How to troubleshoot traffic route LB to Istio Gateway to Virtual service to Pod(application)

Kasala, Balaji 0 Reputation points
2025-12-10T20:20:03.3533333+00:00

We are not able to trace and identify where traffic is failing while accessing the application site.

Load Balancer -> Istio Gateway -> Virtual service -> Pod(application)

From a couple of tests, it seems the request reaches the LB, but we are unable to trace it further.

Azure Kubernetes Service

2 answers

  1. Q&A Assist
    2025-12-10T20:20:30.17+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To troubleshoot the traffic flow from the Load Balancer to the Istio Gateway, then to the Virtual Service, and finally to the Pod (application), you can follow these steps:

    1. Check Load Balancer Health Probes: Ensure that the Azure Load Balancer health probes are configured correctly. If the health probes are failing, it can block traffic from reaching the Istio Gateway. You can customize the health probe settings by adding annotations to the Gateway object or the GatewayClass ConfigMap.
    2. Inspect Firewall and NSG Rules: Verify that there are no firewall or Network Security Group (NSG) rules blocking ingress traffic to the Istio Gateway. Ensure that the rules allow traffic to the necessary subnets, especially if the ingress gateway pods are scheduled onto system node pools.
    3. Validate Gateway and Virtual Service Configurations: Ensure that the configurations for gateways, virtual services, and destination rules are correct. Check that the ingress gateway selector in the gateway resource matches the expected values, and confirm that the ports are set correctly in both the gateway and virtual service configurations.
    4. Analyze Traffic Flow: Use tools like kubectl to check the status of the Istio Gateway and the associated Virtual Service. You can also enable access logs in Istio to trace the requests and see where they might be failing.
    5. Check Pod Status: Ensure that the Pods are running and ready to accept traffic. You can check the Pod logs for any errors that might indicate why the application is not responding.

    By following these steps, you should be able to identify where the traffic is failing in the route from the Load Balancer to the application.



  2. Jilakara Hemalatha 6,055 Reputation points Microsoft External Staff Moderator
    2025-12-11T01:17:53.77+00:00

    Hi Kasala, Balaji

    Thank you for reaching out on Q&A. Based on the description, there are some challenges tracing traffic from the Load Balancer through the Istio Gateway, Virtual Service, and finally to your application Pod. Here’s a detailed approach you can take to troubleshoot the issue:

    1. Verify Application Pod Status:
    • Start by ensuring that your Pods are running correctly and that the application inside them is responsive. You can check this using the commands:
        kubectl get pods
        kubectl logs <pod-name>

    2. Check Service Reachability:
    • Ensure that the Pod can be reached from the corresponding Service. You can do this by executing:
        kubectl exec -ti <pod-name> -- curl http://<service-ip>:<service-port>

    3. Inspect Load Balancer Configuration:
    • Make sure that the health probes for the Load Balancer are configured correctly so that they can communicate with your Istio Gateway. Look for any failing health probes by checking the LoadBalancer in the Azure portal.
    • You can add annotations to the Gateway for the health probe configuration if needed:
        service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/healthz/ready"

    4. Check Network Security Groups (NSGs):
    • Confirm that no NSGs are blocking traffic to the Istio Gateway. Make sure that both the user node pools and system node pools are properly configured to allow required traffic.

    5. Validate Istio Gateway and Virtual Service Configuration:
    • Ensure that your Gateway and Virtual Service specifications are correct. Make sure that the Gateway selectors and port configurations match. Ports should typically be 80 for HTTP and 443 for HTTPS.
    • Cross-namespace routing should also be correctly configured if you are routing between different namespaces.

    6. Check Istiod Status:
    • Ensure that the Istio control plane (istiod) is healthy, as the ingress gateway relies on it. Use:
        kubectl get pods -n istio-system

    7. Logs and Events:
    • Review the logs for both the Istio Gateway and virtual service. You can gather more insights by executing:
        kubectl logs <gateway-pod-name> -n istio-system

    8. Any firewall settings outside of Azure that could be blocking traffic should be checked as well.

    These steps should give you a good start on identifying where traffic is failing. If you're still having trouble, consider providing further details such as:

    • The specific error messages or symptoms you're encountering.
    • The configuration snippets for your Istio Gateway and Virtual Service.
    • The results from the health checking commands above.

    Hope this helps! Please let me know if you have any queries in comments.
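
The first answer suggests enabling Istio access logs and the second pulls the gateway logs with `kubectl logs`; as an added example that is not part of either answer, the shell function below reads those log lines and maps Envoy's response flags to the hop that most likely failed. It assumes Istio's default text access-log format with access logging enabled; the function names, hop labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Live use, with the command from the answer:
#   kubectl logs <gateway-pod-name> -n istio-system | classify_gateway_log
# Assumes Istio's default text access-log format and that access logging is on.

classify_gateway_log() {
  awk '
    {
      # Split on double quotes: q[2] is the request line and q[3] begins
      # with the response code followed by the Envoy response flags.
      if (split($0, q, "\"") < 3) next
      if (split(q[3], f, " ") < 2) next
      code = f[1]; flags = f[2]; fl = "," flags ","; seen++
      if      (fl ~ /,NR,/) hop = "virtualservice:no-route-matched"
      else if (fl ~ /,NC,/) hop = "virtualservice:destination-cluster-not-found"
      else if (fl ~ /,UH,/) hop = "pod:no-healthy-endpoints"
      else if (fl ~ /,UF,/) hop = "pod:connection-failed"
      else if (fl ~ /,UT,/) hop = "pod:request-timeout"
      else if (fl ~ /,UC,/) hop = "pod:connection-closed"
      else if (fl ~ /,DC,/) hop = "client-or-lb:downstream-closed"
      else if (code + 0 >= 500) hop = "application:returned-error"
      else hop = "ok"
      print code, flags, hop
    }
    # No parsable entries: nothing reached the gateway, so look at the
    # load balancer health probes and NSG rules first.
    END { if (!seen) print "- - lb-or-nsg:nothing-reached-gateway" }
  '
}

# Constructed sample lines, cut down to the leading access-log fields.
sample_log() {
  cat <<'EOF'
[2025-12-10T20:25:01.000Z] "GET / HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 -
[2025-12-10T20:25:02.000Z] "GET / HTTP/1.1" 503 UH no_healthy_upstream - "-" 0 19 0 -
[2025-12-10T20:25:03.000Z] "GET / HTTP/1.1" 500 - via_upstream - "-" 0 21 7 6
[2025-12-10T20:25:04.000Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 512 12 11
EOF
}

sample_log | classify_gateway_log
```

An `NR` result points at the Gateway hosts or the VirtualService binding, while `UH` points at a Service with no ready endpoints behind the route.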
