How do you handle non-HTTP (TCP) traffic in Istio?
Istio & Service Mesh · Intermediate level
Answer
Istio can handle non-HTTP TCP traffic with L4 routing, mTLS, telemetry, and authorization based on ports, IPs, principals, and services. It cannot apply HTTP path, method, or header rules to opaque TCP traffic.
Technical explanation
Protocol detection depends on service port names and traffic behavior, so port naming matters.
For raw TCP, VirtualService tcp routes and AuthorizationPolicy TCP rules are used.
For databases and stateful protocols, test connection pooling, long-lived connections, and failover behavior carefully.
Hands-on example
TCP ServiceEntry example for an external DB:
ports:
- number: 5432
  name: tcp-postgres
  protocol: TCP
Then a policy can allow only the app's service account to reach that port.
Test with psql and watch Envoy TCP connection metrics rather than HTTP response-code metrics.
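The policy step above, as an added example that is not from the original page: an ALLOW rule that mixes in an HTTP-only field next to the L4-only form that works for opaque TCP. The namespace `data`, the label `app: postgres`, and the service account `orders` in namespace `app` are assumptions, as is a Postgres workload that runs inside the mesh behind a sidecar.

```yaml
# Constructed example. Apply ONE of the two policies, not both.

# Ineffective for TCP: the rule carries an HTTP-only field.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: postgres-allow-app-http-field   # hypothetical name
  namespace: data                       # assumed namespace of the DB workload
spec:
  selector:
    matchLabels:
      app: postgres                     # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/app/sa/orders"]
    to:
    - operation:
        ports: ["5432"]
        methods: ["GET"]   # HTTP-only: cannot match an opaque TCP connection,
                           # so the app is denied instead of allowed
---
# Corrected: L4 attributes only (peer identity and destination port).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: postgres-allow-app              # hypothetical name
  namespace: data
spec:
  selector:
    matchLabels:
      app: postgres
  action: ALLOW
  rules:
  - from:
    - source:
        # Peer identity comes from the mTLS certificate, so mTLS must be
        # in effect between the client sidecar and this workload.
        principals: ["cluster.local/ns/app/sa/orders"]
    to:
    - operation:
        ports: ["5432"]    # every other source and port on this workload is denied
```

AuthorizationPolicy is enforced by the proxy in front of the destination, so for an external database reached through a ServiceEntry there is no proxy on the database side; the same L4 rule shape would then have to be enforced at an egress gateway that the traffic is routed through.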