From Marko's reply in the support list for an email titled "Exclude ports from Service Mesh", this would be great to have somewhere in the OSSM doc.

 
Hi Victor, 
the excludeInboundPorts annotation is used to bypass Envoy and allow the traffic to reach the port directly. This is orthogonal to whether the port is exposed only within the cluster or also to the outside world. 
 **  
They can use a regular NodePort service, Ingress or Route to expose the application to external clients. Then they can decide whether this traffic flows through Istio or not. 
 
 
On Tue, Apr 13, 2021 at 9:54 AM Victor Medina <> wrote:
 
I have a customer with several applications deployed on projects using service mesh (v2.0.2) They would like to know if it is possible to expose some pods ports outside of the mesh, is this possible? My guess is they want pods with Mesh/Envoy configured but need something like a NodePort (outside of the mesh) for certain specific situations.
 
They found this [0] "traffic.sidecar.istio.io/excludeInboundPorts Alpha A comma separated list of inbound ports to be excluded from redirection to Envoy." They have not been able to make it work
 
Is there any way to make this kind of setup work for them?
 
[0] https://istio.io/latest/docs/reference/config/annotations/ 
 --

Victor Medina
Senior Technical Support Engineer