External Services

An Istio service mesh has a few different ways of reaching services that are external to the mesh. External services are all services that are not defined in Istio’s internal service registry, that is, services outside of the mesh. By default, Istio permits requests to unknown or external services. A permissive configuration is fine for testing purposes, but in a production environment a stricter configuration might be necessary.

Control access to external services

Note: Service Mesh Manager is using Istio’s - and therefore Envoy’s - egress control feature under the hood.

Change the default policy

You can change the default policy for outbound traffic by running the smm istio outbound-traffic-policy <setting> command.

  • To restrict outbound traffic to known endpoints, run the following command.

    smm istio outbound-traffic-policy restricted
    

    Expected output:

    mesh wide outbound traffic policy is set to 'REGISTRY_ONLY'
    

    To permit access to an external service, see Allow access only to registered services.

  • To permit all outbound traffic without restrictions, run the following command. (This is the default setting.)

    smm istio outbound-traffic-policy allowed
    

    Expected output:

    mesh wide outbound traffic policy is set to 'ALLOW_ANY'
    

    Note: Running smm istio outbound-traffic-policy without an argument returns the current setting of the traffic policy. If you haven’t changed the outbound traffic policy yet, it returns “mesh wide outbound traffic policy is not found”, meaning that the default Istio setting, ALLOW_ANY, is in effect (outbound traffic is permitted without any restrictions).

Allow access only to registered services

To allow access only to registered external services, complete the following steps.

Note: Accessing external HTTPS services comes with a few constraints.

  • All HTTP-level information (method, URL path, response code) is encrypted, so Istio cannot see or monitor it for HTTPS traffic.
  • Service Mesh Manager’s dashboard shows HTTPS as TCP because detailed HTTP-level information is not available.

  1. Change the default outbound traffic policy to block unknown services.

    smm istio outbound-traffic-policy restricted
    
  2. Create ServiceEntry resources for the services you want to permit access to.

    ServiceEntry resources add additional entries into Istio’s internal service registry, so that auto-discovered services in the mesh can access/route to these manually specified services. A service entry describes the properties of a service (DNS name, VIPs, ports, protocols, endpoints). These services could be external to the mesh (for example, web APIs) or mesh-internal services that are not part of the platform’s service registry. For more information, see the documentation of the ServiceEntry resource.

    For example, the following command creates a ServiceEntry resource that allows HTTP access to the httpbin.org site from the smm-demo namespace.

    kubectl apply -f - <<EOF
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: httpbin.org
      namespace: smm-demo
    spec:
      hosts:
      - httpbin.org
      - www.httpbin.org
      ports:
      - number: 80
        name: http
        protocol: HTTP
      resolution: DNS
      location: MESH_EXTERNAL
    EOF
    
  3. (Optional) Test that your pods can access the external service. For example, if you have installed the SMM demo application, you can change the notifications-v1 deployment by running:

    kubectl -n smm-demo set env deployment/notifications-v1 'REQUESTS=http://httpbin.org/get#1'
    

    Expected output:

    deployment.extensions/notifications-v1 env updated
    

    Once the notifications pods have restarted, the Service Mesh Manager Dashboard displays outgoing calls to httpbin.org.
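Before switching the policy to restricted, it helps to know which destinations your pods currently reach that no ServiceEntry covers. The following Python script is an added example (not part of Service Mesh Manager or Istio) that approximates the REGISTRY_ONLY decision from ServiceEntry hosts, ports and exportTo; the ServiceEntry list mirrors `kubectl get serviceentries -A -o json` output and the observed destinations are constructed inline, as is the hypothetical wildcard-api entry.

```python
# Constructed sample: the ServiceEntry from this page, plus a hypothetical
# wildcard TLS entry that is exported only to its own namespace.
SERVICE_ENTRIES = [
    {"metadata": {"name": "httpbin.org", "namespace": "smm-demo"},
     "spec": {"hosts": ["httpbin.org", "www.httpbin.org"],
              "ports": [{"number": 80, "name": "http", "protocol": "HTTP"}],
              "resolution": "DNS", "location": "MESH_EXTERNAL"}},
    {"metadata": {"name": "wildcard-api", "namespace": "payments"},
     "spec": {"hosts": ["*.example.com"],
              "ports": [{"number": 443, "name": "https", "protocol": "TLS"}],
              "resolution": "NONE", "location": "MESH_EXTERNAL", "exportTo": ["."]}},
]

# Constructed sample of destinations seen in sidecar access logs:
# (source namespace, destination host, destination port).
OBSERVED = [
    ("smm-demo", "httpbin.org", 80),       # declared by the page's ServiceEntry
    ("smm-demo", "httpbin.org", 443),      # host known, but port 443 is not declared
    ("payments", "api.example.com", 443),  # wildcard host, entry exported to payments
    ("smm-demo", "api.example.com", 443),  # same host, but entry is not exported here
    ("smm-demo", "example.org", 80),       # no ServiceEntry at all
]

def entry_visible(entry, namespace):
    """exportTo: absent or "*" means every namespace, "." means the entry's own."""
    own_ns = entry["metadata"]["namespace"]
    return any(e == "*" or e == namespace or (e == "." and own_ns == namespace)
               for e in entry["spec"].get("exportTo", ["*"]))

def host_matches(pattern, host):
    """ServiceEntry hosts are exact DNS names or a leading '*.' wildcard."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def registered(entries, namespace, host, port):
    """True if a ServiceEntry visible from namespace declares both host and port."""
    return any(entry_visible(e, namespace)
               and any(host_matches(h, host) for h in e["spec"]["hosts"])
               and any(p["number"] == port for p in e["spec"]["ports"])
               for e in entries)

def audit(entries, observed, policy):
    """Return observed destinations that the given outbound policy would block."""
    if policy == "ALLOW_ANY":  # the Istio default: nothing is blocked
        return []
    return [d for d in observed if not registered(entries, *d)]  # REGISTRY_ONLY

if __name__ == "__main__":
    for dest in audit(SERVICE_ENTRIES, OBSERVED, "REGISTRY_ONLY"):
        print("would be blocked under REGISTRY_ONLY:", dest)
```

Every destination the script lists needs either a ServiceEntry (with the right port and exportTo) before you run smm istio outbound-traffic-policy restricted, or a deliberate decision that blocking it is intended.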

Note: To route outgoing traffic through an egress gateway, see Create egress gateway.

Remove access to an external service

To remove access to an external service, delete the ServiceEntry resource of the service, for example:

kubectl delete serviceentry -n smm-demo httpbin.org

Expected output:

serviceentry.networking.istio.io "httpbin.org" deleted