VirtualService configuration help

Hi Team,

Could you please help me understand the configuration of VirtualServices? Example of two VS:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app-health
spec:
  hosts:
  - application.my.site.com
  gateways:
  - mygw
  http:
  - match:
    - uri:
        exact: /health
    route:
    - destination:
        host: application-svc
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: swagger
spec:
  hosts:
  - "*"
  gateways:
  - mygw
  http:
  - match:
    - uri:
        prefix: /swagger
    route:
    - destination:
        host: swagger-svc

When I curl following:

I verified the route in istio-ingressgateway and it exists:

istioctl proxy-config route istio-ingressgateway
[
  {
    "name": "https.443.https.traefik-techfoundation-adhoc.adhoc",
    "virtualHosts": [
      {
        "name": "*:443",
        "domains": [
          "*",
          "*:443"
        ],
        "routes": [
          {
            "match": {
              "prefix": "/swagger",
              "caseSensitive": true
            },
            "route": {
              "cluster": "outbound|443||swagger-svc.ns.svc.cluster.local",

      }

      {
        "name": "application.my.site.com:443",
        "domains": [
          "application.my.site.com",
          "application.my.site.com:443"
        ],
        "routes": [
          {
            "match": {
              "path": "/health",
              "caseSensitive": true
            },
            "route": {
              "cluster": "outbound|443||application-svc.ns.svc.cluster.local",
              "timeout": "0s",

    ]
  }
]

Istio 1.3.0. If I delete the second VS - application.my.site.com/swagger - works.

Am I missing something?

The Envoy configuration that Istio produces will first do host-based matching, falling back to wildcards if defined. In your case the first VirtualService with host application.my.site.com gets matched when you curl application.my.site.com/swagger, but as it only defines a path for /health, /swagger will get a 404 NR.

To fix it you can add in the first VS, another match section for /swagger and route it to destination swagger-svc.
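
Added example (not part of the original posts, and not Istio or Envoy code): a simplified Python model of the lookup described in the answer above, using virtual hosts constructed from the istioctl output in the thread. It shows that a path miss inside the host-specific virtual host ends in 404 NR rather than reaching the wildcard routes, and that the suggested fix resolves it. The hostname other.example.com and all function names are assumptions, and prefix wildcards are left out.

```python
# Added example: simplified model of Envoy virtual-host selection.
# Not Istio/Envoy source. Prefix wildcards ("foo.*") are left out.

SWAGGER = "outbound|443||swagger-svc.ns.svc.cluster.local"
APP = "outbound|443||application-svc.ns.svc.cluster.local"

# Virtual hosts constructed from the istioctl output in the thread.
WILDCARD = {"domains": ["*", "*:443"],
            "routes": [{"prefix": "/swagger", "cluster": SWAGGER}]}
APP_VH = {"domains": ["application.my.site.com", "application.my.site.com:443"],
          "routes": [{"path": "/health", "cluster": APP}]}
# The suggested fix: the host-specific virtual host also carries /swagger.
APP_VH_FIXED = {"domains": APP_VH["domains"],
                "routes": APP_VH["routes"] + [{"prefix": "/swagger", "cluster": SWAGGER}]}


def select_vhost(vhosts, host):
    """Choose exactly one virtual host: exact domain, else most specific wildcard."""
    for vh in vhosts:
        if host in vh["domains"]:
            return vh
    wild = [(d, vh) for vh in vhosts for d in vh["domains"]
            if d.startswith("*") and host.endswith(d[1:])]
    return max(wild, key=lambda p: len(p[0]))[1] if wild else None


def match_route(vhost, path):
    """First matching route inside the chosen virtual host, or None."""
    for r in vhost["routes"]:
        if r.get("path") == path or ("prefix" in r and path.startswith(r["prefix"])):
            return r["cluster"]
    return None


def route(vhosts, host, path):
    """Return the upstream cluster, or '404 NR' when no route matches."""
    vh = select_vhost(vhosts, host.lower())
    # No second pass: a miss in the selected virtual host is final.
    return (match_route(vh, path) if vh else None) or "404 NR"


if __name__ == "__main__":
    for name, cfg in (("original", [WILDCARD, APP_VH]), ("fixed", [WILDCARD, APP_VH_FIXED])):
        for host, path in (("application.my.site.com", "/health"),
                           ("application.my.site.com", "/swagger"),
                           ("other.example.com", "/swagger")):  # constructed hostname
            print(name, host, path, "->", route(cfg, host, path))
```
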

Thank you a lot for clarification.
Do you happen to know if it is possible to change this: fail to wildcard after host matching?

Well, it does fall back to wildcard if the host doesn’t match. What you want, I’m guessing, is if the host + path don’t match, still fall back to wildcard.

I don’t think we support this use case as there are security implications of doing this.

Got it. Thank you very much!