Passthrough of sidecar traffic¶
Traffic passthrough refers to the fact that all or part of the upstream and downstream traffic of the workload is directly sent to the workload itself without being forwarded by the sidecar.
The DCE 5.0 service mesh realizes the controllable sidecar passthrough of workload outbound/inbound traffic, and can implement interception settings for specific ports and IP segments.
- Feature setting object: Workload
- Setting parameters: port, IP segment
- Flow direction: inbound, outbound
Fields related to traffic passthrough:
traffic.sidecar.istio.io/excludeInboundPorts
traffic.sidecar.istio.io/excludeOutboundPorts
traffic.sidecar.istio.io/excludeOutboundIPRanges
Enable traffic passthrough¶
This section explains how to enable/disable traffic passthrough on the DCE GUI.
-
Enter a mesh, click Mesh Sidecar -> Workload .
-
Click ⋮ on the right side of a workload, and select Traffic passthrough Settings in the pop-up menu.
-
After setting the parameters for traffic passthrough, check Restart now , and click Confirm changes .
- Inbound: Only ports are supported, i.e. ports for external access to workloads within the mesh
- Outbound: You can set the port or IP range of the target
-
If the settings are correct, there will be a prompt message Traffic passthrough setup successful in the upper right corner. You can also check the traffic passthrough effect.
-
If traffic passthrough is enabled, the pop-up window of Traffic passthrough settings in step 3 above will display the set parameters, click the x on the right, check Restart workload now , and click Confirm changes to Disable traffic passthrough.
Check traffic passthrough effect¶
In a real mesh cluster, check the effect before and after traffic passthrough.
-
Preparations
- Prepare a mesh cluster, for example 10.64.30.130
- In the namespace, configure the workload helloworld and inject sidecars
- Enable traffic passthrough, and then compare the traffic routing changes of the workload
-
Log in to the mesh via console or ssh.
-
Check the svc in the namespace to get the clusterIP and Port:
-
Run the curl command to view the traffic routing of helloworld:
=== "Before enabling traffic passthrough"
```bash $ curl -sSI 10.211.201.221:5000/hello HTTP/1.1 200 OK content-type: text/html; charset=utf-8 content-length: 65 server: istio-envoy # (1) date: Tue, 07 Feb 2023 03:08:33 GMT x-envoy-upstream-service-time: 100 x-envoy-decorator-operation: helloworld.default.svc.cluster.local:5000/* ``` 1. The traffic passes through istio-envoy, the proxy of the sidecar
=== "After enabling traffic passthrough"
```bash $ curl -sSI 10.211.201.221:5000/hello HTTP/1.0 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 65 Server: Werkzeug/0.12.2 Python/2.7.13 # (1) Date: Tue, 07 Feb 2023 03:08:10 GMT ``` 1. Traffic goes directly to the workload itself