Using same port with different protocols

#1

Hello, Istio community,

Istio version: 1.0.5

I have two services, one inside the mesh and another outside the mesh. Both expose port 8443, but one uses http and the other uses https as the port name. When I curl the http service from another pod in the mesh, I see the outbound calls to the https service from the Envoy proxy container, but the request succeeds.

Later I found this: https://istio.io/docs/setup/kubernetes/spec-requirements/
and I changed the port name of https to http, and I see the correct logs in the Envoy sidecar container.

Looking for info on what exactly is happening here and what Istio does with the port name.

Thanks

#2

The port name helps us set up the right Envoy config for traffic to that port (plus VIP). K8S does not have a way of specifying different protocols. So we resort to port names…

#3

Thanks @rshriram, just a follow-up question: what happens when two services use the same port with different port names (http & https)?

What does Istio recommend to avoid these situations?

Thanks

#4

That’s equivalent to saying two protocols on the same port. Envoy does not support that. The exception being the https service having a VIP. If your app accesses this https service using the VIP, then you are good.

All services get a VIP in Kubernetes. So it shouldn’t be an issue if both are in Kubernetes. If https is defined via a service entry, make sure to use the addresses field to specify the VIPs or CIDRs, if any.
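
A lint-style check for the situation described in replies #2 and #4, as an added example that is not part of the original thread or Istio's own code: it derives each port's protocol from its name and reports ports shared by different protocols where a non-HTTP service has no VIP. The record layout, the function names, the sample services and the prefix list are assumptions, as is extending the https exception from reply #4 to any non-HTTP protocol.

```python
from collections import defaultdict

# Assumption: prefixes recognised in "<protocol>[-<suffix>]" port names.
# Any other name, or an unnamed port, is treated as plain tcp.
KNOWN_PREFIXES = {"http", "http2", "grpc", "https", "mongo", "redis", "tcp"}
HTTP_FAMILY = {"http", "http2", "grpc"}  # protocols handled as HTTP traffic


def protocol_of(port_name):
    """Return the protocol implied by a service port name."""
    prefix = (port_name or "").split("-", 1)[0].lower()
    return prefix if prefix in KNOWN_PREFIXES else "tcp"


def find_port_conflicts(services):
    """Report ports that carry several protocols where a non-HTTP
    service has no VIP (ClusterIP or ServiceEntry addresses)."""
    by_port = defaultdict(list)
    for svc in services:
        for port in svc["ports"]:
            by_port[port["number"]].append((svc, protocol_of(port.get("name"))))

    findings = []
    for number, entries in sorted(by_port.items()):
        protocols = {proto for _, proto in entries}
        if len(protocols) < 2:
            continue  # one protocol on this port: nothing to disambiguate
        needs_vip = sorted(
            svc["name"] for svc, proto in entries
            if proto not in HTTP_FAMILY and not svc.get("vips")
        )
        if needs_vip:
            findings.append({"port": number,
                             "protocols": sorted(protocols),
                             "needs_vip": needs_vip})
    return findings


# Constructed sample mirroring the question: an in-mesh http service and an
# external https service (no addresses set) that both use port 8443.
SAMPLE = [
    {"name": "in-mesh-http", "vips": ["10.0.0.12"],
     "ports": [{"number": 8443, "name": "http"}]},
    {"name": "external-https", "vips": [],
     "ports": [{"number": 8443, "name": "https"}]},
]

if __name__ == "__main__":
    for finding in find_port_conflicts(SAMPLE):
        print(finding)
```

Giving `external-https` an entry in `vips` (the equivalent of filling the service entry's addresses field) clears the finding.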

#5

Hi Shriram, can you provide more insight on how the specific port prefixes are understood by envoy?
Why do I need to specify, for example, http when http operates over tcp? Wouldn't tcp-* also suffice in any instance http-* works?