Well done — that was a long module. Here's a compact, organized recap of the Istio traffic-management concepts you learned, with guidance about where to place configuration and what to expect on the exam.
- Sidecar proxy: intercepts inbound and outbound traffic for a workload. By default (the `ALLOW_ANY` outbound traffic policy) it forwards outbound traffic to any destination, including hosts outside the mesh. Use a `Sidecar` resource to restrict egress and limit which services a workload may reach.
- Mutual TLS (mTLS): enable mesh-wide, namespace-level, or workload-level mTLS with a `PeerAuthentication` resource and `mode: STRICT`. The mesh-wide policy is a `PeerAuthentication` named `default` in the root namespace (`istio-system` unless the mesh config changes it); namespace-level policies override it, and workload-level policies (with a selector) override both.
- VirtualService: controls runtime routing behavior: retries, timeouts, traffic mirroring/shadowing, fault injection (delays/aborts), and routing rules (weights, headers).
- DestinationRule: complements VirtualService by defining subsets, load-balancing policy, connection pools, and circuit breaking/outlier detection.
- EgressGateway and ServiceEntry: control traffic leaving the mesh and add external services to the service registry so that policies and telemetry apply to them.
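The two security-scoped resources from the list above, as an added example that is not part of the original module: a mesh-wide STRICT `PeerAuthentication`, a workload-level exception that keeps one legacy port PERMISSIVE, and a `Sidecar` that narrows a namespace's egress. The namespace `prod`, the label `app: legacy`, and port 8080 are placeholders chosen for the example.

```yaml
# Added example, not from the original module. Names, namespaces and ports
# are placeholders.
#
# 1. Mesh-wide mTLS: a PeerAuthentication named "default" in the root
#    namespace (istio-system unless meshConfig.rootNamespace changes it)
#    applies to every workload that has no narrower policy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT            # reject plaintext; only mTLS peers are accepted
---
# 2. Workload-level exception: a legacy app in "prod" still receives plaintext
#    health checks on port 8080 from outside the mesh. Keep everything else
#    STRICT and relax only that port. A workload policy (one with a selector)
#    overrides the namespace and mesh-wide policies for the matched pods.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-healthcheck
  namespace: prod
spec:
  selector:
    matchLabels:
      app: legacy
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE      # accept plaintext or mTLS on this one port only
---
# 3. Egress scoping: without a Sidecar resource every proxy in "prod" is
#    programmed with routes to every service in the mesh and, under the
#    default ALLOW_ANY outbound policy, can reach any external host. This
#    Sidecar (no workloadSelector, so it applies to the whole namespace)
#    limits the proxies to services in their own namespace plus istio-system
#    and drops traffic to destinations that are not in the service registry.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: prod
spec:
  egress:
  - hosts:
    - "./*"                 # services in the prod namespace
    - "istio-system/*"      # control plane and telemetry endpoints
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY     # unknown hosts are blocked instead of passed through
```

To verify the `Sidecar`, run a `curl` from a pod in `prod` to a service in another namespace or to an external host: the sidecar answers with an HTTP 502 and its access log shows the request going to `BlackHoleCluster`, which is Envoy's name for the blocked-destination cluster. To verify the mTLS policy, `istioctl x describe pod <pod>` reports the effective `PeerAuthentication` mode per port.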

VirtualService vs DestinationRule — what goes where
Use VirtualService to express how requests should be routed and manipulated at runtime:
- Traffic splitting (weights), header-based routing, path rewrites.
- Fault injection (delays, aborts), retries, timeouts, and mirroring via the `mirror` field.
Use DestinationRule to describe policy that applies to traffic once a destination has been chosen:
- Define `subsets` (e.g., v1, v2), selected by pod label, that a VirtualService can target.
- Set `trafficPolicy` for load balancing, connection pools, and circuit breakers (outlier detection, max connections, max pending requests).
| Resource | Primary Responsibility | Example / Notes |
|---|---|---|
| VirtualService | Routing, fault injection, retries, timeouts, mirroring | Use `mirror` to shadow traffic to a candidate service |
| DestinationRule | Subsets, load balancing, connection pools, circuit breaking | `trafficPolicy.connectionPool` and `trafficPolicy.outlierDetection` live here |
| PeerAuthentication | mTLS enforcement | `mode: STRICT` enforces mTLS for target workloads/namespaces |
| Sidecar | Limit egress and configure proxy scope for workloads | Controls which services the sidecar can reach; `outboundTrafficPolicy: REGISTRY_ONLY` blocks unknown hosts |
| ServiceEntry | Add external services to the Istio service registry | Required to apply policies/telemetry to external endpoints |
| EgressGateway | Centralized control of outbound traffic | Not a resource kind of its own: a `Gateway` bound to the `istio-egressgateway` deployment plus a `VirtualService` that routes through it. Useful when you must inspect, filter, or monitor egress traffic |

Mirroring, circuit breaking, and egress
- Traffic mirroring (also called traffic shadowing) sends a copy of live traffic to a candidate service without affecting the responses users receive: the mirrored request is fire-and-forget, its response is discarded, and Envoy appends `-shadow` to the Host/Authority header so the candidate can tell shadow traffic apart. Configure it in the `VirtualService` with the `mirror` field (and `mirrorPercentage` to sample; the default is 100%); the candidate subset is defined in a `DestinationRule` if needed.
- Circuit breaking prevents cascading failures. Configure limits such as `tcp.maxConnections`, `http.http1MaxPendingRequests`, and `outlierDetection` in a `DestinationRule` under `trafficPolicy`. Connection-pool limits make the proxy fail fast (HTTP 503) once they are exceeded; outlier detection removes hosts that keep returning errors from the load-balancing pool for a period.
- To observe and control traffic leaving the mesh, route it through an `EgressGateway`. To bring an external service under Istio control (policies, telemetry), create a `ServiceEntry`. Remember that the default outbound traffic policy is `ALLOW_ANY`, so a sidecar can still reach hosts that have no `ServiceEntry`; set `REGISTRY_ONLY` (mesh-wide in `meshConfig.outboundTrafficPolicy`, or per namespace in a `Sidecar`) if unknown hosts should be blocked.
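An egress example, added here and not taken from the module: an external HTTPS API is registered with a `ServiceEntry` and then forced through the egress gateway so that every connection to it shows up in one place. The hostname `api.example.com` is a placeholder; the `istio-egressgateway` deployment in `istio-system` (installed by Istio's default profile) is assumed to exist. The two-hop layout, sidecar to gateway and gateway to the real host, is the TLS-passthrough pattern from Istio's egress gateway documentation.

```yaml
# Added example, not from the original module. api.example.com is a placeholder.
#
# 1. ServiceEntry: put the external host in the service registry so that
#    sidecars know it, telemetry is reported per host, and REGISTRY_ONLY
#    sidecars are permitted to reach it at all.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: api-example-com
  namespace: istio-system       # default exportTo makes it visible mesh-wide
spec:
  hosts:
  - api.example.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 443
    name: tls
    protocol: TLS
---
# 2. Gateway: open port 443 on the egress gateway for that host and pass the
#    client's TLS session through untouched; the gateway routes on SNI only,
#    so end-to-end TLS from the workload to the API is preserved.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway        # label on the default egress gateway pods
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - api.example.com
    tls:
      mode: PASSTHROUGH
---
# 3. VirtualService with two hops. Rule one applies in "mesh" (every sidecar)
#    and sends the SNI api.example.com to the egress gateway. Rule two applies
#    on the gateway and sends it to the real host; the ServiceEntry above is
#    what makes that second destination routable.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: api-example-com-via-egress
  namespace: istio-system
spec:
  hosts:
  - api.example.com
  gateways:
  - mesh
  - istio-egressgateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - api.example.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 443
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - api.example.com
    route:
    - destination:
        host: api.example.com
        port:
          number: 443
```

After applying, `kubectl logs -n istio-system -l istio=egressgateway` shows one access-log line per connection to `api.example.com`, which is the observability win. The security caveat: Istio only steers traffic that passes through a sidecar. A pod whose sidecar was bypassed, a pod without injection, or a `hostNetwork` pod can still reach the API directly, so an egress gateway is an audit and policy point, not a perimeter; pair it with a Kubernetes `NetworkPolicy` that only allows the gateway pods to open connections to the outside, and with `REGISTRY_ONLY` so sidecars cannot reach hosts that lack a `ServiceEntry`.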
Connection limits, rate limiting, and fault injection
- Connection limits live in `DestinationRule` under `trafficPolicy.connectionPool`. Examples:
  - `tcp.maxConnections`
  - `http.http2MaxRequests`
  - `http.http1MaxPendingRequests` (for HTTP/1)
- Request-rate limiting is typically implemented via Envoy rate-limit filters (local, or global with an external rate-limit service) configured through an `EnvoyFilter` resource, rather than via VirtualService/DestinationRule fields.
- Fault injection belongs to `VirtualService`. You can:
  - Inject fixed delays (seconds) for a given percentage of traffic.
  - Abort requests with a specified HTTP status code for some traffic percentage.
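One pair of manifests, added as an example and not part of the module, that places every behaviour from the "what goes where" table, the mirroring and circuit-breaking section, and the connection-limit and fault-injection section above in its correct resource. A Service `reviews` in namespace `prod` with pods labelled `version: v1`, `v2` and `v3` is assumed; the header name `x-canary` and all numeric limits are placeholder values to tune for a real service.

```yaml
# Added example, not the module's own manifests. Service "reviews" with pods
# labelled version=v1/v2/v3 in namespace "prod" is a placeholder.
#
# DestinationRule: subsets plus destination-side policy (load balancing,
# connection-pool limits, outlier detection). Nothing here decides where a
# request goes; it describes what happens once the host has been chosen.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: prod
spec:
  host: reviews
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST
    connectionPool:
      tcp:
        maxConnections: 100            # TCP connections to the upstream pool
      http:
        http1MaxPendingRequests: 50    # HTTP/1.1 requests queued for a connection
        http2MaxRequests: 200          # concurrent in-flight requests
        maxRequestsPerConnection: 100  # recycle connections periodically
    outlierDetection:                  # circuit breaker on observed failures
      consecutive5xxErrors: 5          # eject a host after 5 consecutive 5xx
      interval: 10s                    # how often ejection is evaluated
      baseEjectionTime: 30s            # 30s times the number of past ejections
      maxEjectionPercent: 50           # never remove more than half the pool
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
---
# VirtualService: runtime routing. Rules are evaluated top-down, first match
# wins. Explicit canary users (x-canary header) go to v2; everyone else is
# split 90/10 between v1 and v2, with a copy of each request shadowed to v3
# and the shadow response discarded. Retries are bounded by a per-try and an
# overall timeout. The abort fault belongs only in a staging copy of this
# manifest: it returns 503 to 1% of requests so callers' error handling is
# exercised. Remove it before shipping the VirtualService to production.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: prod
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        x-canary:
          exact: "true"
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
    mirror:
      host: reviews
      subset: v3
    mirrorPercentage:
      value: 100.0                     # default is 100; lower it to sample
    timeout: 10s                       # overall deadline, retries included
    retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: 5xx,reset,connect-failure
    fault:
      abort:
        percentage:
          value: 1.0
        httpStatus: 503
```

Two practitioner notes on the numbers. Retries amplify load: with `attempts: 3` a saturated backend can see up to four times the offered traffic, which is why the retry budget is paired with `outlierDetection` (so repeatedly failing hosts stop receiving retries) and an overall `timeout` (so a caller is not held open for the sum of all attempts). And a header-based canary rule like the first one is a routing convenience, not an access control: any client can set `x-canary: true`, so gate the canary with an `AuthorizationPolicy` if reaching v2 must be restricted.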

Waypoint proxies and HTTPRoute (brief)
- In ambient mode workloads run without a sidecar: the per-node ztunnel handles L4 mTLS, and a waypoint proxy is an optional Envoy deployment that provides a single, centralized L7 hop for traffic destined to the services enrolled in it (typically all services in a namespace). Larger deployments use it so that L7 routing, authorization, and telemetry are enforced in one place rather than in every pod.
- HTTPRoute (part of the Kubernetes Gateway API) can be used for advanced routing scenarios alongside waypoint proxies, with the Kubernetes Service as the route's parent.
- For exam-level coverage (the ICA exam or the KodeKloud course referenced in the module), you are more likely to be asked to opt namespaces into ambient mode and deploy a waypoint than to write complex routing. Make sure you can:
  - Label a namespace for ambient mode (`istio.io/dataplane-mode=ambient`).
  - Deploy a waypoint proxy and enroll the namespace, or individual services, in it (`istio.io/use-waypoint=<waypoint-name>`; `istioctl waypoint apply --enroll-namespace` performs both steps).
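The opt-in steps above as manifests, added as an example and not part of the module. Namespace `prod` and the Services `reviews`, `reviews-v1` and `reviews-v2` on port 9080 are placeholders; the label names and the `istio-waypoint` gateway class are those used by Istio 1.22 and later, and the `Gateway` block is the shape `istioctl waypoint generate` prints.

```yaml
# Added example, not from the original module. Namespace "prod" and the
# reviews / reviews-v1 / reviews-v2 Services are placeholders.
#
# 1. Opt the namespace into ambient mode. Pods get no sidecar; ztunnel on each
#    node handles L4 mTLS. The use-waypoint label enrolls every Service in the
#    namespace in the waypoint named below (use the same label on a single
#    Service to enroll only that Service).
apiVersion: v1
kind: Namespace
metadata:
  name: prod
  labels:
    istio.io/dataplane-mode: ambient
    istio.io/use-waypoint: waypoint
---
# 2. The waypoint itself is a Gateway-API Gateway with the istio-waypoint
#    class. HBONE on 15008 is the tunnel protocol ztunnel uses to hand
#    traffic to the waypoint; there is nothing else to expose.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: prod
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# 3. L7 routing enforced at the waypoint: an HTTPRoute whose parent is the
#    Kubernetes Service (group "" and kind Service, not a Gateway) splits
#    traffic for "reviews" 90/10 between the two versioned Services.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: reviews
  namespace: prod
spec:
  parentRefs:
  - group: ""
    kind: Service
    name: reviews
    port: 9080
  rules:
  - backendRefs:
    - name: reviews-v1
      port: 9080
      weight: 90
    - name: reviews-v2
      port: 9080
      weight: 10
```

`istioctl waypoint list -n prod` should show the waypoint as programmed, and `kubectl get gateway -n prod` shows the address ztunnel will tunnel to. If the waypoint pod is not running, traffic to the enrolled services fails rather than falling back to L4-only handling, so treat the waypoint like any other critical deployment (replicas, resource requests, PodDisruptionBudget).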

Tip: For exam prep and practical use, memorize where each behavior belongs: VirtualService for routing/faults/mirroring, DestinationRule for subsets/circuit-breaking/connection pools, PeerAuthentication for mTLS, and Sidecar for egress scoping.