VirtualService vs DestinationRule
In Istio, what's the difference between a VirtualService and a DestinationRule? When would you use each?
In Istio, what's the difference between a VirtualService and a DestinationRule? When would you use each?
A VirtualService defines how requests are routed to a service: which hosts to match, path or header matching, weighted splits between versions, timeouts, and retries. A DestinationRule defines what happens after the route is chosen: which pod subsets exist (like v1 and v2), load balancing policy, connection pool limits, and outlier detection for circuit breaking. The mental model is: VirtualService picks the destination, DestinationRule configures the destination. They almost always come in pairs. If you split traffic 90/10 between v1 and v2 in a VirtualService, you also need a DestinationRule that declares the v1 and v2 subsets and labels them. Circuit breaker settings always live in DestinationRule because they're a property of the destination, not the route.
This is the foundational Istio question. Candidates who can't separate these two CRDs usually struggle with everything else: they put retries in DestinationRule, circuit breakers in VirtualService, or forget to declare subsets and wonder why 90/10 routing returns 503s. A clean answer shows the candidate has actually written Istio config, not just read a blog post.
DestinationRule declaring subsets
VirtualService routing to those subsets
- Saying VirtualService handles circuit breaking — it doesn't, that's DestinationRule
- Forgetting that subsets need matching pod labels or all routes return 503
- Treating the two CRDs as interchangeable instead of complementary
- What happens if your VirtualService references a subset that the DestinationRule doesn't declare?
- Can you have a VirtualService without a DestinationRule? When?
- Where would you put a connection pool limit, and why there?
More Service Mesh interview questions
Also worth your time on this topic
Istio Traffic Management: Routing, Retries, and Circuit Breaking
Configure weighted routing, automatic retries, and circuit breakers in Istio with copy-paste YAML examples and real kubectl output you can verify on your own cluster.
Istio Traffic Management Checklist: Routing, Retries, and Circuit Breaking
How to configure traffic management policies in Istio so your services can do canary releases, retry transient failures, and shed load when a downstream service goes bad. Covers VirtualService, DestinationRule, retries, timeouts, circuit breakers, and outlier detection.
60-90 minutes
Service Mesh Concepts
What is a service mesh and when would you implement one? Explain the sidecar pattern.
mid