istio.io/istio@v0.0.0-20240520182934-d79c90f27776/releasenotes/notes/sni-dnat-default.yaml

apiVersion: release-notes/v2
kind: feature
area: networking
issue:
- 27749
releaseNotes:
- |
  **Updated** the default installation of gateways to not configure clusters for `AUTO_PASSTHROUGH`, reducing memory costs.

upgradeNotes:
- title: "`AUTO_PASSTHROUGH` Gateway mode"
  content: |
    Previously, gateways were configured with multiple Envoy `cluster` configurations for each Service in the cluster, even those
    not referenced by any Gateway or VirtualService. This was added to support the `AUTO_PASSTHROUGH` mode on Gateway, generally used for exposing Services across networks.

    However, this came at an increased CPU and memory cost in the gateway and Istiod. As a result, we have disabled these by default
    on the `istio-ingressgateway` and `istio-egressgateway`.

    If you are relying on this feature for multi-network support, please ensure you apply one of the following changes:

    1. Follow our new [Multicluster Installation](/docs/setup/install/multicluster/) documentation.

       This documentation will guide you through running a dedicate gateway deployment for this type of traffic (generally referred to as the `eastwest-gateway`).
       This `eastwest-gateway` will automatically be configured to support `AUTO_PASSTHROUGH`.

    1. Modify your installation of the gateway deployment to include this configuration. This is controlled by the `ISTIO_META_ROUTER_MODE` environment variable. Setting this to `sni-dnat` enables these clusters, while `standard` (the new default) disables them.

      {{< text yaml >}}
      ingressGateways:
       - name: istio-ingressgateway
         enabled: true
         k8s:
           env:
             - name: ISTIO_META_ROUTER_MODE
               value: "sni-dnat"
       {{< /text >}}