How does Istio "intercept" traffic for other containers?


The docs state that Envoy proxies "...mediate and control all network communication between microservices": https://istio.io/latest/docs/ops/deployment/architecture/

How does that work? When I want my program to make a connection to an arbitrary hostname, say, "google.com" or "something.default.svc.cluster.local", I'll make two OS calls: gethostbyname and connect. How would Envoy, running in another container, "intercept" this? How will it know when I'm accessing "google.com" or a k8s service?

If there is an online doc that explains it, I'd appreciate a link.


Solution

  • Istio has an Init Container which redirects traffic from/to the application container to the sidecar using iptables. This article from Istio documentation explains it.

    There is also an alternative using CNI instead of the Init container.