You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: support/azure/azure-kubernetes/extensions/istio-add-on-egress-gateway.md
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -110,23 +110,23 @@ You can also check the logs of the `kube-egress-gateway-cni-manager` pod that ru
110
110
111
111
Verify that the `spec.gatewayNodepoolName`for the `StaticGatewayConfiguration`for each Istio egress gateway references a valid agent pool of the mode type`Gateway` on the cluster. If any Istio add-on egress gateway `StaticGatewayConfiguration` references an agent pool through the `spec.gatewayNodepoolName`, you shouldn't delete a `Gateway` agent pool.
112
112
113
-
### Step 4: Try sending an external request from the Istio egress gateway
113
+
### Step 4: Try to send an external request from the Istio egress gateway
114
114
115
115
Verify that requests from the Istio egress gateway are routed correctly through the Static Egress Gateway node pool. To take this action, use the `kubectl debug` command to create a Kubernetes ephemeral container and verify the source IP of requests from the Istio egress pod. Make sure that you temporarily set `outboundTrafficPolicy.mode` to `ALLOW_ANY` so that the egress gateway can access `ifconfig.me`. As a security best practice, we recommend that you revert `outboundTrafficPolicy.mode` to `REGISTRY_ONLY` after you finish debugging.
The source IP address that's returned should match the `egressIpPrefix` value of the `StaticGatewayConfiguration` that's associated with that Istio egress gateway. If the request fails or the source IP address returned doesn't match the `egressIpPrefix`, try [restarting the Istio egress gateway deployment](#step-6-try-restarting-the-istio-egress-gateway-deployment) or debugging potential issues by using [Static Egress Gateway](#step-8-debug-the-static-egress-gateway).
121
+
The source IP address that's returned should match the `egressIpPrefix` value of the `StaticGatewayConfiguration` that's associated with that Istio egress gateway. If the request fails or the source IP address returned doesn't match the `egressIpPrefix`, try [to restart the Istio egress gateway deployment](#step-6-try-to-restart-the-istio-egress-gateway-deployment) or debugging potential issues by using [Static Egress Gateway](#step-8-debug-the-static-egress-gateway).
122
122
123
-
### Step 5: Try sending a request from an uninjected pod to the external service
123
+
### Step 5: Try to send a request from an uninjected pod to the external service
124
124
125
125
Another way to identify whether the issue is caused by the Istio add-on egress gateway or the Static Egress Gateway is to send a request directly from an uninjected pod (outside of the Istio mesh). You can use the [curl sample application](https://raw.githubusercontent.com/istio/istio/release-1.25/samples/curl/curl.yaml). Under `spec.template.metadata.annotations`, set the `kubernetes.azure.com/static-gateway-configuration` annotation to the same `gatewayConfigurationName`for the Istio add-on egress gateway.
126
126
127
-
If the requests from the uninjected pod fail, try debugging potential issues that affect the [Static Egress Gateway](#step-8-debug-the-static-egress-gateway). If the requests from the uninjected pod succeed, verify your [Istio egress gateway configurations](#istio-egress-configuration-and-custom-resources-troubleshooting).
127
+
If the requests from the uninjected pod fail, try to debug potential issues that affect the [Static Egress Gateway](#step-8-debug-the-static-egress-gateway). If the requests from the uninjected pod succeed, verify your [Istio egress gateway configurations](#istio-egress-configuration-and-custom-resources-troubleshooting).
128
128
129
-
### Step 6: Try restarting the Istio egress gateway deployment
129
+
### Step 6: Try to restart the Istio egress gateway deployment
130
130
131
131
For changes to take effect to certain `StaticGatewayConfiguration` fields such as `defaultRoute` and `excludeCidrs`, you must restart the Istio add-on egress gateway pods.
132
132
@@ -136,7 +136,7 @@ You can bounce the pod by triggering a restart of the egress gateway deployment:
### Step 7: Try creating a new StaticGatewayConfiguration for the Istio add-on egress gateway
139
+
### Step 7: Try to create a new StaticGatewayConfiguration for the Istio add-on egress gateway
140
140
141
141
If the `StaticGatewayConfiguration`forthe Istio add-on egress gateway has an error, try to create a new `StaticGatewayConfiguration` custom resourcein the same namespace. Then, run the following `az aks mesh enable-egress-gateway`command to update the `gatewayConfigurationName`. We recommend that you waituntil the newly created `StaticGatewayConfiguration` is assigned an `egressIpPrefix`:
0 commit comments