Original source ip address of client

Hi Community,

We are trying to understand the behavior of “preserving the original source IP address of the client”.

We have referred to the following wiki:

We have the following test setup:
(1) one kubernetes cluster having two nodes node1 and node2
(2) istio ingress-gateway pod running on node1
(3) httpbin pod running on node2
(4) a gateway and virtual-service have been created to route traffic from the istio-ingressgateway service to the httpbin pod

We have the following flow:
external traffic → istio ingress-gateway service (load balancer) → istio ingress-gateway pod → httpbin service → httpbin pod

We have been testing with Azure and GCP (Network Load Balancer).

We have set externalTrafficPolicy to Local.

We are firing the following call:
curl --connect-to httpbin.example.com:80:istio_ingress_gateway_external_ip:80 http://httpbin.example.com/get?show_env=1

Now, from the response, we are getting an “X-Forwarded-For” header which contains the source IP address (which is different from the node IP address).

We have the following queries:
(1) According to the Istio wiki, if the istio ingress-gateway pod is not running on every node, then the traffic will be dropped. In our test setup there is no istio ingress-gateway pod on node2, but it is not dropping the traffic.
(2) Setting ‘externalTrafficPolicy to Local’ should prevent sending traffic to other nodes. In our test setup, we observe that the traffic is sent to node2.

Can anyone please help us with whether we are missing something, or whether the Istio wiki needs to be explained further?
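As an added example (not part of the original post), here is a small checker for the X-Forwarded-For test described above: it takes the httpbin /get?show_env=1 response and classifies the address the ingress gateway saw as the real client (preserved), a node IP (kube-proxy SNAT, what externalTrafficPolicy: Cluster does on a cross-node hop) or a pod IP. Note that externalTrafficPolicy only governs the load balancer/NodePort hop into the ingress-gateway pod; the later hop from the gateway to the httpbin Service is ordinary in-cluster traffic and may land on any node. The response JSON, node CIDR and pod CIDR below are constructed placeholders, not values from the poster's cluster.

```python
import ipaddress
import json

# Constructed sample of an httpbin /get?show_env=1 response (not captured from
# the poster's cluster). The gateway's Envoy appended the peer address it saw.
SAMPLE_RESPONSE = json.dumps({
    "headers": {
        "Host": "httpbin.example.com",
        "X-Forwarded-For": "203.0.113.45",
        "X-Forwarded-Proto": "http",
    },
    "origin": "203.0.113.45",
    "url": "http://httpbin.example.com/get?show_env=1",
})

# Hypothetical cluster ranges: node subnet and pod CIDR of the test cluster.
NODE_CIDRS = ["10.240.0.0/16"]
POD_CIDRS = ["10.244.0.0/16"]


def peer_seen_by_gateway(response_json: str) -> str:
    """Return the address the ingress gateway saw as its immediate peer.

    X-Forwarded-For is a comma-separated chain; the rightmost entry is the one
    appended by the last proxy (here the Istio ingress gateway), so it is the
    only entry that reflects what the gateway itself observed.
    """
    headers = json.loads(response_json).get("headers", {})
    xff = headers.get("X-Forwarded-For", "")
    if not xff:
        raise ValueError("no X-Forwarded-For header in response")
    return xff.split(",")[-1].strip()


def classify_source(addr: str, node_cidrs, pod_cidrs) -> str:
    """'preserved' if the client IP survived the LB hop, otherwise which
    in-cluster address range (node or pod) it was rewritten to."""
    ip = ipaddress.ip_address(addr)
    if any(ip in ipaddress.ip_network(c) for c in node_cidrs):
        return "node-snat"  # kube-proxy SNAT: externalTrafficPolicy Cluster
    if any(ip in ipaddress.ip_network(c) for c in pod_cidrs):
        return "pod-snat"   # rewritten by an in-cluster hop
    return "preserved"      # externalTrafficPolicy Local / passthrough LB


def check_response(response_json: str, node_cidrs=NODE_CIDRS, pod_cidrs=POD_CIDRS) -> str:
    return classify_source(peer_seen_by_gateway(response_json), node_cidrs, pod_cidrs)


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))  # preserved
```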
