Manage egress traffic to external services


Service Mesh provides three methods to access external services: configuring an outbound traffic policy, creating a service entry, and configuring CIDR blocks for traffic interception. This topic describes how to manage access to external services from a Service Mesh instance.

Set the outbound traffic policy

In Service Mesh, you can set the Outbound Traffic Policy to control access to external services, which are services not defined in Istio's internal service registry.

Note

Log on to the ASM console, click the name of the target ASM instance, and in the left-side navigation pane, choose Instance Information > Network Status to view the services in the Istio service registry.

  • If this policy is set to ALLOW_ANY, the sidecar proxy allows passthrough requests to any unknown service. This gives applications direct access to external services, but that traffic is not subject to mesh-level traffic monitoring and control.

    Important

    We strongly recommend avoiding this method for accessing external services like databases to prevent access conflicts.

    Define a service entry for each external service to explicitly control traffic and prevent potential issues.

  • If this policy is set to REGISTRY_ONLY, the sidecar proxy blocks traffic to any host not defined as a service or service entry in the mesh.

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  4. On the details page of the ASM instance, choose Data Plane Component Management > Sidecar Proxy Setting in the left-side navigation pane.

  5. On the Configure the agent parameters of the injected Sidecar page, on the global tab, click Outbound Traffic Policy, set Outbound Traffic Policy to ALLOW_ANY, and click Update Settings.

    In an application container where a sidecar proxy is injected, run a curl command to access an external HTTP or HTTPS service. The command returns a successful response.

    • Access an external HTTP service.

      curl -I  http://www.aliyun.com/

      Expected output:

      HTTP/1.1 301 Moved Permanently
      server: envoy
      date: Mon, 07 Sep 2020 09:28:54 GMT
      content-type: text/html
      content-length: 239
      location: https://www.aliyun.com/
      eagleeye-traceid: 0be3e0a615994709353116335ea5ea
      timing-allow-origin: *
      x-envoy-upstream-service-time: 67
    • Access an external HTTPS service.

      curl -I  https://www.aliyun.com/

      Expected output:

      HTTP/2 200
      server: Tengine
      date: Mon, 07 Sep 2020 09:16:31 GMT
      content-type: text/html; charset=utf-8
      vary: Accept-Encoding
      vary: Accept-Encoding
      strict-transport-security: max-age=31536000
      x-download-options: noopen
      x-content-type-options: nosniff
      x-xss-protection: 1; mode=block
      x-readtime: 0
      eagleeye-traceid: 0b57ff8715994701916963132ec7ad
      strict-transport-security: max-age=0
      timing-allow-origin: *

Configure a service entry

If you set the Outbound Traffic Policy to REGISTRY_ONLY, running a curl command from an application container with an injected sidecar proxy to access an external HTTP or HTTPS service will fail.

  • Access an external HTTP service.

    curl -I  http://www.aliyun.com/

    Expected output:

    HTTP/1.1 502 Bad Gateway
    date: Mon, 07 Sep 2020 09:25:58 GMT
    server: envoy
    transfer-encoding: chunked
  • Access an external HTTPS service.

    curl -I https://www.aliyun.com/

    Expected output:

    curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.aliyun.com:443

Use a service entry to enable controlled access to external public services. This approach allows you to access external services while retaining Istio's traffic monitoring and control capabilities.

  1. Create a service entry.

    1. Log on to the ASM console.

    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

    4. On the details page of the ASM instance, choose Cluster & Workload Management > External Service(ServiceEntry) in the left-side navigation pane. On the page that appears, click Create from YAML.

    5. Select a namespace, paste the following content into the text box, and then click Create.

      Set the hosts field based on your requirements. In this example, hosts is set to www.aliyun.com.

      apiVersion: networking.istio.io/v1alpha3
      kind: ServiceEntry
      metadata:
        name: aliyun-com-ext
      spec:
        hosts:
        - 'www.aliyun.com'
        ports:
        - number: 80
          name: http
          protocol: HTTP
        - number: 443
          name: https
          protocol: HTTPS
        resolution: DNS
        location: MESH_EXTERNAL
  2. Access the external HTTP or HTTPS service again. The command now returns a successful response.

    • Access an external HTTP service.

      curl -I  http://www.aliyun.com/

      Expected output:

      HTTP/1.1 301 Moved Permanently
      server: envoy
      date: Mon, 07 Sep 2020 09:49:17 GMT
      content-type: text/html
      content-length: 239
      location: https://www.aliyun.com/
      eagleeye-traceid: 0be3e0a915994721583014504e7b31
      timing-allow-origin: *
      x-envoy-upstream-service-time: 66
    • Access an external HTTPS service.

      curl -I https://www.aliyun.com/

      Expected output:

      HTTP/2 200
      server: Tengine
      date: Mon, 07 Sep 2020 09:49:31 GMT
      content-type: text/html; charset=utf-8
      vary: Accept-Encoding
      vary: Accept-Encoding
      strict-transport-security: max-age=31536000
      x-download-options: noopen
      x-content-type-options: nosniff
      x-xss-protection: 1; mode=block
      x-readtime: 1
      eagleeye-traceid: 0be3e0b115994721709577294ed9e8
      strict-transport-security: max-age=0
      timing-allow-origin: *
  3. Create a virtual service.

    1. Log on to the ASM console.

    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

    4. On the details page of the ASM instance, choose Traffic Management Center > VirtualService in the left-side navigation pane. On the page that appears, click Create from YAML.

    5. Select a namespace, paste the following content into the text box, and then click Create.

      Create a routing rule for the external service defined by the service entry. This example injects a fixed 5-second delay (fixedDelay: 5s) into 100% of calls to the www.aliyun.com service.

      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: aliyun-com-ext
      spec:
        hosts:
          - 'www.aliyun.com'
        http:
        - fault:
            delay:
              percent: 100
              fixedDelay: 5s
          route:
            - destination:
                host: www.aliyun.com
              weight: 100
  4. Verify that the routing rule is active.

    Run the following command and check the real time in the output:

    time curl -o /dev/null -s -w "%{http_code}\n" http://www.aliyun.com/

    Expected output:

    301
    real  0m 5.07s
    user  0m 0.00s
    sys 0m 0.00s

    The real time in the output is 5.07s, which indicates that the injected delay is applied and the routing rule is active.
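The following script is an added example and is not part of this page or of ASM/Istio. It models how the sidecar decides the fate of an outbound request under ALLOW_ANY and REGISTRY_ONLY, using the ServiceEntry and VirtualService from this page written out as Python dicts (a hand-written stand-in for the parsed YAML, so no PyYAML is needed). The decision logic is a simplified model of the behaviour described above, not Envoy's real configuration, and the registry it builds contains only ServiceEntry hosts (a real mesh registry also holds the cluster's Kubernetes services). The host names example.invalid and the port 8080 are constructed inputs. It also includes a check the page does not show: a VirtualService whose host no ServiceEntry declares never matches, so its fault or routing rule silently does nothing.

```python
"""Model of outbound traffic policy plus ServiceEntry/VirtualService checks.

Added example, not ASM or Istio code.  The dicts below mirror this page's YAML;
the decision logic is a simplified model of the documented sidecar behaviour.
"""
from __future__ import annotations

# Constructed mirror of the ServiceEntry on this page.
SERVICE_ENTRY = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "ServiceEntry",
    "metadata": {"name": "aliyun-com-ext"},
    "spec": {
        "hosts": ["www.aliyun.com"],
        "ports": [
            {"number": 80, "name": "http", "protocol": "HTTP"},
            {"number": 443, "name": "https", "protocol": "HTTPS"},
        ],
        "resolution": "DNS",
        "location": "MESH_EXTERNAL",
    },
}

# Constructed mirror of the VirtualService on this page.
VIRTUAL_SERVICE = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "VirtualService",
    "metadata": {"name": "aliyun-com-ext"},
    "spec": {
        "hosts": ["www.aliyun.com"],
        "http": [{
            "fault": {"delay": {"percent": 100, "fixedDelay": "5s"}},
            "route": [{"destination": {"host": "www.aliyun.com"}, "weight": 100}],
        }],
    },
}


def build_registry(*service_entries: dict) -> dict[str, set[int]]:
    """Map each host declared by a ServiceEntry to the set of ports it declares.
    Only ServiceEntry hosts are modelled here; Kubernetes services are omitted."""
    registry: dict[str, set[int]] = {}
    for se in service_entries:
        ports = {p["number"] for p in se["spec"]["ports"]}
        for host in se["spec"]["hosts"]:
            registry.setdefault(host, set()).update(ports)
    return registry


def host_matches(pattern: str, host: str) -> bool:
    """ServiceEntry hosts are exact names or carry a leading '*.' wildcard."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # '*.example.com' matches 'a.example.com', not 'example.com'
    return pattern == host


def resolve_egress(policy: str, registry: dict[str, set[int]], host: str, port: int) -> str:
    """'registry' if a ServiceEntry covers host:port (mesh-monitored in both modes),
    'passthrough' if ALLOW_ANY forwards an unknown destination unmonitored,
    'blocked' if REGISTRY_ONLY rejects it (curl sees 502 for HTTP, a TLS failure for HTTPS)."""
    for pattern, ports in registry.items():
        if host_matches(pattern, host) and port in ports:
            return "registry"
    if policy == "ALLOW_ANY":
        return "passthrough"
    if policy == "REGISTRY_ONLY":
        return "blocked"
    raise ValueError(f"unknown outbound traffic policy: {policy}")


def unmatched_virtualservice_hosts(vs: dict, registry: dict[str, set[int]]) -> list[str]:
    """Hosts a VirtualService targets that no ServiceEntry declares.  A rule for
    such a host never fires, so its delay or route silently has no effect."""
    return [h for h in vs["spec"]["hosts"]
            if not any(host_matches(p, h) for p in registry)]


if __name__ == "__main__":
    reg = build_registry(SERVICE_ENTRY)
    for policy in ("ALLOW_ANY", "REGISTRY_ONLY"):
        for host, port in (("www.aliyun.com", 443), ("www.aliyun.com", 8080), ("example.invalid", 80)):
            print(f"{policy:13} {host}:{port:<5} -> {resolve_egress(policy, reg, host, port)}")
    print("VirtualService hosts without a ServiceEntry:",
          unmatched_virtualservice_hosts(VIRTUAL_SERVICE, reg))
```

Note that www.aliyun.com:8080 is blocked under REGISTRY_ONLY even though the host is known: the ServiceEntry declares only ports 80 and 443, so every port an application needs must be listed explicitly.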

Set IP ranges for traffic interception

You can specify IP ranges for traffic interception by the sidecar proxy. Traffic to IP addresses outside these ranges bypasses the sidecar proxy and goes directly to its destination.

In Service Mesh, you can configure the Addresses to Which External Access Is Redirected to Sidecar Proxy. Typically, you set this to your Kubernetes cluster's service CIDR. This means that traffic to services within the cluster is intercepted by the Service Mesh, while traffic to destinations outside the cluster bypasses the Service Mesh.

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  4. On the details page of the ASM instance, choose Data Plane Component Management > Sidecar Proxy Setting in the left-side navigation pane.

  5. On the global tab of the Configure the agent parameters of the injected Sidecar page, click Enable/Disable Sidecar Proxy by Ports or IP Addresses. In the Addresses to Which External Access Is Redirected to Sidecar Proxy text box, enter the CIDR blocks to intercept, and then click Update Settings.

    Alternatively, you can enter CIDR blocks in the Addresses to Which External Access Is Not Redirected to Sidecar Proxy text box. In this case, the sidecar proxy intercepts traffic to all other CIDR blocks.

    Note

    By default, the Addresses to Which External Access Is Redirected to Sidecar Proxy field is set to *, which means the sidecar proxy intercepts all outbound traffic. You can set this to specific IP ranges based on your needs. A common practice is to set it to your Kubernetes cluster's service CIDR.
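The following script is an added example and is not ASM or Istio code. It models the two console fields above as CIDR lists and decides, for each destination address, whether the sidecar proxy intercepts the traffic or lets it bypass the mesh. The rule order (an address in the "Not Redirected" list always bypasses the proxy; otherwise "*" or a matching "Redirected" CIDR means intercepted; an empty "Redirected" field intercepts nothing) is my reading of the behaviour this page describes. The service CIDR 172.21.0.0/20 and every destination address are constructed sample values (203.0.113.0/24 and 2001:db8::/32 are documentation ranges). The point a practitioner wants to confirm is which known dependencies would leave the pod without passing the sidecar, since that traffic gets none of the ServiceEntry or VirtualService control described earlier.

```python
"""Decide which outbound destinations the sidecar's redirection captures.

Added example, not ASM or Istio code.  'include' stands for the console field
"Addresses to Which External Access Is Redirected to Sidecar Proxy" and
'exclude' for "... Is Not Redirected ..."; both take comma-separated CIDRs.
"""
from ipaddress import ip_address, ip_network


def parse_cidrs(field: str):
    """Parse a console field.  Returns None for the wildcard '*' (matches every
    address) or a list of networks; an empty field yields [] (matches nothing)."""
    field = field.strip()
    if field == "*":
        return None
    return [ip_network(c.strip(), strict=False) for c in field.split(",") if c.strip()]


def in_ranges(addr: str, ranges) -> bool:
    """True if addr falls in any network of ranges (None means the wildcard)."""
    if ranges is None:
        return True
    ip = ip_address(addr)
    return any(ip.version == net.version and ip in net for net in ranges)


def intercepted(dest: str, include: str = "*", exclude: str = "") -> bool:
    """True if traffic to dest is redirected into the sidecar proxy.
    The exclude list wins first; then the include list (default '*') decides."""
    if in_ranges(dest, parse_cidrs(exclude)):
        return False
    return in_ranges(dest, parse_cidrs(include))


def bypassing(destinations, include: str = "*", exclude: str = "") -> list:
    """Destinations that leave the pod without passing the sidecar, i.e. traffic
    the mesh neither observes nor governs with ServiceEntry/VirtualService rules."""
    return [d for d in destinations if not intercepted(d, include, exclude)]


if __name__ == "__main__":
    service_cidr = "172.21.0.0/20"          # constructed cluster service CIDR
    known_destinations = [
        "172.21.0.10",    # constructed ClusterIP of an in-cluster service
        "10.0.1.5",       # constructed address of an on-premises database
        "203.0.113.8",    # constructed public endpoint (documentation range)
        "2001:db8::1",    # constructed IPv6 endpoint (documentation range)
    ]
    print("default ('*'): bypassing =", bypassing(known_destinations))
    print(f"include={service_cidr}: bypassing =", bypassing(known_destinations, service_cidr))
    print(f"exclude={service_cidr}: bypassing =", bypassing(known_destinations, "*", service_cidr))
```

With the include field set to the service CIDR, as the note above suggests, every external dependency in the list bypasses the proxy; if any of them should stay under mesh control (for example a database you want to govern through a ServiceEntry), keep the default "*" and narrow the exclude list instead.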