Gateways

A gateway is a proxy at the edge of an ambient mesh. A Gateway can be used to allow traffic to ingress or egress.

Creating an ingress gateway

Like waypoints, gateways are deployed using the Kubernetes Gateway API. A simple deployment looks like this:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All

The gatewayClassName must be set to istio for the Istio control plane to create and manage the gateway. The default is to create a LoadBalancer service, which on most cloud providers will cause a load balancer to be provisioned.

Annotations and labels on the Gateway will be copied to the Service and Deployment that are created. This allows configuring things such as internal load balancers that read from these fields.

Attaching a route to a gateway

Route objects are attached to either gateways or waypoints based on their parentRefs value. See the request routing guide for the differences.

Gateways and waypoints

Both gateways and waypoints can be used to route traffic or perform authentication.

The default behavior of Istio is to send traffic that transits a gateway to the destination directly, even if that destination is enrolled in a waypoint. This is to avoid cases of double handling, for example, where rules for traffic splitting or fault injection could be applied twice.

However, because traffic from the gateway bypasses the waypoint by default, you have to add certain policies on both the gateway and the waypoint.

You can enable ingress waypoint routing on a service, such that traffic will be sent from the gateway to the configured waypoint, not to the destination service. To do this, set the label istio.io/ingress-use-waypoint=true on a service.

If you enable this feature, we recommend the following setup:

  • Gateway: apply minimal routing logic; strictly enough to pick a backend. Apply policies that only apply at the edge (for example, rate limiting or user authentication).
  • Waypoints: apply all other logic.
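
The recommended split, sketched as manifests. This is an added example, not configuration from the Istio documentation; the httpbin Service and its port, the waypoint name "waypoint", the hostname, the route names and the header are assumptions. Only httpbin-gateway and the istio.io/ingress-use-waypoint label come from this page.

```yaml
# Constructed example: the Service opts in to ingress waypoint routing.
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    istio.io/use-waypoint: waypoint        # enrolls the service in a waypoint (assumed name)
    istio.io/ingress-use-waypoint: "true"  # gateway traffic goes via that waypoint
spec:
  selector:
    app: httpbin
  ports:
  - port: 8000
---
# Edge route, attached to the gateway: only enough logic to pick a backend.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-edge
spec:
  parentRefs:
  - name: httpbin-gateway
  hostnames:
  - "httpbin.example.com"
  rules:
  - backendRefs:
    - name: httpbin
      port: 8000
---
# Waypoint route, attached to the Service: all other logic lives here,
# so it is applied once for both ingress and in-mesh callers.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-mesh
spec:
  parentRefs:
  - group: ""
    kind: Service
    name: httpbin
  rules:
  - filters:
    - type: RequestHeaderModifier
      requestHeaderModifier:
        set:
        - name: x-route-stage
          value: waypoint
    backendRefs:
    - name: httpbin
      port: 8000
```

Without the istio.io/ingress-use-waypoint label, requests arriving through httpbin-gateway would go straight to httpbin and the second route would not be applied to them.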

Adding TLS certificates to a gateway

Refer to the Gateway API documentation for how to configure a Gateway with TLS certificates.

Using gateways for egress

Check the egress gateway guide to learn how to configure an egress gateway.