
Alibaba Cloud Service Mesh:Configure settings to allow traffic to bypass sidecar proxies

Last Updated:Jan 26, 2024

A sidecar proxy is used to improve the network security, reliability, and observability of service calls. However, in scenarios where traffic is not required to pass through sidecar proxies, you can configure settings by using different methods to allow traffic to bypass sidecar proxies. This topic describes how to configure settings to allow inbound and outbound traffic or the traffic forwarded to a specific CIDR block to bypass sidecar proxies.

Prerequisites

Configure settings to allow inbound and outbound traffic to bypass sidecar proxies

In some scenarios, high performance is required and the security features such as mutual TLS (mTLS) authentication and the tracing analysis features provided by Service Mesh (ASM) are unnecessary. In such scenarios, you can specify whether the inbound and outbound traffic passes through sidecar proxies. In this example, settings are configured so that inbound traffic over ports 7001, 7002, and 7005 bypasses sidecar proxies while outbound traffic still passes through sidecar proxies. The performance-critical inbound traffic therefore bypasses the sidecar proxy that runs alongside Pod A, which reduces the resources consumed by the istio-proxy sidecar and improves overall performance. The outbound traffic still passes through the sidecar proxy that runs alongside Pod B, so capabilities of ASM such as load balancing remain available for it.

Configure a blocking policy for sidecar proxies in a namespace

Method 1: Configure a blocking policy for sidecar proxies in the ASM console

In this example, the default namespace is used. You can configure a blocking policy for sidecar proxies in the default namespace by specifying the ports to allow the outbound traffic to pass through sidecar proxies and the ports to allow the inbound traffic to bypass sidecar proxies.

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  4. On the details page of the ASM instance, choose Data Plane Component Management > Sidecar Proxy Setting in the left-side navigation pane.

  5. On the Sidecar Proxy Setting page, click the Namespace tab.

  6. On the Namespace tab, select the default namespace from the Namespace drop-down list. Click the Right arrow icon on the left side of enable/disable Sidecar proxy by port or address, set the required parameters, and then click Update Settings. The following table describes the parameters.

    Parameter | Description
    outbound ports for which traffic redirected to Envoy | The ports over which you want the outbound traffic to pass through sidecar proxies. In this example, set this parameter to 7001,7002,7005.
    Set the port numbers to prevent InboundTraffic from passing through the sidecar proxy | The ports over which you want the inbound traffic to bypass sidecar proxies. In this example, set this parameter to 7001,7002,7005.

  7. Restart a pod for the settings of sidecar proxies to take effect.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Workloads > Pods.

    5. On the Pods page, find the pod that you want to manage and click More > Delete in the Actions column.

    6. In the Note message, click OK.

      Wait until the pod restarts. The settings take effect after the pod restarts.

Method 2: Configure a blocking policy for sidecar proxies in the ACK console

A Deployment is used in this example. Annotations are added to the YAML file of a pod to configure a blocking policy for sidecar proxies. For more information, see Configure a sidecar proxy by adding resource annotations.

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. In the left-side navigation pane of the details page, choose Workloads > Deployments.

  5. On the Deployments page, find the application that you want to manage and click Details in the Actions column.

  6. In the upper-right corner of the application details page, click View in YAML.

  7. In the Edit YAML dialog box, add the following content to the spec.template.metadata parameter and click Update.

    annotations:
      traffic.sidecar.istio.io/excludeInboundPorts: '7001,7002,7005'
      traffic.sidecar.istio.io/includeOutboundPorts: '7001,7002,7005'


  8. Restart a pod for the settings of sidecar proxies to take effect.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Workloads > Pods.

    5. On the Pods page, find the pod that you want to manage and click More > Delete in the Actions column.

    6. In the Note message, click OK.

      Wait until the pod restarts. The settings take effect after the pod restarts.

Configure settings to allow the traffic forwarded to a specific CIDR block to bypass sidecar proxies

In this example, the traffic forwarded to the CIDR block 47.XX.XX.144/32 is allowed to bypass sidecar proxies. You can use the following methods as needed:

Method 1: Configure a blocking policy for sidecar proxies in the ASM console

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  4. On the details page of the ASM instance, choose Data Plane Component Management > Sidecar Proxy Setting in the left-side navigation pane.

  5. Configure a blocking policy for sidecar proxies at the global or namespace level.

    • Global level

      1. On the Sidecar Proxy Setting page, click the global tab.

      2. Click the Right arrow icon on the left side of enable/disable Sidecar proxy by port or address, set the Address range that does not block external access parameter to 47.XX.XX.144/32, and then click Update Settings.

    • Namespace level

      1. On the Sidecar Proxy Setting page, click the Namespace tab.

      2. On the Namespace tab, select default from the Namespace drop-down list. Click the Right arrow icon on the left side of enable/disable Sidecar proxy by port or address, set the Address range that does not block external access parameter to 47.XX.XX.144/32, and then click Update Settings.

  6. Restart a pod for the settings of sidecar proxies to take effect.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Workloads > Pods.

    5. On the Pods page, find the pod that you want to manage and click More > Delete in the Actions column.

    6. In the Note message, click OK.

      Wait until the pod restarts. The settings take effect after the pod restarts.

Method 2: Configure a blocking policy for sidecar proxies in the ACK console

A Deployment is used in this example. Annotations are added to the YAML file of a pod to configure a blocking policy for sidecar proxies. For more information, see Configure a sidecar proxy by adding resource annotations.

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. In the left-side navigation pane of the details page, choose Workloads > Deployments.

  5. On the Deployments page, click the name of the application that you want to manage.

  6. In the upper-right corner of the application details page, click View in YAML.

  7. In the Edit YAML dialog box, add the following content to the spec.template.metadata parameter and click Update.

    annotations:
      traffic.sidecar.istio.io/excludeOutboundIPRanges: 47.XX.XX.144/32


  8. Restart a pod for the settings of sidecar proxies to take effect.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Workloads > Pods.

    5. On the Pods page, find the pod that you want to manage and click More > Delete in the Actions column.

    6. In the Note message, click OK.

      Wait until the pod restarts. The settings take effect after the pod restarts.
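Traffic that bypasses a sidecar proxy is no longer covered by the mesh's mTLS or authorization policies, so it is worth being able to state exactly which connections a given set of annotations exempts before the pod is restarted. The following Python script is an added example, not code from Alibaba Cloud or the Istio project. It models Istio's default redirection rules as the author of this example understands them (includeInboundPorts and includeOutboundIPRanges default to "*", exclusions are evaluated before inclusions, and includeOutboundPorts redirects the listed ports regardless of destination IP), answers "would this inbound port or this outbound destination be redirected?" for the annotations used in both procedures above, and builds the kubectl strategic merge patch that sets those annotations under spec.template.metadata. The CIDR 203.0.113.144/32 is a constructed stand-in for the page's masked 47.XX.XX.144/32.

```python
"""Model which traffic an Istio sidecar redirects under the pod annotations
used on this page, and build the kubectl patch that applies them.

Added example, not Alibaba Cloud or Istio code. Assumed semantics (simplified
from Istio's iptables setup): includeInboundPorts and includeOutboundIPRanges
default to "*", exclusions take precedence over inclusions, and
includeOutboundPorts redirects matching ports regardless of destination IP.
"""
import ipaddress
import json

PREFIX = "traffic.sidecar.istio.io/"

# Constructed annotations combining both procedures on this page.
# 203.0.113.144/32 stands in for the page's masked 47.XX.XX.144/32.
EXAMPLE_ANNOTATIONS = {
    PREFIX + "excludeInboundPorts": "7001,7002,7005",
    PREFIX + "includeOutboundPorts": "7001,7002,7005",
    PREFIX + "excludeOutboundIPRanges": "203.0.113.144/32",
}


def parse_ports(value):
    """Parse '7001,7002,7005' into a set of ints, rejecting invalid ports."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return ports


def parse_ranges(value):
    """Parse a comma-separated CIDR list; '*' means every address."""
    value = value.strip()
    if value == "*":
        return "*"
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def _ann(annotations, key, default):
    return annotations.get(PREFIX + key, default)


def inbound_redirected(annotations, port):
    """True if inbound traffic on `port` is redirected to the sidecar."""
    if port in parse_ports(_ann(annotations, "excludeInboundPorts", "")):
        return False
    include = _ann(annotations, "includeInboundPorts", "*")
    return include == "*" or port in parse_ports(include)


def outbound_redirected(annotations, dst_ip, port):
    """True if outbound traffic to dst_ip:port is redirected to the sidecar."""
    ip = ipaddress.ip_address(dst_ip)
    # Exclusions are applied first and take precedence over inclusions.
    if port in parse_ports(_ann(annotations, "excludeOutboundPorts", "")):
        return False
    exclude = parse_ranges(_ann(annotations, "excludeOutboundIPRanges", ""))
    if exclude == "*" or any(ip in net for net in exclude):
        return False
    # Explicitly listed outbound ports are redirected whatever the destination.
    if port in parse_ports(_ann(annotations, "includeOutboundPorts", "")):
        return True
    include = parse_ranges(_ann(annotations, "includeOutboundIPRanges", "*"))
    return include == "*" or any(ip in net for net in include)


def build_patch(annotations):
    """Strategic merge patch for `kubectl patch deployment NAME -p '...'`,
    placing the annotations under spec.template.metadata as the console
    procedure above does by hand."""
    patch = {"spec": {"template": {"metadata": {"annotations": dict(annotations)}}}}
    return json.dumps(patch, sort_keys=True)


if __name__ == "__main__":
    for port in (7001, 8080):
        print(f"inbound :{port} redirected ->", inbound_redirected(EXAMPLE_ANNOTATIONS, port))
    for ip, port in (("203.0.113.144", 80), ("203.0.113.145", 80)):
        print(f"outbound {ip}:{port} redirected ->", outbound_redirected(EXAMPLE_ANNOTATIONS, ip, port))
    print(build_patch(EXAMPLE_ANNOTATIONS))
```

The pod still has to be restarted after the patch is applied, exactly as in the console procedure, because the redirection rules are written by the init container when the pod starts. Keeping the annotation values validated before they reach the Deployment avoids a silently malformed port list that the sidecar injector would otherwise accept at face value.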

Verify the result

You can select REGISTRY_ONLY as External Access Policy on the Sidecar Proxy Setting page to check whether the traffic passes through sidecar proxies. In REGISTRY_ONLY mode, a sidecar proxy blocks access to the destination CIDR block, so if the traffic passes through sidecar proxies the access fails, and if the traffic bypasses sidecar proxies the access succeeds.

  1. Log on to the ASM console. Go to the Sidecar Proxy Setting page and click the global tab.

  2. Click the Right arrow icon on the left side of External service access strategy, select REGISTRY_ONLY as External Access Policy, and then click Update Settings.

  3. Run the following command to access the http://47.XX.XX.144/productpage URL:

    curl -I http://47.XX.XX.144/productpage

    Expected output: after you configure settings to allow the traffic forwarded to the CIDR block 47.XX.XX.144/32 to bypass sidecar proxies, the access to the http://47.XX.XX.144/productpage URL is successful. You can specify a CIDR block for which the traffic is allowed to bypass sidecar proxies based on your business requirements.