To configure access to external services from an Alibaba Cloud Service Mesh (ASM) instance, you can configure a policy for accessing external services, create a service entry, or block access from a specific CIDR block. This topic describes how to access external services from an ASM instance. External services are services that are not registered in Istio.

Configure a policy for accessing external services

In the ASM console, you can set the External Access Policy parameter for an ASM instance to configure a policy for accessing external services from the ASM instance.
Note To view registered services in an ASM instance, perform the following steps: Log on to the ASM console. In the left-side navigation pane, click Overview. On the Overview page, select the ASM instance. The services that are registered in Istio appear in the table below.
  • If the External Access Policy parameter is set to ALLOW_ANY, sidecar proxies in the ASM instance allow all outbound traffic to pass without checking where the traffic is to be sent. This allows services in the ASM instance to access all external services. However, traffic to external services is not monitored or controlled.
  • If the External Access Policy parameter is set to REGISTRY_ONLY, sidecar proxies in the ASM instance block outbound traffic to any host for which no HTTP service or service entry is defined in the ASM instance. Only registered destinations can be reached, and traffic to them is monitored and controlled by Istio.
  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the management page of the ASM instance, click Settings in the upper-right corner.
  5. In the Settings Update panel, click Show Advanced Settings. Set External Access Policy to ALLOW_ANY and click OK.
    In a pod into which a sidecar proxy is injected, run the curl -I command to access an external HTTP or HTTPS service. Success responses are returned, as shown in the following examples:
    • Example: Access an external HTTP service. A success response is returned.
      curl -I  http://www.aliyun.com/
      HTTP/1.1 301 Moved Permanently
      server: envoy
      date: Mon, 07 Sep 2020 09:28:54 GMT
      content-type: text/html
      content-length: 239
      location: https://www.aliyun.com/
      eagleeye-traceid: 0be3e0a615994709353116335ea5ea
      timing-allow-origin: *
      x-envoy-upstream-service-time: 67
    • Example: Access an external HTTPS service. A success response is returned.
      curl -I  https://www.aliyun.com/
      HTTP/2 200
      server: Tengine
      date: Mon, 07 Sep 2020 09:16:31 GMT
      content-type: text/html; charset=utf-8
      vary: Accept-Encoding
      vary: Accept-Encoding
      strict-transport-security: max-age=31536000
      x-download-options: noopen
      x-content-type-options: nosniff
      x-xss-protection: 1; mode=block
      x-readtime: 0
      eagleeye-traceid: 0b57ff8715994701916963132ec7ad
      strict-transport-security: max-age=0
      timing-allow-origin: *

Create a service entry

If the External Access Policy parameter of an ASM instance is set to REGISTRY_ONLY and you run the curl -I command in a pod into which a sidecar proxy is injected to access an external HTTP or HTTPS service, the request is rejected by the sidecar proxy of the pod because no service entry is defined for the host, as shown in the following examples:
  • Example: Access an external HTTP service. The request is rejected.
    curl -I  http://www.aliyun.com/
    HTTP/1.1 502 Bad Gateway
    date: Mon, 07 Sep 2020 09:25:58 GMT
    server: envoy
    transfer-encoding: chunked
  • Example: Access an external HTTPS service. The request is rejected.
    curl -I https://www.aliyun.com/
    curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.aliyun.com:443

In this case, you can create a service entry for the external service to allow access to the external service. In this method, traffic to the external service is monitored and controlled by Istio.

  1. Create a service entry for an external service by creating a file that contains the following code. For more information, see Manage service entries.

    Set the hosts parameter based on your needs. In this example, the hosts parameter is set to www.aliyun.com.

    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: aliyun-com-ext
    spec:
      hosts:
      - 'www.aliyun.com'
      ports:
      - number: 80
        name: http
        protocol: HTTP
      - number: 443
        name: https
        protocol: HTTPS
      resolution: DNS
      location: MESH_EXTERNAL
  2. In a pod into which a sidecar proxy is injected, run the curl -I command to access an external HTTP or HTTPS service. Success responses are returned, as shown in the following examples:
    • Example: Access an external HTTP service. A success response is returned.
      curl -I  http://www.aliyun.com/
      HTTP/1.1 301 Moved Permanently
      server: envoy
      date: Mon, 07 Sep 2020 09:49:17 GMT
      content-type: text/html
      content-length: 239
      location: https://www.aliyun.com/
      eagleeye-traceid: 0be3e0a915994721583014504e7b31
      timing-allow-origin: *
      x-envoy-upstream-service-time: 66
    • Example: Access an external HTTPS service. A success response is returned.
      curl -I https://www.aliyun.com/
      HTTP/2 200
      server: Tengine
      date: Mon, 07 Sep 2020 09:49:31 GMT
      content-type: text/html; charset=utf-8
      vary: Accept-Encoding
      vary: Accept-Encoding
      strict-transport-security: max-age=31536000
      x-download-options: noopen
      x-content-type-options: nosniff
      x-xss-protection: 1; mode=block
      x-readtime: 1
      eagleeye-traceid: 0be3e0b115994721709577294ed9e8
      strict-transport-security: max-age=0
      timing-allow-origin: *
  3. Create a virtual service for the external service by creating a file that contains the following code. For more information, see Manage virtual services.
    Create a virtual service for the external service so that you can configure a routing rule for the external service. In the following code, the fault section sets percent to 100 and fixedDelay to 5s, so every request for the www.aliyun.com external service receives a response with a fixed 5-second latency. This delay is only a way to confirm that traffic to the external service now passes through Istio; remove it once the route is verified.
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: aliyun-com-ext
    spec:
      hosts:
        - 'www.aliyun.com'
      http:
      - fault:
          delay:
            percent: 100
            fixedDelay: 5s
        route:
          - destination:
              host: www.aliyun.com
            weight: 100
  4. Check whether the routing rule takes effect.

    In the output of the time command, the real value is 5.07s. The 5-second delay injected by the virtual service was applied, which means that the routing rule takes effect and traffic to www.aliyun.com passes through Istio.

    time curl -o /dev/null -s -w "%{http_code}\n" http://www.aliyun.com/
    301
    real  0m 5.07s
    user  0m 0.00s
    sys 0m 0.00s
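The following Python script is an added example (not ASM or Istio code) that ties the External Access Policy section and the service entry procedure together: it replays the REGISTRY_ONLY decision for a host:port against the ServiceEntry above and lints the ServiceEntry/VirtualService pair before it is applied, flagging the 100% fault delay that step 4 relies on as a test-only setting. The two manifests are mirrored as Python dicts so the script runs offline.

```python
"""Added example, not ASM or Istio code: replay the sidecar's REGISTRY_ONLY
decision and lint the ServiceEntry/VirtualService pair shown above."""

# Constructed copies of the page's manifests (only the fields used here).
SERVICE_ENTRY = {
    "kind": "ServiceEntry", "metadata": {"name": "aliyun-com-ext"},
    "spec": {"hosts": ["www.aliyun.com"],
             "ports": [{"number": 80, "name": "http", "protocol": "HTTP"},
                       {"number": 443, "name": "https", "protocol": "HTTPS"}],
             "resolution": "DNS", "location": "MESH_EXTERNAL"}}
VIRTUAL_SERVICE = {
    "kind": "VirtualService", "metadata": {"name": "aliyun-com-ext"},
    "spec": {"hosts": ["www.aliyun.com"],
             "http": [{"fault": {"delay": {"percent": 100, "fixedDelay": "5s"}},
                       "route": [{"destination": {"host": "www.aliyun.com"},
                                  "weight": 100}]}]}}

def registered_endpoints(entries):
    """(host, port) pairs the mesh registry learns from ServiceEntry objects."""
    known = set()
    for entry in entries:
        for host in entry["spec"]["hosts"]:
            for port in entry["spec"]["ports"]:
                known.add((host, int(port["number"])))
    return known

def outbound_allowed(policy, host, port, entries=()):
    """ALLOW_ANY forwards every outbound request unchecked. REGISTRY_ONLY forwards
    only host:port pairs the registry knows (here: ServiceEntry objects only;
    in-mesh Kubernetes services would also count in a real cluster)."""
    if policy == "ALLOW_ANY":
        return True
    if policy == "REGISTRY_ONLY":
        return (host, port) in registered_endpoints(entries)
    raise ValueError(f"unknown External Access Policy: {policy}")

def lint_pair(service_entry, virtual_service):
    """Findings a reviewer would raise on the pair before applying it."""
    findings, se, vs = [], service_entry["spec"], virtual_service["spec"]
    if se.get("location") != "MESH_EXTERNAL":
        findings.append("ServiceEntry.location is not MESH_EXTERNAL")
    for rule in vs.get("http", []):
        for hop in rule.get("route", []):  # every destination needs a registered host
            if hop["destination"]["host"] not in se["hosts"]:
                findings.append(f"no ServiceEntry for {hop['destination']['host']}")
        delay = rule.get("fault", {}).get("delay", {})
        if delay.get("percent", 0) >= 100:  # test-only setting, do not ship it
            findings.append(f"fault delay {delay.get('fixedDelay')} hits 100% of requests")
    return findings
```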

Block access from a specific CIDR block

You can configure the sidecar proxies in an ASM instance to block access only for a specific CIDR block. Access traffic for all other CIDR blocks then bypasses the sidecar proxy and is routed directly to the destination services, without being blocked by the sidecar proxy.

For an ASM instance, you can specify a CIDR block for which access to services is blocked by the sidecar proxy. Generally, you specify the service CIDR block of the Kubernetes clusters on the data plane of the ASM instance. This way, access to destination services in the Kubernetes clusters is blocked by the sidecar proxy, whereas access to destination services outside the Kubernetes clusters bypasses the sidecar proxy.

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the management page of the ASM instance, click Settings in the upper-right corner.
  5. In the Settings Update panel, click Show Advanced Settings. Enter a CIDR block in the Blocked Addresses for External Access field and click OK.
    Note The default value in the Blocked Addresses for External Access field is *. This means that access to external services from all IP addresses is blocked. You can enter a CIDR block based on your needs. Generally, you can enter the service CIDR block of the Kubernetes clusters on the data plane of the ASM instance.
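The following added Python example (not ASM code) shows the decision the setting above produces for a given destination address: with the default * every destination is handled by the sidecar proxy, and with the cluster service CIDR configured only in-cluster destinations are, while public addresses bypass the proxy. It assumes the field holds * or a comma-separated list of CIDR blocks, the same format as Istio's traffic.sidecar.istio.io/includeOutboundIPRanges annotation; the service CIDR and destination addresses are constructed sample values.

```python
"""Added example, not ASM code: decide whether a sidecar proxy intercepts an
outbound destination under the Blocked Addresses for External Access setting.
Assumption: the field holds '*' or a comma-separated list of CIDR blocks, like
Istio's traffic.sidecar.istio.io/includeOutboundIPRanges annotation."""
import ipaddress

def sidecar_intercepts(blocked, dest_ip):
    """'*' (the console default) puts every destination behind the sidecar;
    otherwise only destinations inside one of the listed CIDR blocks are."""
    if blocked.strip() == "*":
        return True
    dest = ipaddress.ip_address(dest_ip)
    return any(dest in ipaddress.ip_network(cidr.strip(), strict=False)
               for cidr in blocked.split(",") if cidr.strip())

def classify(blocked, dest_ips):
    """Map each destination to 'sidecar' (intercepted) or 'bypass' (direct)."""
    return {ip: ("sidecar" if sidecar_intercepts(blocked, ip) else "bypass")
            for ip in dest_ips}

# Constructed sample: a cluster service CIDR, one in-cluster ClusterIP and one
# public address; with the service CIDR configured, only the former is intercepted.
SERVICE_CIDR = "172.21.0.0/20"
SAMPLE_DESTINATIONS = ["172.21.3.14", "203.0.113.7"]
```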