in sni-dnat mode.

Hi @hzxuzhonghu, Thank you for your instant answer!

Can you share some documentation links or examples how to setup an east-west gateway?

Regarding the sni-dnat mode: How does this look like to the (cluster) external network infrastructure? Because of the ‘sni’ term I think this is an tls based protocol?