Exposing Workloads Using Istio VirtualService
Learn how to expose a workload with Istio VirtualService and your custom domain.
Prerequisites
You have the Istio module added.
You have a deployed workload.
You have set up your custom domain and a custom TLS Gateway. See Set Up a Custom Domain and Set Up a TLS Gateway.
Alternatively, you can use the default domain of your Kyma cluster and the default Gateway kyma-system/kyma-gateway. To use the default domain and Gateway, the API Gateway module must be added to your cluster.
TIP
To get the default domain of your Kyma cluster, run the following command:
kubectl get gateway -n kyma-system kyma-gateway -o jsonpath='{.spec.servers[0].hosts}'
Context
Kyma's API Gateway module provides the APIRule custom resource (CR), which is the recommended solution for securely exposing workloads. To expose a workload using an APIRule v2, you must include the workload in the Istio service mesh. Including a workload in the mesh brings several benefits, such as secure service-to-service communication, tracing capabilities, or traffic management. For more information, see Purpose and Benefits of Istio Sidecar Proxies and The Istio service mesh.
However, if you do not need the capabilities provided by the Istio service mesh, you can expose an unsecured workload using Istio VirtualService only. Such an approach might be useful in the following scenarios:
- If you use Unified Gateway as an entry point for SAP Cloud solutions. In this case, you can configure Unified Gateway to manage API exposure, JWT validation, and routing capabilities, offloading these responsibilities from the service mesh.
- If you want to expose front-end Services that manage their own authentication mechanisms.
- If you require certain features or want to implement specific configurations that APIRule does not support.
- If you require full control over Istio resources and you want to manage them directly without any higher-level abstractions.
The following instructions demonstrate a simple use case where VirtualService exposes an unsecured Service, skipping the requirement to include the Service in the Istio service mesh.