Interview Istio & Service Mesh

How do you enforce that all traffic leaving the mesh goes through an egress gateway?

Istio & Service Mesh · Intermediate level

Answer

To force outbound mesh traffic through an egress gateway, I combine Istio's outbound traffic policy with ServiceEntry, VirtualService, DestinationRule, and AuthorizationPolicy resources, and back them with network-layer controls. The mesh config routes each allowed external host to the egress gateway, while a firewall, security group, or NetworkPolicy blocks pods from reaching the internet directly.

Technical explanation

Istio config alone is not enough: a sidecar can be bypassed (for example by a pod without injection or by a compromised workload), so if pods can reach the internet at the network layer, the gateway is optional rather than enforced.

ServiceEntry registers the known external services; VirtualService sends that traffic to the egress gateway, and from the gateway on to the external host.

NetworkPolicy, cloud security groups, NAT rules, or firewall policy should allow outbound internet traffic only from the egress gateway path, so the only way out of the cluster is through the gateway.

Hands-on example

Implementation flow:

1. Set outboundTrafficPolicy to REGISTRY_ONLY if appropriate, so sidecars can only reach hosts that are registered in the mesh.

2. Create a ServiceEntry for api.partner.com.

3. Route that host through istio-egressgateway with a Gateway and VirtualService.

4. Allow only the egress gateway's subnet or security group through the external firewall.

5. Verify that a direct curl from a pod fails while the routed egress succeeds.
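The five steps above as one set of manifests. This is an added example, not configuration from the original answer; the namespace `payments`, the Gateway/VirtualService names, and the 10.0.0.0/8 in-cluster CIDR are assumptions for illustration. The VirtualService uses TLS passthrough on SNI, so the application's TLS session to api.partner.com stays end to end and the gateway only routes it.

```yaml
# Added example (not from the original page). Assumed: app namespace "payments",
# egress gateway in istio-system, pod+service CIDR 10.0.0.0/8.
# --- Step 1: sidecars may only reach hosts present in the registry ------------
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY   # unregistered hosts are black-holed by the sidecar
---
# --- Step 2: register the external host so REGISTRY_ONLY does not block it ---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: partner-api
  namespace: istio-system
spec:
  hosts:
  - api.partner.com
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
---
# --- Step 3a: listener on the egress gateway pods (TLS passthrough) ------------
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: partner-egress
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - api.partner.com
    tls:
      mode: PASSTHROUGH   # gateway routes on SNI, does not terminate TLS
---
# --- Step 3b: sidecar -> egress gateway -> external host -----------------------
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: partner-via-egress
  namespace: istio-system
spec:
  hosts:
  - api.partner.com
  gateways:
  - mesh            # first rule applies to every sidecar
  - partner-egress  # second rule applies to the gateway listener above
  tls:
  - match:
    - gateways: [mesh]
      port: 443
      sniHosts: [api.partner.com]
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 443
  - match:
    - gateways: [partner-egress]
      port: 443
      sniHosts: [api.partner.com]
    route:
    - destination:
        host: api.partner.com
        port:
          number: 443
---
# --- Step 4: network layer: app pods cannot leave the cluster directly --------
# Egress is limited to the assumed in-cluster CIDR, which contains kube-dns,
# istiod and the egress gateway pod. Pair this with a cloud firewall / NAT rule
# that permits internet egress only from the nodes running the gateway.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-direct-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/8   # assumed pod + service range; nothing external
```

For step 5, exercise both paths from the application namespace: a `curl https://api.partner.com` from a sidecar-injected pod should succeed and produce an access log entry on the gateway (`kubectl logs -n istio-system -l istio=egressgateway`), while the same request from a pod created with the injection disabled, or to any host not covered by a ServiceEntry, should time out or be refused. The second check is the one that proves the NetworkPolicy and firewall, not only Istio, are doing the enforcing.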
