Skill


istio-traffic-management

Configure Istio traffic management including routing, load balancing, circuit breakers, and canary deployments. Use when implementing service mesh traffic policies, progressive delivery, or resilience patterns.

Free · risk: medium

The full skill

---
name: istio-traffic-management
description: Configure Istio traffic management including routing, load balancing, circuit breakers, and canary deployments. Use when implementing service mesh traffic policies, progressive delivery, or resilience patterns.
---

# Istio Traffic Management

Comprehensive guide to Istio traffic management for production service mesh deployments.

## When to Use This Skill

- Configuring service-to-service routing
- Implementing canary or blue-green deployments
- Setting up circuit breakers and retries
- Load balancing configuration
- Traffic mirroring for testing
- Fault injection for chaos engineering

## Core Concepts

### 1. Traffic Management Resources

| Resource            | Purpose                       | Scope         |
| ------------------- | ----------------------------- | ------------- |
| **VirtualService**  | Route traffic to destinations | Host-based    |
| **DestinationRule** | Define policies after routing | Service-based |
| **Gateway**         | Configure ingress/egress      | Cluster edge  |
| **ServiceEntry**    | Add external services         | Mesh-wide     |

### 2. Traffic Flow

```
Client → Gateway → VirtualService → DestinationRule → Service
                   (routing)        (policies)        (pods)
```

## Templates

### Template 1: Basic Routing

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews-route
  namespace: bookinfo
spec:
  hosts:
    - reviews
  http:
    - match:
        - headers:
            end-user:
              exact: jason
      route:
        - destination:
            host: reviews
            subset: v2
    - route:
        - destination:
            host: reviews
            subset: v1
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews-destination
  namespace: bookinfo
spec:
  host: reviews
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
    - name: v3
      labels:
        version: v3
```

### Template 2: Canary Deployment

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service-canary
spec:
  hosts:
    - my-service
  http:
    - route:
        - destination:
            host: my-service
            subset: stable
          weight: 90
        - destination:
            host: my-service
            subset: canary
          weight: 10
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: my-service-dr
spec:
  host: my-service
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        h2UpgradePolicy: UPGRADE
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
  subsets:
    - name: stable
      labels:
        version: stable
    - name: canary
      labels:
        version: canary
```

### Template 3: Circuit Breaker

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: circuit-breaker
spec:
  host: my-service
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
        maxRequestsPerConnection: 10
        maxRetries: 3
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
      minHealthPercent: 30
```

### Template 4: Retry and Timeout

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ratings-retry
spec:
  hosts:
    - ratings
  http:
    - route:
        - destination:
            host: ratings
      timeout: 10s
      retries:
        attempts: 3
        perTryTimeout: 3s
        retryOn: connect-failure,refused-stream,unavailable,cancelled,retriable-4xx,503
        retryRemoteLocalities: true
```

### Template 5: Traffic Mirroring

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: mirror-traffic
spec:
  hosts:
    - my-service
  http:
    - route:
        - destination:
            host: my-service
            subset: v1
      mirror:
        host: my-service
        subset: v2
      mirrorPercentage:
        value: 100.0
```

### Template 6: Fault Injection

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: fault-injection
spec:
  hosts:
    - ratings
  http:
    - fault:
        delay:
          percentage:
            value: 10
          fixedDelay: 5s
        abort:
          percentage:
            value: 5
          httpStatus: 503
      route:
        - destination:
            host: ratings
```

### Template 7: Ingress Gateway

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: my-tls-secret
      hosts:
        - "*.example.com"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-vs
spec:
  hosts:
    - "api.example.com"
  gateways:
    - my-gateway
  http:
    - match:
        - uri:
            prefix: /api/v1
      route:
        - destination:
            host: api-service
            port:
              number: 8080
```

## Load Balancing Strategies

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: load-balancing
spec:
  host: my-service
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN # or LEAST_CONN, RANDOM, PASSTHROUGH
---
# Consistent hashing for sticky sessions
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: sticky-sessions
spec:
  host: my-service
  trafficPolicy:
    loadBalancer:
      consistentHash:
        httpHeaderName: x-user-id
        # or: httpCookie, useSourceIp, httpQueryParameterName
```

## Best Practices

### Do's

- **Start simple** - Add complexity incrementally
- **Use subsets** - Version your services clearly
- **Set timeouts** - Always configure reasonable timeouts
- **Enable retries** - But with backoff and limits
- **Monitor** - Use Kiali and Jaeger for visibility

### Don'ts

- **Don't over-retry** - Can cause cascading failures
- **Don't ignore outlier detection** - Enable circuit breakers
- **Don't mirror to production** - Mirror to test environments
- **Don't skip canary** - Test with small traffic percentage first

## Debugging Commands

```bash
# Check VirtualService configuration
istioctl analyze

# View effective routes
istioctl proxy-config routes deploy/my-app -o json

# Check endpoint discovery
istioctl proxy-config endpoints deploy/my-app

# Debug traffic
istioctl proxy-config log deploy/my-app --level debug
```
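
A review-time check for the mistakes the templates and best practices above are prone to: a route or mirror pointing at a subset no DestinationRule declares, a retry budget that cannot fit inside the route timeout, retries with no timeout at all, and fault injection left active. This is an added example, not part of the original skill; it takes manifests as Python dicts (for instance the `items` array of `kubectl get virtualservice,destinationrule -A -o json`), and `lint`, `seconds` and `SAMPLE` are names assumed here, with hosts compared exactly as written and a missing namespace treated as `default`.

```python
import re

def seconds(d):
    """Parse single-unit durations such as '10s' or '500ms'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|s|m|h)", d)
    if not m:
        raise ValueError(f"unsupported duration: {d!r}")
    return float(m.group(1)) * {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}[m.group(2)]

def lint(items):
    """Return sorted (VirtualService name, finding) pairs for manifest dicts."""
    declared, out = {}, set()
    for r in items:  # subsets declared by DestinationRules, per namespace and host
        if r["kind"] == "DestinationRule":
            key = (r["metadata"].get("namespace", "default"), r["spec"]["host"])
            declared.setdefault(key, set()).update(
                s["name"] for s in r["spec"].get("subsets", []))
    for r in (i for i in items if i["kind"] == "VirtualService"):
        ns, name = r["metadata"].get("namespace", "default"), r["metadata"]["name"]
        for http in r["spec"].get("http", []):
            routes = http.get("route", [])
            dests = [x["destination"] for x in routes] + ([http["mirror"]] if "mirror" in http else [])
            for d in dests:  # simplification: short and fully qualified hosts are not unified
                if "subset" in d and d["subset"] not in declared.get((ns, d["host"]), ()):
                    out.add((name, f"undeclared subset {d['host']}/{d['subset']}"))
            retries = http.get("retries")
            if retries and "timeout" not in http:
                out.add((name, "retries without an overall timeout"))
            elif retries and "perTryTimeout" in retries:
                tries = 1 + retries["attempts"]  # attempts counts retries, not the first try
                if tries * seconds(retries["perTryTimeout"]) > seconds(http["timeout"]):
                    out.add((name, "worst-case tries exceed the route timeout"))
            if "fault" in http:
                out.add((name, "fault injection is active"))
    return sorted(out)

# Constructed sample: Template 2 with a misspelled subset, Template 4 with a 5s per-try timeout.
SAMPLE = [
    {"kind": "DestinationRule", "metadata": {"name": "my-service-dr"},
     "spec": {"host": "my-service", "subsets": [{"name": "stable"}, {"name": "canary"}]}},
    {"kind": "VirtualService", "metadata": {"name": "my-service-canary"}, "spec": {"http": [
        {"route": [{"destination": {"host": "my-service", "subset": "stable"}, "weight": 90},
                   {"destination": {"host": "my-service", "subset": "canry"}, "weight": 10}]}]}},
    {"kind": "VirtualService", "metadata": {"name": "ratings-retry"}, "spec": {"http": [
        {"route": [{"destination": {"host": "ratings"}}], "timeout": "10s",
         "retries": {"attempts": 3, "perTryTimeout": "5s"}}]}},
]
```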