Service Mesh: Using Istio to route TCP traffic based on Client IP in Virtual Service

Question

Ingress gateway is located behind AWS ELB(classic) using nodeport and I want to route TCP traffic in Virtual Service based on client ip.

Of course Proxy Protocol of ELB is enabled.

When I use HTTP, it works. The configuration is below.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app-vservice
  namespace: test
spec:
  hosts:
  - "app-service"
  http:
  - match:
    - headers:
        x-forwarded-for:
          exact: 123.123.123.123
    route:
    - destination:
        host: app-service
        subset: v2
  - route:
    - destination:
        host: app-service
        subset: v1

But I can't find headers field of TCP route in official documents.

Is it impossible?

Thank you.

redzack redzack · Accepted Answer · 2020-06-05T04:34:42

According to docs yes there is no field to pass headers in TCPRoute in Istio. Also to answer your question every header manipulation should be done using envoy filters because Istio, built on envoy supports that and also decreases the complexity.

Using envoy and lua filters as stated in Istio docs. It can be achieved. Please follow envoy docs.

Checkout the Istio Discussion for headers in Virtual Service.

For implementation of the same using Lua. And a blog showing an example how to implement filters on envoy.

Service Mesh: Using Istio to route TCP traffic based on Client IP in Virtual Service

1 Answers