Ports
Service ports must be named <protocol>[-<suffix>]
Warning
Any unlisted ports will bypass the proxy and all associated mesh policies.
Protocol | Port Name | Port Name w/ Suffix |
---|---|---|
HTTP | http | http-<suffix> |
HTTP2 | http2 | http2-<suffix> |
HTTPS | https | https-<suffix> |
TLS | tls | tls-<suffix> |
GRPC | grpc | grpc-<suffix> |
TCP | tcp | tcp-<suffix> |
Mongo | mongo | mongo-<suffix> |
MySQL | mysql | mysql-<suffix> |
Redis | redis | redis-<suffix> |

```yaml
apiVersion: v1
kind: Service
metadata:
  name: example-api
  namespace: default
  labels:
    app: example-api
spec:
  ports:
  - port: 1080
    name: http-api
    targetPort: http-api
  - port: 1090
    name: grpc-api
    targetPort: grpc-api
  selector:
    app: example-api
```

Pods must include an explicit list of ports each container listens on

```yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: example-api
  namespace: default
spec:
  template:
    metadata:
      labels:
        app: example-api
    spec:
      containers:
      - name: example-api
        ports:
        - containerPort: 1080
          name: grpc-api
        - containerPort: 1090
          name: http-api
```

To avoid port conflicts with sidecars, applications should not use any of the ports used by Envoy

Istio Ports

Port | Protocol | Used by | Description |
---|---|---|---|
443 | HTTPS | Istiod | Webhooks |
8080 | HTTP | Istiod | Debug interface |
15000 | TCP | Envoy | Envoy admin port (commands/diagnostics) |
15001 | TCP | Envoy | Envoy outbound |
15006 | TCP | Envoy | Envoy inbound |
15008 | TCP | Envoy | Envoy tunnel port (inbound) |
15010 | GRPC | Istiod | XDS and CA services (plaintext) |
15012 | GRPC | Istiod | XDS and CA services (TLS, recommended for production use) |
15014 | HTTP | Istiod | Control plane monitoring |
15020 | HTTP | Envoy | Merged Prometheus telemetry from Istio agent, Envoy, and application |
15021 | HTTP | Envoy | Health checks |
15090 | HTTP | Envoy | Envoy Prometheus telemetry |
15443 | TLS | Ingress and Egress Gateways | Envoy Prometheus telemetry |
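
The three rules above can be checked before a manifest is applied. The following is an added example, not code from this page or from the Istio project: the function names are hypothetical, the manifests are assumed to be already parsed into dicts, and the `BAD_*` inputs are constructed to break each rule.

```python
import re

# Protocol prefixes and Envoy sidecar ports, copied from the tables on this page.
PROTOCOLS = ("http", "http2", "https", "tls", "grpc", "tcp", "mongo", "mysql", "redis")
ENVOY_PORTS = {15000, 15001, 15006, 15008, 15020, 15021, 15090}
NAME_RE = re.compile(r"^(?:%s)(?:-[a-z0-9]+)*$" % "|".join(PROTOCOLS))


def check_service(svc):
    """Return findings for Service ports whose name is missing or not <protocol>[-<suffix>]."""
    findings = []
    for p in svc["spec"].get("ports", []):
        name = p.get("name")
        if not name or not NAME_RE.match(name):
            findings.append(f"service port {p['port']}: name {name!r} does not match <protocol>[-<suffix>]")
    return findings


def check_pod_ports(deploy, svc):
    """Return findings for container ports that collide with Envoy or are not declared."""
    findings, names, numbers = [], set(), set()
    for c in deploy["spec"]["template"]["spec"]["containers"]:
        for p in c.get("ports", []):
            names.add(p.get("name"))
            numbers.add(p["containerPort"])
            if p["containerPort"] in ENVOY_PORTS:
                findings.append(f"container {c['name']}: port {p['containerPort']} is used by Envoy")
    for p in svc["spec"].get("ports", []):
        target = p.get("targetPort", p["port"])  # Kubernetes defaults targetPort to port
        if target not in names and target not in numbers:
            findings.append(f"service targetPort {target!r} is not declared by any container")
    return findings


def _deploy(ports):  # hypothetical helper: builds a minimal constructed Deployment
    return {"spec": {"template": {"spec": {"containers": [{"name": "example-api", "ports": ports}]}}}}

# Constructed sample input: the page's example, then a variant that breaks each rule.
GOOD_SVC = {"spec": {"ports": [{"port": 1080, "name": "http-api", "targetPort": "http-api"},
                               {"port": 1090, "name": "grpc-api", "targetPort": "grpc-api"}]}}
GOOD_DEPLOY = _deploy([{"containerPort": 1080, "name": "grpc-api"},
                       {"containerPort": 1090, "name": "http-api"}])
BAD_SVC = {"spec": {"ports": [{"port": 80, "name": "api", "targetPort": 8080},
                              {"port": 9000, "targetPort": "metrics"}]}}
BAD_DEPLOY = _deploy([{"containerPort": 15001, "name": "http-api"}])

if __name__ == "__main__":
    for finding in check_service(BAD_SVC) + check_pod_ports(BAD_DEPLOY, BAD_SVC):
        print(finding)
```

An unnamed or misnamed Service port is the finding to treat as blocking, since per the warning above such a port bypasses the proxy and its mesh policies.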