Connection to MySQL (AWS RDS) in Istio

1
votes

We have a issue where connecting to AWS RDS in Istio Service Mesh is results in upstream connect error or disconnect/reset before header . Our Egress rule is as below 

 apiVersion: config.istio.io/v1alpha2
 kind: EgressRule
 metadata:
     namespace: <our-namespace>
     name: rds-egress-rule-with
 spec:
     destination:
     service: <RDS End point> 
 ports:
     - port: 80
       protocol: http
     - port: 443
       protocol: https
     - port: 3306
       protocol: https

The connection to MySQL works fine in a stand alone MySQL in EC2. The connection to AWS RDS works fine without Istio. The problem only occurs in Istio Service Mesh.

We are using istio in Disabled Mutual TLS Configuration.

1
mysqlamazon-web-serviceskubernetesamazon-rdsistio

1 Answers

2
votes

The protocol in your EgressRule definition should be tcp. The service should contain the IP address or a range of IP addresses in CIDR notation.

Alternatively, you can use the --includeIPRanges flag of istioctl kube-inject, to specify which IP ranges are handled by Istio. Istio will not interfere with the the not-included IP addresses and will just allow the traffic to pass thru.

References:

  1. https://istio.io/latest/blog/2018/egress-tcp/
  2. https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services