Introduction

When Envoy proxy cannot connect to upstream services, requests fail with connection refused errors. This is a common service mesh issue caused by configuration mismatches or service discovery problems.

Symptoms

- 503 Upstream connection failure
- Envoy logs: "upstream connect error or disconnect/reset before headers"
- Error: "connection refused" in proxy access logs
- Service working without sidecar but failing with sidecar
- Circuit breaker triggering for specific upstreams

Common Causes

- Upstream service not registered in service mesh
- Envoy cluster configuration pointing to wrong port
- Upstream service health check failing
- Network policy blocking Envoy to upstream traffic
- mTLS certificate validation failing

Step-by-Step Fix

1. **Check Envoy cluster configuration**:
   ```bash
   istioctl proxy-config clusters <pod-name> -n <namespace>
   ```
2. **Check endpoint discovery**:
   ```bash
   istioctl proxy-config endpoints <pod-name> -n <namespace>
   ```
3. **Verify upstream service is in the mesh**:
   ```bash
   istioctl analyze -n <namespace>
   ```
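
The first two steps can be cross-checked mechanically. The script below is an added example, not part of the original page or of Istio: it flags outbound EDS clusters that have no endpoint rows or no usable endpoint. It assumes istioctl's default table columns; `triage_upstreams` and `run_sample` are hypothetical names, and the sample rows are constructed.

```shell
# Usage on a live pod: save each table to a file, then
#   triage_upstreams clusters.txt endpoints.txt
# Assumed columns (default istioctl table output):
#   clusters : SERVICE FQDN  PORT  SUBSET  DIRECTION  TYPE  [DESTINATION RULE]
#   endpoints: ENDPOINT  STATUS  OUTLIER CHECK  CLUSTER
triage_upstreams() {
  awk '
    FNR == 1 { next }                          # skip each table header
    FILENAME == ARGV[1] {                      # clusters table
      if ($4 == "outbound" && $5 == "EDS") want[$1 ":" $2 "/" $3] = 1
      next
    }
    {                                          # endpoints table
      n = split($NF, c, "|")                   # outbound|<port>|<subset>|<fqdn>
      if (n != 4 || c[1] != "outbound") next   # ignore inbound/static rows
      key = c[4] ":" c[2] "/" (c[3] == "" ? "-" : c[3])
      total[key]++
      if ($2 == "HEALTHY" && $3 == "OK") usable[key]++
    }
    END {
      for (k in want) {
        if (!(k in total))       print k, "NO_ENDPOINTS"
        else if (!(k in usable)) print k, "NO_HEALTHY_ENDPOINTS"
      }
    }
  ' "$1" "$2" | sort
}

# Constructed sample tables (not captured from a real mesh).
run_sample() {
  d=$(mktemp -d)
  cat > "$d/clusters.txt" <<'EOF'
SERVICE FQDN                       PORT  SUBSET  DIRECTION  TYPE    DESTINATION RULE
reviews.default.svc.cluster.local  9080  -       outbound   EDS
ratings.default.svc.cluster.local  9080  -       outbound   EDS
details.default.svc.cluster.local  9080  -       outbound   EDS
BlackHoleCluster                   -     -       -          STATIC
EOF
  cat > "$d/endpoints.txt" <<'EOF'
ENDPOINT          STATUS     OUTLIER CHECK  CLUSTER
10.244.0.12:9080  HEALTHY    OK             outbound|9080||reviews.default.svc.cluster.local
10.244.0.15:9080  UNHEALTHY  OK             outbound|9080||details.default.svc.cluster.local
10.244.0.16:9080  HEALTHY    FAILED         outbound|9080||details.default.svc.cluster.local
EOF
  triage_upstreams "$d/clusters.txt" "$d/endpoints.txt"
  rm -rf "$d"
}
```

`NO_ENDPOINTS` lines up with the "not registered in service mesh" cause, and `NO_HEALTHY_ENDPOINTS` with failing health checks or outlier ejection.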

Prevention

- Validate service mesh configuration before deployment
- Monitor Envoy proxy error rates
- Use istioctl for proxy configuration debugging
- Implement service dependency documentation
- Test service mesh routing in staging