Pod to pod communication

Can anyone help me understand how Pod to Pod communication works in Istio with Istio Proxy side car?

Our scenario…

We are using path-based routing. Let's say we have two applications, app1 and app2, and they have the URLs https://myhost.abcd.com/app1 and https://myhost.abcd.com/app2. When the request comes from the ingress, all is well and we understood it using a Gateway and VirtualService, but what if app1 wants to talk to app2? We don't want app1 to first go to the ingress and then reach app2…

How to implement efficient pod to pod communication?

Did you attempt sending a message from app1 to app2 using the service? It should traverse directly without hitting the ingress unless traffic is explicitly routed egress -> ingress using the resources needed for that.

So it should be just like the way we communicate outside the service mesh, right?

No, within your service mesh you would generally address the other pod by its service name; with all the magic of the istio-init container and istio-proxy sidecar the message would arrive at the destination pod. For external traffic you would address the external peer using its FQDN / IP, for which Istio has documentation on egress traffic.

This is pretty seamless. If I go by your example, it is two routes in the same service. In that case, from app1 to app2 you would do a localhost:/app2 from app1.

But say you have two services, Service1 and Service2, each being accessible like https://service1.mydomain.com and https://service2.mydomain.com, and say you have deployed them in the namespace dev. So now if Service1 wants to connect to Service2, you would simply call service2 like http://service2 from Service1, and underneath Kubernetes would make it an FQDN like service2.dev.svc.cluster.local

Hope that helps

Check this nice video - Life of packet.
It is explained with the older architecture, but I think it is even better for actually understanding what is happening in the code of Istio and Kubernetes.

Hopefully it helps; if not, let's continue the thread.

Cool, this is what I did and it is working. I tested it using the curl command with an http-based URL… Now I want to implement mTLS so that communication between pods happens only over https and not http. I implemented mTLS using PeerAuthentication at the namespace level as well as the cluster level. After implementing it, I am still able to use curl with the http-based URL and not the https-based one. Am I missing something?
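Added example, not from the thread: the two PeerAuthentication policies the last post describes (namespace `dev` from the thread, and the mesh-wide one in the Istio root namespace, assumed to be the default `istio-system`), with comments on what STRICT does and does not change for the application's URL. An `http://service2` call from app1 keeps working under STRICT because app1 only talks plaintext to its own sidecar on localhost; the sidecar originates mTLS to app2's sidecar, which terminates it and hands plaintext to app2, so the application URL scheme is not evidence either way.

```yaml
# Namespace-scoped policy: every sidecar in "dev" accepts only mTLS
# connections from other sidecars. The application still listens on
# plain HTTP; encryption happens on the sidecar-to-sidecar hop.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default          # the conventional name for a namespace's policy
  namespace: dev
spec:
  mtls:
    mode: STRICT         # PERMISSIVE (Istio's default) still accepts plaintext
---
# Mesh-wide policy: placed in the root namespace (istio-system unless the
# mesh was installed with a different rootNamespace), it applies to every
# namespace that has no more specific PeerAuthentication of its own.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

To see STRICT take effect, run the same `curl http://service2.dev.svc.cluster.local` from a pod that has no sidecar (for example in a namespace without injection): under STRICT the sidecar in front of service2 refuses the plaintext connection, whereas under PERMISSIVE it succeeds.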