To configure the access to external services from an Alibaba Cloud Service Mesh (ASM) instance, you can configure a policy for accessing external services, create a service entry, or block access from a specific Classless Inter-Domain Routing (CIDR) block. This topic describes how to access external services from an ASM instance. External services are services that are not registered in Istio.

Configure a policy for accessing external services

In the ASM console, you can set the External Access Policy parameter for an ASM instance to configure a policy for accessing external services from the ASM instance.
Note To view registered services in an ASM instance, perform the following steps: Log on to the ASM console. In the left-side navigation pane, click Overview. On the Overview page, select the ASM instance. The services that are registered in Istio appear in the table below.
  • If the External Access Policy parameter is set to ALLOW_ANY, Envoy proxies in the ASM instance allow all outbound traffic to pass without checking where the traffic is to be sent. This allows services in the ASM instance to access all external services. However, traffic to external services is not monitored or controlled.
  • If the External Access Policy parameter is set to REGISTRY_ONLY, Envoy proxies in the ASM instance block requests to hosts for which no HTTP service or service entry is defined in the ASM instance. Only traffic to registered external services is forwarded, and that traffic is monitored and controlled by Istio.
  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the management page of the ASM instance, click Settings in the upper-right corner.
  5. In the Settings Update panel, click Show Advanced Settings. Set External Access Policy to ALLOW_ANY and click OK.
    In a pod into which an Envoy proxy is injected, run the curl -I command to send an HTTP or HTTPS request for an external service. Successful responses are returned, as shown in the following examples:
    • Example: Send an HTTP request for an external service. A successful response is returned.
      curl -I http://www.aliyun.com/
      HTTP/1.1 301 Moved Permanently
      server: envoy
      date: Mon, 07 Sep 2020 09:28:54 GMT
      content-type: text/html
      content-length: 239
      location: https://www.aliyun.com/
      eagleeye-traceid: 0be3e0a615994709353116335ea5ea
      timing-allow-origin: *
      x-envoy-upstream-service-time: 67
    • Example: Send an HTTPS request for an external service. A successful response is returned.
      curl -I https://www.aliyun.com/
      HTTP/2 200
      server: Tengine
      date: Mon, 07 Sep 2020 09:16:31 GMT
      content-type: text/html; charset=utf-8
      vary: Accept-Encoding
      vary: Accept-Encoding
      strict-transport-security: max-age=31536000
      x-download-options: noopen
      x-content-type-options: nosniff
      x-xss-protection: 1; mode=block
      x-readtime: 0
      eagleeye-traceid: 0b57ff8715994701916963132ec7ad
      strict-transport-security: max-age=0
      timing-allow-origin: *

Create a service entry

Assume that the External Access Policy parameter of an ASM instance is set to REGISTRY_ONLY. In a pod into which an Envoy proxy is injected, run the curl -I command to send an HTTP or HTTPS request for an external service. The request is rejected by the Envoy proxy of the pod, as shown in the following examples:
  • Example: Send an HTTP request for an external service. The request is rejected.
    curl -I http://www.aliyun.com/
    HTTP/1.1 502 Bad Gateway
    date: Mon, 07 Sep 2020 09:25:58 GMT
    server: envoy
    transfer-encoding: chunked
  • Example: Send an HTTPS request for an external service. The request is rejected.
    curl -I https://www.aliyun.com/
    curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.aliyun.com:443

In this case, you can create a service entry for the external service to allow access to it. With this method, traffic to the external service is monitored and controlled by Istio, which is not the case when the External Access Policy parameter is set to ALLOW_ANY.

  1. Create a service entry for an external service by using the following code. For more information, see Manage service entries.

    Set the hosts parameter based on your actual needs. In this example, the hosts parameter is set to www.aliyun.com.

    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: aliyun-com-ext
    spec:
      hosts:
      - 'www.aliyun.com'
      ports:
      - number: 80
        name: http
        protocol: HTTP
      - number: 443
        name: https
        protocol: HTTPS
      resolution: DNS
      location: MESH_EXTERNAL
  2. In a pod into which an Envoy proxy is injected, run the curl -I command to send an HTTP or HTTPS request for the external service. Successful responses are returned, as shown in the following examples:
    • Example: Send an HTTP request for the external service. A successful response is returned.
      curl -I http://www.aliyun.com/
      HTTP/1.1 301 Moved Permanently
      server: envoy
      date: Mon, 07 Sep 2020 09:49:17 GMT
      content-type: text/html
      content-length: 239
      location: https://www.aliyun.com/
      eagleeye-traceid: 0be3e0a915994721583014504e7b31
      timing-allow-origin: *
      x-envoy-upstream-service-time: 66
    • Example: Send an HTTPS request for the external service. A successful response is returned.
      curl -I https://www.aliyun.com/
      HTTP/2 200
      server: Tengine
      date: Mon, 07 Sep 2020 09:49:31 GMT
      content-type: text/html; charset=utf-8
      vary: Accept-Encoding
      vary: Accept-Encoding
      strict-transport-security: max-age=31536000
      x-download-options: noopen
      x-content-type-options: nosniff
      x-xss-protection: 1; mode=block
      x-readtime: 1
      eagleeye-traceid: 0be3e0b115994721709577294ed9e8
      strict-transport-security: max-age=0
      timing-allow-origin: *
  3. Create a virtual service for the external service by using the following code. For more information, see Manage virtual services.
    Create a virtual service for the external service so that you can configure a routing rule for it. In the following code, the fixedDelay parameter is set to 5s and percent to 100. That is, every request to the external service www.aliyun.com is delayed by a fixed five seconds before it is forwarded.
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: aliyun-com-ext
    spec:
      hosts:
        - 'www.aliyun.com'
      http:
      - fault:
          delay:
            percent: 100
            fixedDelay: 5s
        route:
          - destination:
              host: www.aliyun.com
            weight: 100
  4. Run a curl command to check whether the routing rule takes effect.

    In the output, the real value reported by the time command is 5.07s, which shows that the five-second delay configured in the routing rule takes effect.

    time curl -o /dev/null -s -w "%{http_code}\n" http://www.aliyun.com/
    301
    real  0m 5.07s
    user  0m 0.00s
    sys 0m 0.00s
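The following script is an added example and is not part of ASM or the page's own tooling. It applies the REGISTRY_ONLY rule described above (a request is forwarded only if a service entry covers both its host and its port) to a constructed list of outbound destinations observed while the policy was still ALLOW_ANY, and builds a service entry in the same layout as the aliyun-com-ext example for the destinations that would otherwise be rejected. The OBSERVED list and the egress-ext name are constructed sample values.

```python
"""Egress audit for a mesh whose External Access Policy is REGISTRY_ONLY (added example, not ASM
tooling): which observed outbound (host, port) pairs the sidecars will still forward, which they
will reject, and a ServiceEntry that registers the rejected ones."""
import json

# Constructed copy of the page's aliyun-com-ext ServiceEntry, as a dict.
SERVICE_ENTRIES = [{"kind": "ServiceEntry", "metadata": {"name": "aliyun-com-ext"},
    "spec": {"hosts": ["www.aliyun.com"],
             "ports": [{"number": 80, "name": "http", "protocol": "HTTP"},
                       {"number": 443, "name": "https", "protocol": "HTTPS"}],
             "resolution": "DNS", "location": "MESH_EXTERNAL"}}]
# Constructed sample of destinations seen while the policy was still ALLOW_ANY.
OBSERVED = [("www.aliyun.com", 443), ("www.aliyun.com", 80), ("www.aliyun.com", 8443),
            ("api.example.com", 443), ("Updates.Example.com", 443)]

def host_matches(pattern: str, host: str) -> bool:
    """Istio host match: exact (case-insensitive), '*' for any host, or '*.' subdomain wildcard."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == "*" or pattern == host

def is_registered(host: str, port: int, entries: list) -> bool:
    """True when a ServiceEntry covers both host and port; REGISTRY_ONLY rejects everything else."""
    for spec in (e.get("spec", {}) for e in entries):
        if port in {p["number"] for p in spec.get("ports", [])} and \
                any(host_matches(h, host) for h in spec.get("hosts", [])):
            return True
    return False

def audit(observed: list, entries: list) -> dict:
    """Partition observed destinations into those REGISTRY_ONLY allows and those it blocks."""
    result = {"allowed": [], "blocked": []}
    for host, port in sorted({(h.lower(), p) for h, p in observed}):
        result["allowed" if is_registered(host, port, entries) else "blocked"].append((host, port))
    return result

def service_entry_for(blocked: list, name: str) -> dict:
    """One MESH_EXTERNAL ServiceEntry, in the page's layout, registering every blocked host/port
    so the traffic is allowed and, unlike under ALLOW_ANY, still monitored by Istio."""
    proto = {80: "HTTP", 443: "HTTPS"}  # any other port falls back to plain TCP
    ports = [{"number": p, "name": f"{proto.get(p, 'TCP').lower()}-{p}", "protocol": proto.get(p, "TCP")}
             for p in sorted({p for _, p in blocked})]
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "ServiceEntry",
            "metadata": {"name": name}, "spec": {"hosts": sorted({h for h, _ in blocked}),
            "ports": ports, "resolution": "DNS", "location": "MESH_EXTERNAL"}}

if __name__ == "__main__":
    # JSON is valid YAML, so the printed manifest can be applied with kubectl apply -f as is.
    print(json.dumps(service_entry_for(audit(OBSERVED, SERVICE_ENTRIES)["blocked"], "egress-ext"), indent=2))
```

Review the generated entry before applying it: registering a host such as api.example.com on port 443 allows the traffic for every workload in the mesh, so keep the list to destinations that the applications actually need.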

Block access from a specific CIDR block

You can configure the Envoy proxies in an ASM instance to block access from a specific CIDR block. Only traffic destined for that CIDR block is handled by the Envoy proxy; traffic to other CIDR blocks bypasses the Envoy proxy and is routed directly to the destination services. Traffic that bypasses the proxy is neither blocked nor monitored or controlled by the mesh.

For an ASM instance, you can specify a CIDR block from which access to external services is blocked. Generally, you can block access from the service CIDR block of the Kubernetes clusters on the data plane of the ASM instance. This way, access to destination services in the Kubernetes clusters is blocked by the Envoy proxy. Access to destination services outside the Kubernetes clusters bypasses the Envoy proxy.

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the management page of the ASM instance, click Settings in the upper-right corner.
  5. In the Settings Update panel, click Show Advanced Settings. Enter a CIDR block in the Blocked Addresses for External Access field and click OK.
    Note The default value of the Blocked Addresses for External Access field is *. This means that access to external services from all IP addresses is blocked. You can enter a CIDR block based on your actual needs. Generally, you can enter the service CIDR block of the Kubernetes clusters on the data plane of the ASM instance.