Envoy proxies communicate directly with the application microservices. The control plane only interacts with the Envoy proxy for policy-based rules. The Envoy proxy intercepts all inbound and outbound traffic for all of the services in the mesh.

In the upcoming Chapter 10, Exploring Istio Traffic Management Capabilities, you will see the istio-init container at the time of its deployment. The init container sets the iptables rules to divert inbound and outbound traffic from the microservice to the Envoy sidecar proxy.

Pilot is easy to understand through Istio configuration primitives such as gateways, virtual services, service entry, and destination rules. The following workflow explains a gateway for a specific application that multiple virtual services can connect to. The virtual service can point to different services based upon a path, URI, headers, cookies, or subsets defined through the destination rules. Load balancing and traffic management to external services through the service entry is what happens in L7 traffic management:

The preceding diagram is a simplified illustration of the relationship between the gateway, virtual services, destination rules, and service entry.

The Istio primitive gateway is the one that facilitates virtual service connection to external incoming and outgoing traffic. Let's explore Istio-defined gateways.