Fig. 1 Request lifecycle
[Diagram: External client (HTTP/2, TLS) → AWS Network LB (L4, TCP passthrough) → Gateway: IngressGateway (envoy, TLS termination) → VirtualService (host, path, rewrite) → DestinationRule (subsets, mTLS) → Service (ClusterIP) → Backend Pod ×3 replicas (:8080). The response returns along the same path in reverse.]
Fig. 1 — An HTTPS request from a public client reaches the cluster via an AWS NLB, terminates TLS at the Istio IngressGateway (envoy), is routed by a VirtualService, shaped by a DestinationRule (mTLS, subsets, outlier detection), and lands at a backend pod via a standard ClusterIP. Response returns along the reverse path.
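
The three Istio resources named in Fig. 1 could be declared as below. This is an added configuration sketch, not configuration from the original page. The hostname, namespaces, resource and secret names, the `/api/` prefix, the `v1` subset label, the Service port and the outlier-detection thresholds are all assumptions.

```yaml
# Added example: all names, hosts, paths and thresholds are assumptions, not from the page.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata: {name: public-gw, namespace: istio-system}
spec:
  selector: {istio: ingressgateway}   # binds to the ingress gateway envoy pods
  servers:
  - port: {number: 443, name: https, protocol: HTTPS}
    hosts: ["app.example.com"]
    tls:
      mode: SIMPLE                    # TLS terminates here; the NLB only passes TCP through
      credentialName: app-example-com-tls   # TLS secret in the gateway's namespace
      minProtocolVersion: TLSV1_2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: backend, namespace: app}
spec:
  hosts: ["app.example.com"]
  gateways: ["istio-system/public-gw"]   # only applies to traffic entering via this Gateway
  http:
  - match:
    - uri: {prefix: /api/}
    rewrite: {uri: /}
    route:
    - destination:
        host: backend.app.svc.cluster.local   # the ClusterIP Service
        subset: v1
        port: {number: 8080}
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata: {name: backend, namespace: app}
spec:
  host: backend.app.svc.cluster.local
  trafficPolicy:
    tls: {mode: ISTIO_MUTUAL}         # gateway-to-pod hop uses mesh-issued mTLS certificates
    outlierDetection:                 # eject replicas that keep returning 5xx
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s
  subsets:
  - name: v1
    labels: {version: v1}             # must match the pod template labels
```

Because the NLB does TCP passthrough, the gateway is the first hop that sees plaintext HTTP, so the certificate secret and the minimum TLS version set on the Gateway are what define the public-facing TLS posture.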