Connection to MySQL (AWS RDS) in Istio

5/14/2018

We have an issue where connecting to AWS RDS in the Istio Service Mesh results in "upstream connect error or disconnect/reset before header". Our Egress rule is as below:

 apiVersion: config.istio.io/v1alpha2
 kind: EgressRule
 metadata:
     namespace: <our-namespace>
     name: rds-egress-rule-with
 spec:
     destination:
         service: <RDS End point>
     ports:
         - port: 80
           protocol: http
         - port: 443
           protocol: https
         - port: 3306
           protocol: https

The connection to MySQL works fine with a standalone MySQL in EC2. The connection to AWS RDS works fine without Istio. The problem only occurs in the Istio Service Mesh.

We are using Istio in the Disabled Mutual TLS configuration.

-- Anuranjit Maindola
amazon-rds
amazon-web-services
istio
kubernetes
mysql

1 Answer

5/14/2018

The protocol in your EgressRule definition should be tcp. The service should contain the IP address or a range of IP addresses in CIDR notation.

Alternatively, you can use the --includeIPRanges flag of istioctl kube-inject to specify which IP ranges are handled by Istio. Istio will not interfere with the not-included IP addresses and will just allow the traffic to pass through.

References:

  1. https://istio.io/docs/tasks/traffic-management/egress-tcp.html
  2. https://istio.io/blog/2018/egress-tcp.html
  3. https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
-- Vadim Eisenberg
Source: StackOverflow
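
The two points in the answer (protocol tcp on the MySQL port, destination given as an IP or CIDR) can be checked before a rule is applied. The following is an added example, not code from the question, the answer or the Istio project; the function names, the "demo" namespace, the placeholder hostname and the 10.0.x.x addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed dict form of the rule in the question. The hostname is a
# placeholder standing in for "<RDS End point>", not a real instance.
QUESTION_RULE = {
    "apiVersion": "config.istio.io/v1alpha2",
    "kind": "EgressRule",
    "metadata": {"namespace": "demo", "name": "rds-egress-rule-with"},
    "spec": {
        "destination": {"service": "db.example.invalid"},
        "ports": [
            {"port": 80, "protocol": "http"},
            {"port": 443, "protocol": "https"},
            {"port": 3306, "protocol": "https"},
        ],
    },
}

def is_ip_or_cidr(value):
    """True for '10.0.1.5' or '10.0.0.0/16', False for a DNS name."""
    try:
        ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return True

def check_tcp_egress(rule, tcp_ports=(3306,)):
    """List what the answer flags, for ports known to carry raw TCP."""
    findings = []
    service = rule["spec"]["destination"]["service"]
    for entry in rule["spec"]["ports"]:
        if entry["port"] not in tcp_ports:
            continue
        if entry["protocol"].lower() != "tcp":
            findings.append(f"port {entry['port']}: protocol should be tcp")
        if not is_ip_or_cidr(service):
            findings.append(f"port {entry['port']}: destination must be IP/CIDR")
    return findings

def tcp_rule(name, namespace, cidr, port=3306):
    """Build the shape the answer describes; raises ValueError on hostnames."""
    network = ipaddress.ip_network(cidr, strict=False)
    spec = {"destination": {"service": str(network)},
            "ports": [{"port": port, "protocol": "tcp"}]}
    return {"apiVersion": "config.istio.io/v1alpha2", "kind": "EgressRule",
            "metadata": {"namespace": namespace, "name": name}, "spec": spec}
```

An RDS endpoint is a DNS name whose address can change, so a rule pinned to an IP or CIDR has to be regenerated when it does.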