Traffic Management

This page covers the traffic management features available in Service Mesh.

Traffic Management Features Overview

Adding Service Mesh to your application provides traffic management features. By default, Service Mesh denies external requests and requests between services. Ingress gateways must be configured with routing rules to route external traffic to virtual services. Access policies are required to allow traffic between virtual services. In addition, access policies can be configured to allow egress traffic to external services.

Service Mesh virtual deployments let you perform canary deployments. Different versions of a virtual service can be tracked with virtual deployments. When you publish a new version of your code to production, a virtual service route table can be configured to allow a portion of traffic to reach it. That way, new features are deployed more quickly and with the least amount of disturbance to your application. Routing rules are flexible and, along with access policies, govern all inter-service communication inside the mesh.

Routing Traffic in a Virtual Service

When traffic is directed toward a virtual service, it needs to be forwarded to a virtual deployment. To forward the traffic, the virtual service evaluates the rules specified in the attached virtual service route tables. The virtual service processes virtual service route tables based on priority ordering. The first route rule that is matched is applied and the traffic is directed to the virtual deployments listed in the matched route rule.

If no virtual service route tables are defined for the virtual service, the default routing policy is used to direct traffic to the virtual deployments.

  • Uniform: If the routing policy is Uniform, then traffic is uniformly split across the virtual deployments.
  • Deny: If the routing policy is Deny, then the traffic is blocked or dropped.

To enforce that traffic is only directed to virtual deployments when virtual service route rules are matched, set the default routing policy to Deny. That way, only traffic matching a rule is forwarded. All other traffic is blocked.
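
The evaluation order described above, modelled as an added example (not Service Mesh code or its API), together with a check that lists virtual services whose default routing policy is not Deny. The class names, path-prefix matching, the "lower number is evaluated first" priority convention and the sample services are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RouteRule:
    path_prefix: str   # assumed match criterion (hypothetical)
    targets: dict      # virtual deployment name -> traffic weight in percent

@dataclass
class RouteTable:
    priority: int      # assumption: lower number is evaluated first
    rules: list

@dataclass
class VirtualService:
    name: str
    deployments: list
    default_policy: str = "UNIFORM"   # "UNIFORM" or "DENY"
    route_tables: list = field(default_factory=list)

def resolve(vs, path):
    """Return {deployment: weight} for a request path, or None if it is blocked."""
    for table in sorted(vs.route_tables, key=lambda t: t.priority):
        for rule in table.rules:
            if path.startswith(rule.path_prefix):
                return dict(rule.targets)      # first matched rule is applied
    # No rule matched (or no route tables exist): the default policy decides.
    # Assumption: UNIFORM is also applied when tables exist but nothing matches;
    # the page states the unmatched-traffic behaviour only for DENY.
    if vs.default_policy == "DENY" or not vs.deployments:
        return None
    share = 100 / len(vs.deployments)
    return {d: share for d in vs.deployments}

def audit(services):
    """Names of virtual services that still forward traffic no rule matched."""
    return [vs.name for vs in services if vs.default_policy != "DENY"]

# Constructed sample data: a canary split behind DENY, and a service left on UNIFORM.
canary = VirtualService("pets", ["pets-v1", "pets-v2"], "DENY", [
    RouteTable(2, [RouteRule("/api", {"pets-v2": 100}),
                   RouteRule("/static", {"pets-v1": 100})]),
    RouteTable(1, [RouteRule("/api", {"pets-v1": 90, "pets-v2": 10})]),
])
legacy = VirtualService("legacy", ["legacy-v1", "legacy-v2"])

if __name__ == "__main__":
    for svc, path in [(canary, "/api/list"), (canary, "/health"), (legacy, "/x")]:
        print(svc.name, path, resolve(svc, path))
    print("default policy not DENY:", audit([canary, legacy]))
```
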