The ingress gateway is located behind an AWS ELB (classic) using NodePort, and I want to route TCP traffic in a VirtualService based on client IP.
When using HTTP, it works with the configuration below.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app-vservice
  namespace: test
spec:
  hosts:
  - "app-service"
  http:
  - match:
    - headers:
        x-forwarded-for:
          exact: 126.96.36.199
    route:
    - destination:
        host: app-service
        subset: v2
  - route:
    - destination:
        host: app-service
        subset: v1
```
To get the client IP address for TCP, the proxy protocol of the ELB is enabled, but there isn’t a headers field for tcp in VirtualService.
I can extract the real client IP address using proxy protocol as follows.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proxy-protocol
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        listener_filters:
        - name: envoy.listener.proxy_protocol
        - name: envoy.listener.tls_inspector
```
And how can TCP traffic be routed based on client ip address?