Istio outbound https traffic troubleshooting

Bogdanp · July 18, 2022, 9:38am

I have 2 AKS clusters, Cluster 1 and Cluster 2 both running Istio 1.14 minimal out-of-the-box (default configs).

Everything on Cluster 1 works as expected (after deploying Istio).

On Cluster 2, all HTTPS outbound connections initiated from my services (injected with istio-proxy) fail.

curl http://www.google.com  #works
curl https://www.google.com #fails

If I create a service entry for google, then the https curl works:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - www.google.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL

Both Istio installations are out-of-the-box so meshConfig.outboundTrafficPolicy.mode is set to ALLOW_ANY (double-checked).

I’m starting to think the problem may lie in some cluster configs because I know there are some differences between the 2 clusters here.

How would you go about troubleshooting this? Do you think the issue is related to Istio or Cluster services/configs? What should I look into first?

hzxuzhonghu · July 18, 2022, 9:46am

Try to dump the outbound listener and router for 443

Bogdanp · July 18, 2022, 9:50am

could you give a little more details as to how I would do that? Thanks

Topic		Replies	Views
Outbound HTTPS traffic to Internal Service from istio-sidecar Networking	0	488	February 13, 2020
Send-proxy-v2-ssl with engressgateway dont work Networking	6	465	August 31, 2023
External service https downgraded to http	1	368	June 7, 2023
External access https not passing through istio-proxy Networking	0	466	March 13, 2020
Can't route to an external https service (error 35) Networking	2	2935	February 26, 2019

Istio outbound https traffic troubleshooting

Related Topics