Health-check host value with external Backend services

[akardaspg]

Hello I have config with two backends of external services with header host rewrite to type of backend like so:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: external-https-split
spec:
  hostnames:
  - some.domain.test
  parentRefs:
  - name: eg
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    filters:
        - type: ExtensionRef
          extensionRef:
            group: gateway.envoyproxy.io
            kind: HTTPRouteFilter
            name: dynamic-host-rewrite
    backendRefs:
    - group: gateway.envoyproxy.io
      kind: Backend
      name: https-backend-1
      weight: 50
    - group: gateway.envoyproxy.io
      kind: Backend
      name: https-backend-2
      weight: 50
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: HTTPRouteFilter
metadata:
  name: dynamic-host-rewrite
spec:
  urlRewrite:
    hostname:
      type: Backend
---
# External HTTPS Backend 1
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: https-backend-1
spec:
  endpoints:
  - fqdn:
      hostname: svc1.some.domain.com
      port: 443
---
# External HTTPS Backend 2
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: https-backend-2
spec:
  endpoints:
  - fqdn:
      hostname: svc2.some.domain.com
      port: 443
---
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
  name: svc1-backend-tls
spec:
  targetRefs:
    - group: gateway.envoyproxy.io
      kind: Backend
      name: https-backend-1
  validation:
    hostname: svc1.some.domain.com #SNI TLS
    wellKnownCACertificates: System
---
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
  name: svc2-backend-tls
spec:
  targetRefs:
    - group: gateway.envoyproxy.io
      kind: Backend
      name: https-backend-2
  validation:
    hostname: svc2.some.domain.com #SNI TLS
    wellKnownCACertificates: System

All seems to be fine, but observe problem with health-check within BackendTrafficPolicy:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: external-https-healthcheck
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: external-https-split
  healthCheck:
    active:
      type: HTTP
      http:
        path: "/health"
        method: "GET"
        expectedStatuses: [200]
      interval: "5s"
      timeout: "2s"
      unhealthyThreshold: 3
      healthyThreshold: 2

as health check is not using the backend host header, but the header from the HTTPRoute:

{
  "name": "httproute/default/external-https-split/rule/0",
  "health_checks": [
    {
      "timeout": "2s",
      "interval": "5s",
      "unhealthy_threshold": 3,
      "healthy_threshold": 2,
      "http_health_check": {
        "host": "some.domain.test",
        "path": "/health",
        "expected_statuses": [
          {
            "start": "200",
            "end": "201"
          }
        ],
        "method": "GET"
      }
    }
  ],
}

Would it be possible to use for health check host value from FQDN of the Backend resource, because as for now active health-checks in those kind of scenario are not able to work correctly, after activating it marking alll endpoints as not healthy:

httproute/default/external-https-split/rule/0::X.X.X.X:443::health_flags::/failed_active_hc
httproute/default/external-https-split/rule/0::Y.Y.Y.Y:443::health_flags::/failed_active_hc

[Aditya7880900936]

Thanks for the detailed config example.

Before diving into a fix, I want to clarify expected behavior:
Should health checks inherit the rewritten Host header
(from urlRewrite.hostname), or should they use the backend’s
original hostname?

From Envoy’s perspective, health checks often bypass request-level
filters, so this may be expected behavior rather than a bug.

I can try to trace how health check config is generated in Envoy Gateway,
but wanted to confirm expectations first.

[akardaspg]

I believe it would be reasonable to have logic like that:

1. Enable user to provide host header value in healthCheck definition like for example path (it will be used for all backends)
2. If that is not provided use by default backend provided hostname for each backend while executing tests

what do you think about it, it provides quite nice flexibility, as I can point host header manually for all backend explicitly, and if it is not provided it will grab automatically host value from each backend - then tests should works fine for that kind of scenarios.

I think there is no need to grap the value (from urlRewrite.hostname), because I'm only rewriting here header to correctly reach backends, that are hosted on different hosts, which in fact takes host headers value from backend hostname definition.

[Aditya7880900936]

Thanks, that makes sense and I agree with this approach.

Having an explicit host field in the healthCheck config feels like the right primary control, and falling back to each backend’s FQDN when it’s not set would cover the external HTTPS use case well.

I also agree that reusing urlRewrite.hostname for health checks would be mixing request-routing concerns with health checking, so it’s better to keep those separate.

If this direction sounds good, I can:

• Trace where health check config is generated today
• Propose how to extend the API (or defaults) accordingly
• Start with a small design note or draft PR for discussion

Let me know what you’d prefer as a next step.

[akardaspg]

It sound good for me, I think you can proceed with the order you proposed if there is no other concerns from project maintainers point of view.

[Aditya7880900936]

Thanks for the confirmation 👍

I’ve started looking into the current health check translation flow to understand where the host value is derived today and how it could be improved for external HTTPS backends.

Before going further, I wanted to loop in maintainers for visibility and alignment on scope.

@zirain @zhaohuabing
Does the proposed direction — falling back to each backend’s FQDN for health checks when no explicit host is set (and potentially adding an explicit override later) — sound reasonable from the project’s point of view?

If so, I’m happy to continue with a small, incremental change and follow the usual review process.

[zhaohuabing]

Hi @akardaspg you can use the Hostname in the current HTTP health check：

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: external-https-healthcheck
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: external-https-split
  healthCheck:
    active:
      type: HTTP
      http:
        hostname: "foo.bar.com"
        path: "/health"
        method: "GET"
        expectedStatuses: [200]
      interval: "5s"
      timeout: "2s"
      unhealthyThreshold: 3
      healthyThreshold: 2

[Aditya7880900936]

Hi @zhaohuabing ,Thanks for pointing that out — you’re right, the explicit healthCheck.http.hostname field already exists and can be used as a workaround 👍

The gap I was trying to address is mainly around the default behavior when hostname is not set.
In the external HTTPS backend case, users currently have to manually duplicate the backend FQDN into the health check config, otherwise the generated health check ends up using the route hostname and fails due to SNI/virtual host mismatch.

Would it make sense to improve the default behavior so that:

• if healthCheck.http.hostname is explicitly set → use it (current behavior)
• if it’s not set → automatically fall back to the backend endpoint FQDN for external backends

This would keep the API unchanged while making active health checks work out-of-the-box for external HTTPS backends.

If this sounds reasonable, I’m happy to trace the exact code path and propose a small, incremental PR focused just on the fallback logic.

[zhaohuabing]

It seems reasonable to use the backend hostname for health checks when the hostname is rewritten to the backend hostname with an HTTPRouteFilter. cc @envoyproxy/gateway-maintainers for additional input.

[arkodg]

yeah +1 for backend hostname if set

[jukie]

Agreed, that sounds good

[akardaspg]

Hello, sorry for late response I was ooo couple of days.

Thanks @zhaohuabing I missed somewhere this hostname in health check definition, that will be helpfull.

Anyway, I believe the second part of logic that @Aditya7880900936 mentioned:

• if it’s not set → automatically fall back to the backend endpoint FQDN for external backends

also will be handy, if there is a situation where two external backend are defined with two different hostnames, then using their hostnames in health checks would be reasonable (and aligned with TLS SNI), as for now some common hostname for health check must be defined on both backend as workaround.