Protocol Selection

 2 minute read  

Istio supports proxying any TCP traffic. This includes HTTP, HTTPS, gRPC, as well as raw TCP protocols. In order to provide additional capabilities, such as routing and rich metrics, the protocol must be determined. This can be done automatically or explicitly specified.

Non-TCP based protocols, such as UDP, are not proxied. These protocols will continue to function as normal, without any interception by the Istio proxy but cannot be used in proxy-only components such as ingress or egress gateways.

Automatic protocol selection

Istio can automatically detect HTTP and HTTP/2 traffic. If the protocol cannot automatically be determined, traffic will be treated as plain TCP traffic.

Explicit protocol selection

Protocols can be specified manually in the Service definition.

This can be configured in two ways:

  • By the name of the port: name: <protocol>[-<suffix>].
  • In Kubernetes 1.18+, by the appProtocol field: appProtocol: <protocol>.

Note that behavior at the Gateway differs in some cases as the gateway can terminate TLS and the protocol can be negotiated.

The following protocols are supported:

ProtocolSidecar PurposeGateway Purpose
httpPlaintext HTTP/1.1 trafficPlaintext HTTP (1.1 or 2) traffic
http2Plaintext HTTP/2 trafficPlaintext HTTP (1.1 or 2) traffic
httpsTLS Encrypted data. Because the Sidecar does not decrypt TLS traffic, this is the same as tlsTLS Encrypted HTTP (1.1 or 2) traffic
tcpOpaque TCP data streamOpaque TCP data stream
tlsTLS Encrypted dataTLS Encrypted data
grpcSame as http2Same as http2
grpc-web, mongo, mysql, redisExperimental application protocol support. To enable them, configure the corresponding Pilot environment variables. If not enabled, treated as opaque TCP data streamExperimental application protocol support. To enable them, configure the corresponding Pilot environment variables. If not enabled, treated as opaque TCP data stream

Below is an example of a Service that defines a https port by appProtocol and an http port by name:

kind: Service
metadata:
  name: myservice
spec:
  ports:
  - number: 3306
    name: database
    appProtocol: https
  - number: 80
    name: http-web
Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!