Istio ingress and egress gateways purpose
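I can't understand what traffic is controlled by the ingress and egress Istio gateways.
- For example, an application sets up listeners on an MQ queue. Is this an example of ingress or egress traffic?
I thought that where the application initiates the connection, then this traffic will be directed to the egress gateway. Conversely, if the application is an endpoint, then traffic must be routed through the ingress gateway.
- Let's say application A is an external service to application B. Application A makes a REST request to B. Should this request be routed through ingress?
Now application B makes a REST request to A. Should traffic go through egress now?
Let's start with some theory. I found a few resources that describe how the Istio ingress gateway and egress gateway work.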
Istio documentation
Istio uses ingress and egress gateways to configure load balancers executing at the edge of a service mesh. An ingress gateway allows you to define entry points into the mesh that all incoming traffic flows through. Egress gateway is a symmetrical concept; it defines exit points from the mesh. Egress gateways allow you to apply Istio features, for example, monitoring and route rules, to traffic exiting the mesh.
Istio in action book
For our applications and services to provide anything meaningful, they’re going to need to
interact with applications that live outside of our cluster. That could be existing monolith
applications, off-the-shelf software, messaging queues, databases, and 3rd party partner systems.
To do this, operators will need to configure Istio to allow traffic into the cluster and be very
specific about what traffic is allowed to leave the cluster.
The Istio components that provide this functionality are the istio-ingressgateway and
istio-egressgateway.
This picture shows it nicely
Banzaicloud
An ingress gateway serves as the entry point for all services running within the mesh.
egress gateways are exit points from the mesh that allow us to apply Istio features. This includes applying features like monitoring and route rules to traffic that’s exiting the mesh.
About your questions
For example, an application sets up listeners on an MQ queue. Is this an example of ingress or egress traffic? I thought that where the application initiates the connection, then this traffic will be directed to the egress gateway. Conversely, if the application is an endpoint, then traffic must be routed through the ingress gateway.
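I'm not familiar with message queues, but based on the picture above, let's assume the consumers are inside the mesh, so the producer service would have to get there through the ingress gateway.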
[Producer Service] -> ingress gateway -> [envoy sidecar -> Consumer Service]
So yes, the traffic must be routed through the ingress gateway.
Let's say application A is an external service to application B. Application A makes a rest request to B. Should this request be routed through ingress? Now application B makes a rest request to A. Should traffic go through egress now?
If a service inside the service mesh wants to talk to an external service, we should start by configuring egress and a service entry.
Because all outbound traffic from an Istio-enabled pod is redirected to its sidecar proxy by default, accessibility of URLs outside of the cluster depends on the configuration of the proxy. By default, Istio configures the Envoy proxy to passthrough requests for unknown services. Although this provides a convenient way to get started with Istio, configuring stricter control is usually preferable.
As far as I know, this is how the traffic would look.
appA -> external service outside the mesh
appB -> injected service in the istio mesh
Let's say you want to use curl from appA to appB
[app A](curl ingress-external-ip/specific path or port) -> ingress gateway -> [envoy sidecar -> appB]
Let's say you want to use curl from appB to appA
[appB -> envoy sidecar](curl appA) -> egress gateway -> [appA]
If you have any questions or want to discuss something, let me know in the comments.
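The appB -> egress gateway -> appA path described in the answer above, written out as Istio configuration. This is an added example, not part of the original answer: the host appa.example.com and the resource names are assumptions, and the egress gateway label and service name assume a default Istio install in istio-system.

```yaml
# Assumed: appa.example.com stands in for external appA; names are hypothetical.
# Mesh-wide, meshConfig.outboundTrafficPolicy.mode: REGISTRY_ONLY replaces the
# default ALLOW_ANY passthrough, so only hosts registered below are reachable.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata: {name: appa-external}
spec:
  hosts: [appa.example.com]
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - {number: 80, name: http, protocol: HTTP}
---
# Listener for appA's host on the egress gateway pods (default install label).
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata: {name: appa-egress}
spec:
  selector: {istio: egressgateway}
  servers:
  - port: {number: 80, name: http, protocol: HTTP}
    hosts: [appa.example.com]
---
# Sidecars ("mesh") hand appA traffic to the egress gateway, which forwards it on.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: appa-via-egress}
spec:
  hosts: [appa.example.com]
  gateways: [mesh, appa-egress]
  http:
  - match:
    - {gateways: [mesh], port: 80}
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port: {number: 80}
  - match:
    - {gateways: [appa-egress], port: 80}
    route:
    - destination:
        host: appa.example.com
        port: {number: 80}
```

Routing rules alone do not stop a workload from bypassing its sidecar, so pair this with a Kubernetes NetworkPolicy that lets only the egress gateway send traffic out of the cluster.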