
We are facing issues on port 15001 in Istio deployed in Azure AKS.

Currently we have deployed Istio in AKS and are trying to connect to an Azure Cache for Redis instance in cluster mode. Our Azure Redis instance has more than two shards with SSL enabled, and one of the master nodes is assigned port 15001. We were able to connect to Azure Redis from AKS pods over ports 6380, 15000, 15002, 15003, 15004 and 15005. However, when we try to connect over 15001 we see some issues. When we try to connect to Redis over port 15001 from a namespace without Istio sidecar injection in the same AKS cluster, the connection works fine.

Below are the logs from the redis-cli pod deployed in our AKS cluster.

Success case:

redis-cli -h our-redis-host.redis.cache.windows.net -p 6380 -a our-account-key --cacert "BaltimoreCyberTrustRoot.pem" --tls ping

OUTPUT:

Warning: Using a password with ‘-a’ or ‘-u’ option on the command line interface may not be safe.
PONG

We are able to connect to Redis over all ports: 6380, 15000, 15002, 15003, 15004 and 15005. However, when we try to connect using 15001 we get the error below.

Failure case:

redis-cli -h our-redis-host.redis.cache.windows.net -p 15001 -a our-account-key --cacert "BaltimoreCyberTrustRoot.pem" --tls ping

OUTPUT:

Warning: Using a password with ‘-a’ or ‘-u’ option on the command line interface may not be safe.
Could not connect to Redis at our-redis-host.redis.cache.windows.net :15001: SSL_connect failed: Success

I could not see any entry in the istio-proxy logs when trying from port 15001. However, when trying other ports we can see an entry in the logs as below:

[2021-05-05T00:59:18.677Z] "- - -" 0 - - - "-" 600 3982 10 - "-" "-" "-" "-" "172.XX.XX.XX:6380" PassthroughCluster 172.XX.XX.XX:45478 172.22.XX.XX:6380 172.XX.XX.XX:45476 - -

Is this because port 15001 blocks the outbound requests or manipulates certs for requests on port 15001? If yes, is there any configuration to update the proxy_port to a port other than 15001?

Note: Posted this on the Istio forum. Posting here for better reach.

Istio versions:

> istioctl version
client version: 1.8.2
control plane version: 1.8.3
data plane version: 1.8.3

2 Answers


  1. Chosen as BEST ANSWER

    We have utilised the concept of the Istio excludeOutboundPorts annotation to bypass the Istio Envoy proxy interception of traffic on the outbound ports for which we see the problem due to Istio port requirements.

    Using annotations provided by Istio, we can use either IP or port ranges to exclude from interception. Below is an example with ports:

    template:
      metadata:
        labels:
          app: 'APP-NAME'
        annotations:
          traffic.sidecar.istio.io/excludeOutboundPorts: "15001"

    References:

    Istio Annotations

    Istio traffic capture limitations

    Istio Port Requirement


  2. Port 15001 is used by Envoy in Istio. Applications should not use ports reserved by Istio to avoid conflicts.

    You can read more here
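Both answers come down to the same rule: a pod's application traffic must not be dialled to a port the Istio sidecar reserves for itself, and where a remote service (here a Redis shard) happens to listen on such a port, the fix is to exclude that port from outbound capture on the pod template. The following is an added example, not code from the question or either answer: it takes a Deployment manifest as a Python dict (the JSON form of the YAML above, constructed here), checks the ports the application dials against a reserved-port set, and merges the needed exclusions into the `traffic.sidecar.istio.io/excludeOutboundPorts` annotation on `spec.template.metadata` (the pod, not the Deployment's own metadata), keeping any exclusions already present. Only 15001 is named on this page; the other entries in `ISTIO_RESERVED_PORTS` are Istio's other documented sidecar ports and are an assumption to verify against the port-requirements page for your release. The function names are mine.

```python
"""Keep application outbound ports clear of Istio's reserved sidecar ports.

Added example; not from the question or answers above. Uses only the
standard library so it runs offline.
"""
import copy
import json

ANNOTATION = "traffic.sidecar.istio.io/excludeOutboundPorts"

# Ports the Istio sidecar binds inside the pod. 15001 (Envoy outbound) is the
# one this page is about; the rest are Istio's other documented sidecar ports
# (assumption: matches the Istio 1.8 port requirements; verify for your release).
ISTIO_RESERVED_PORTS = frozenset({15000, 15001, 15006, 15020, 15021, 15090})


def parse_port_list(value):
    """Parse an annotation value such as "15001, 9000" into a sorted list of ints."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        ports.add(port)
    return sorted(ports)


def reserved_conflicts(destination_ports):
    """Return the destination ports that collide with Istio's reserved sidecar ports."""
    return set(destination_ports) & ISTIO_RESERVED_PORTS


def add_exclude_outbound_ports(deployment, ports):
    """Return a copy of the Deployment with `ports` merged into the pod-template
    excludeOutboundPorts annotation. The annotation lives on
    spec.template.metadata (the pod); putting it on the Deployment's own
    metadata has no effect on the sidecar injector."""
    out = copy.deepcopy(deployment)
    meta = out.setdefault("spec", {}).setdefault("template", {}).setdefault("metadata", {})
    annotations = meta.setdefault("annotations", {})
    existing = parse_port_list(annotations.get(ANNOTATION, ""))
    merged = sorted(set(existing) | set(ports))
    annotations[ANNOTATION] = ",".join(str(p) for p in merged)
    return out


def get_exclude_outbound_ports(deployment):
    """Read back the pod-template annotation as a sorted list of ints."""
    meta = deployment.get("spec", {}).get("template", {}).get("metadata", {})
    return parse_port_list(meta.get("annotations", {}).get(ANNOTATION, ""))


def plan_exclusions(deployment, destination_ports):
    """Given the remote ports the app dials (e.g. every Redis shard port),
    return (patched Deployment, set of ports that had to be excluded)."""
    conflicts = reserved_conflicts(destination_ports)
    if not conflicts:
        return deployment, conflicts
    return add_exclude_outbound_ports(deployment, conflicts), conflicts


def sample_deployment():
    """Constructed sample: JSON form of the answer's YAML, with a pre-existing
    exclusion on 9000 so the merge behaviour is visible."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "rediscli"},
        "spec": {
            "template": {
                "metadata": {
                    "labels": {"app": "rediscli"},
                    "annotations": {ANNOTATION: "9000"},
                },
                "spec": {"containers": [{"name": "rediscli", "image": "redis:6"}]},
            }
        },
    }


if __name__ == "__main__":
    # The shard ports from the question; 15001 is the one that failed.
    shards = [6380, 15000, 15001, 15002, 15003, 15004, 15005]
    patched, needed = plan_exclusions(sample_deployment(), shards)
    print("reserved ports dialled by the app:", sorted(needed))
    print(json.dumps(patched["spec"]["template"]["metadata"], indent=2))
```

Run as a script it prints the patched pod-template metadata with the annotation `9000,15000,15001`; the same merge applied twice is a no-op, which matters if the check runs in CI on every deploy. In the question only 15001 actually failed (15000 connected fine through the proxy), so the script flags 15000 conservatively because Istio documents it as the Envoy admin port; trim `ISTIO_RESERVED_PORTS` to what your Istio release actually binds if you want the check to match observed behaviour rather than the documented reservation.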
