Ports

Service ports must be named <protocol>[-<suffix>]

Warning

Any unlisted ports will bypass the proxy and all associated mesh policies.

| Protocol | Port Name | Port Name w/ Suffix |
|----------|-----------|---------------------|
| HTTP     | http      | http-<suffix>       |
| HTTP2    | http2     | http2-<suffix>      |
| HTTPS    | https     | https-<suffix>      |
| TLS      | tls       | tls-<suffix>        |
| GRPC     | grpc      | grpc-<suffix>       |
| TCP      | tcp       | tcp-<suffix>        |
| Mongo    | mongo     | mongo-<suffix>      |
| MySQL    | mysql     | mysql-<suffix>      |
| Redis    | redis     | redis-<suffix>      |

```yaml
apiVersion: v1
kind: Service
metadata:
  name: example-api
  namespace: default
  labels:
    app: example-api
spec:
  ports:
    - port: 1080
      name: http-api
      targetPort: http-api
    - port: 1090
      name: grpc-api
      targetPort: grpc-api
  selector:
    app: example-api
```

Pods must include an explicit list of ports each container listens on

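```yaml
# apps/v1beta1 was removed in Kubernetes 1.16; apps/v1 requires spec.selector.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-api
  namespace: default
spec:
  selector:
    matchLabels:
      app: example-api
  template:
    metadata:
      labels:
        app: example-api
    spec:
      containers:
        - name: example-api
          # Every port the container listens on is declared here.
          # A Service targetPort given as a name is resolved against these names.
          ports:
            - containerPort: 1080
              name: grpc-api
            - containerPort: 1090
              name: http-api
```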

To avoid port conflicts with sidecars, applications should not use any of the ports used by Envoy

Istio Ports

| Port  | Protocol | Used by                     | Description                                                          |
|-------|----------|-----------------------------|----------------------------------------------------------------------|
| 443   | HTTPS    | Istiod                      | Webhooks                                                             |
| 8080  | HTTP     | Istiod                      | Debug interface                                                      |
| 15000 | TCP      | Envoy                       | Envoy admin port (commands/diagnostics)                              |
| 15001 | TCP      | Envoy                       | Envoy outbound                                                       |
| 15006 | TCP      | Envoy                       | Envoy inbound                                                        |
| 15008 | TCP      | Envoy                       | Envoy tunnel port (inbound)                                          |
| 15010 | GRPC     | Istiod                      | XDS and CA services (plaintext)                                      |
| 15012 | GRPC     | Istiod                      | XDS and CA services (TLS, recommended for production use)            |
| 15014 | HTTP     | Istiod                      | Control plane monitoring                                             |
| 15020 | HTTP     | Envoy                       | Merged Prometheus telemetry from Istio agent, Envoy, and application |
| 15021 | HTTP     | Envoy                       | Health checks                                                        |
| 15090 | HTTP     | Envoy                       | Envoy Prometheus telemetry                                           |
| 15443 | TLS      | Ingress and Egress Gateways | Envoy Prometheus telemetry                                           |
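
The three rules on this page can be checked mechanically before a manifest is deployed. The following is an added example, not part of the original page or of Istio: it assumes a JSON `List` document of the shape `kubectl get svc,deploy -o json` produces, and the function name `audit`, the finding labels and the sample data are constructed for illustration.

```python
import json
import re

# Protocol prefixes from the port-naming table on this page.
PROTOCOLS = ("http", "http2", "https", "tls", "grpc", "tcp", "mongo", "mysql", "redis")
PORT_NAME = re.compile(r"(?:%s)(?:-.+)?" % "|".join(PROTOCOLS))
# Rows of the Istio Ports table whose "Used by" column is Envoy.
ENVOY_PORTS = {15000, 15001, 15006, 15008, 15020, 15021, 15090}

def audit(manifest_list):
    """Return (object, port, finding) tuples for a kubectl-style List document."""
    findings = []
    for obj in manifest_list["items"]:
        meta = obj["metadata"]
        ident = "%s/%s/%s" % (obj["kind"], meta.get("namespace", "default"), meta["name"])
        if obj["kind"] == "Service":
            for port in obj["spec"].get("ports", []):
                # An unnamed or misnamed port does not follow <protocol>[-<suffix>].
                if not PORT_NAME.fullmatch(port.get("name", "")):
                    findings.append((ident, port["port"], "port-name"))
        elif obj["kind"] == "Deployment":
            for ctr in obj["spec"]["template"]["spec"]["containers"]:
                declared = ctr.get("ports", [])
                if not declared:
                    findings.append((ident, None, "no-declared-ports"))
                for port in declared:
                    if port["containerPort"] in ENVOY_PORTS:
                        findings.append((ident, port["containerPort"], "envoy-conflict"))
    return findings

# Constructed sample input (not from a real cluster).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Service", "metadata": {"name": "example-api", "namespace": "default"},
   "spec": {"ports": [{"port": 1080, "name": "http-api"},
                      {"port": 1090, "name": "grpc-api"},
                      {"port": 9100, "name": "metrics"},
                      {"port": 9200}]}},
  {"kind": "Deployment", "metadata": {"name": "example-api", "namespace": "default"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "example-api", "ports": [{"containerPort": 1080, "name": "grpc-api"},
                                       {"containerPort": 15090, "name": "http-stats"}]},
     {"name": "helper"}]}}}}
]}
""")

if __name__ == "__main__":
    for ident, port, finding in audit(SAMPLE):
        print(ident, port, finding)
```

Running a check like this in CI catches ports that would sit outside mesh policy, as the warning above describes, before they reach a cluster.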