What is SNI-based routing, and how does the ingress gateway use it?
Istio & Service Mesh · Advanced level
Answer
SNI-based routing uses the Server Name Indication value in the TLS ClientHello to choose a backend for encrypted traffic without decrypting it: the requested hostname is sent in cleartext during the handshake, so the proxy can make a routing decision before any HTTP is visible. An Istio ingress gateway can match hosts in TLS PASSTHROUGH mode and forward the still-encrypted connection to the correct backend based on that SNI value.
Technical explanation
SNI routing is useful when the gateway should not terminate TLS, such as when backend services own their certificates.
Because the gateway does not decrypt traffic in PASSTHROUGH mode, it cannot route based on HTTP path or headers, and it cannot apply request-level policy or emit HTTP-level telemetry for that traffic either; those responsibilities move to the backend that terminates TLS.
For HTTP path routing, terminate TLS at the gateway or use another design that exposes HTTP metadata to the proxy.
Hands-on example
PASSTHROUGH sketch:
Gateway server:
  port: 443 HTTPS
  tls:
    mode: PASSTHROUGH
  hosts: [secure.example.com]
VirtualService tls rule:
  match:
    - sniHosts: [secure.example.com]
  route:
    - destination:
        host: secure-backend
        port:
          number: 443
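A complete Gateway and VirtualService pair for the passthrough design sketched above, as an added example rather than the page's own manifests; the resource names, the istio-system and apps namespaces, the istio: ingressgateway selector and the networking.istio.io/v1 API version (Istio 1.22 or later) are assumptions.

```yaml
# Added example: SNI passthrough on the Istio ingress gateway.
# Names, namespaces and the gateway selector are assumed values.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: secure-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: tls-passthrough
      protocol: TLS             # raw TLS: the gateway never parses HTTP here
    tls:
      mode: PASSTHROUGH         # no credentialName: the gateway holds no cert for this host
    hosts:
    - secure.example.com
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: secure-backend
  namespace: istio-system
spec:
  hosts:
  - secure.example.com
  gateways:
  - secure-gateway
  tls:                          # a tls: rule, not http:; path/header matches are unavailable
  - match:
    - port: 443
      sniHosts:
      - secure.example.com      # matched against the ClientHello SNI only
    route:
    - destination:
        host: secure-backend.apps.svc.cluster.local   # backend that terminates TLS
        port:
          number: 443
```

To confirm the gateway is not terminating TLS, connect with `openssl s_client -servername secure.example.com -connect <ingress-ip>:443` and check that the certificate presented is the backend's, not one held by the gateway.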