Two-container pod and consul envoy proxy

dluongiop · March 17, 2022, 8:22pm

Hi,

We have a two-container application (c1, c2) in pod A that communicates with service pod B. In addition, c1 connects to c2 port 5530 inside pod A.
We setup service mesh with envoy proxy for pod A and B to secure service communication.

When c1 tries to connect to c2, we observed that envoy sidecar in pod A is connecting to c2 port 5530. We think this is because the port 5530 is set up as a service port on pod A so envoy automatically picked up the inbound ports. We tried to use annotation to exclude inbound port 5530 and set transparent-proxy to false but that didn’t help.

Question:
Is the current consul architecture not able to support a two-container pod as we have here?

I’d appreciate any feedback!

Thanks.

ishustava1 · March 21, 2022, 9:16pm

Hey @dluongiop

Are you using loopback (i.e. localhost or 127.0.0.1) for c1 to connect to c2? If so, then loopback traffic should automatically excluded from traffic redirection for tproxy and so you shouldn’t need to exclude that port.

There’s nothing in the consul architecture that would prevent loopback traffic between containers in a pod that I know of.