Exploring Traefik 2.0: New TCP Routing, Middleware, Canary Deployments & Traffic Mirroring

Traefik 2.0 Core Features

Traefik 2.0 adds native TCP support with SNI‑based routing, allowing raw TCP traffic to be directed to specific services. HTTP and TCP can also share the same entrypoint.

TCP and SNI Routing

Example routing any request on the database-entrypoint TCP entrypoint to a database-service:

tcp:
  routers:
    to-database:
      entrypoints:
        - database-entrypoint
      rule: HostSNI(`*`)
      service: database-service
  services:
    database-service:
      loadBalancer:
        servers:
          - address: xx.xx.xx.xx:xx

With TLS enabled, SNI can be used to route to different back‑ends:

tcp:
  routers:
    to-db-1:
      entrypoints:
        - web-secure
      rule: "HostSNI(`db1.domain`)"
      service: db1
      tls: {}
    to-db-2:
      entrypoints:
        - web-secure
      rule: "HostSNI(`db2.domain`)"
      service: db2
      tls: {}

Middleware System

Traefik 2.0 introduces a flexible middleware layer that can be attached to any router. A common use‑case is BasicAuth:

# Define a BasicAuth middleware for two users
[http.middlewares.test-auth.basicAuth]
  users = ["user1:hashed", "user2:hashed"]

# Apply the middleware to a router
[http.routers.my-router-to-service]
  rule = "host(`my-protected.domain`)"
  middlewares = ["test-auth"]
  service = "service1"

Middlewares can be chained and, for Kubernetes users, declared via the IngressRoute CRD:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`mydomain`)
      kind: Rule
      services:
        - name: whoami
          port: 80
      middlewares:
        - name: secured
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: secured
spec:
  chain:
    middlewares:
      - name: https-only
      - name: known-ips
      - name: auth-users

Built‑in middlewares cover path rewriting, authentication, buffering, circuit breaking, retries, compression, error handling, headers, IP whitelisting, rate limiting, and redirects.

New Dashboard

The redesigned Web UI shows cluster information and the full configuration of services, making it easier to see which features are enabled.

Canary Releases (Weighted Load‑Balancing)

Traefik 2.0 supports progressive rollouts by defining a weighted service that distributes traffic between versions:

http:
  routers:
    my-route:
      rule: "Host(`my.domain`)"
      service: cannary-api
  services:
    cannary-api:
      weighted:
        services:
          - name: my-api-v1
            weight: 3
          - name: my-api-v2
            weight: 1

Adjusting the weights changes the traffic split without redeploying the underlying services.

Traffic Mirroring

Traefik can mirror a percentage of incoming requests to a secondary service for testing or debugging, discarding the mirrored response:

[http.services.mirrored-api]
  [http.services.mirrored-api.mirroring]
    service = "api"
    [[http.services.mirrored-api.mirroring.mirrors]]
      name = "api-v2"
      percent = 10

This configuration copies 10 % of traffic to api‑v2 while the primary service handles the original response.

Migration Assistance

A migration guide and a conversion tool are provided to help users upgrade from Traefik 1.x and translate legacy Ingress objects into the new IngressRoute format. The tool is available at https://github.com/containous/traefik-migration-tool.

References

Official documentation: https://docs.traefik.io/v2.0

GitHub repository: https://github.com/containous/traefik

Release notes blog post: https://blog.containo.us/traefik-2-0-6531ec5196c2