Istio 多集群联邦与流量策略（EastWest Gateway、Failover 与验证）

概述多集群网格通过EastWest Gateway进行跨集群互联，在出站路由层结合本地优先与Failover策略保证就近访问与故障切换。在区域故障或实例异常时自动切换到备份集群，提升可用性与性能。关键实践与参数EastWest Gateway: 在每个集群部署并暴露网格内部服务ServiceEntry: 为跨集群目标声明外部主机与端口本地优先: `localityLbSetting` 优先同Region/Zone故障切换: `failover` 区域映射, 异常时跨区路由异常剔除: `outlierDetection` 剔除错误端点示例/配置/实现apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: orders-global spec: hosts: ["orders.global"] location: MESH_EXTERNAL ports: - number: 15443 name: tls protocol: TLS resolution: DNS apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: dr-orders-global spec: host: orders.global trafficPolicy: loadBalancer: localityLbSetting: enabled: true failover: - from: cn to: us outlierDetection: consecutive5xxErrors: 5 interval: 5s baseEjectionTime: 30s maxEjectionPercent: 50 apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: vs-orders spec: hosts: ["orders.global"] tls: - match: - sniHosts: ["orders.global"] route: - destination: host: orders.global port: { number: 15443 } 验证就近访问: 在不同区域发起请求, 延迟与带宽显示本地优先效果故障切换: 注入区域故障或5xx错误, 自动切换至Failover目标剔除与恢复: 异常端点被剔除并在基准时间后恢复可观测: 采集出站请求成功率与切换事件, 设置告警注意事项DNS与Gateway需正确暴露EastWest入口Failover映射需贴合业务拓扑与成本与出口治理策略一致, 防止绕过定期演练跨区切换并记录审计