Alibaba Cloud Service Mesh (ASM) allows you to configure an egress gateway through which all applications in an ASM instance access specific external services. Routing outbound traffic through a single gateway lets you apply the observability and security capabilities of ASM to that traffic at one point instead of in every sidecar. This topic describes how to configure an egress gateway.
Prerequisites
- The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
- Automatic sidecar injection is enabled. For more information, see Enable automatic sidecar injection by using multiple methods.
Procedure

Step 1: Deploy a sample application
Deploy a sleep application.
Create a sleep.yaml file that contains the following content:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
---
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
    service: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      terminationGracePeriodSeconds: 0
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: curlimages/curl
        command: ["/bin/sleep", "infinity"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true
---
Run the following command to deploy the sleep application:
kubectl apply -f sleep.yaml
Run the following command to access the external service from the pod where the sleep application resides:
kubectl exec -it ${Name of the pod where the sleep application resides} -c sleep -- curl -I aliyun.com
Sample output:
HTTP/1.1 301 Moved Permanently
server: envoy
date: Wed, 30 Nov 2022 06:31:49 GMT
content-type: text/html
content-length: 239
location: https://aliyun.com/
eagleeye-traceid: 0be3e0ca16697899092851326e****
timing-allow-origin: *
x-envoy-upstream-service-time: 28
If 301 is returned, the application in the ASM instance can reach the external service. curl sends a plain HTTP request by default, and the web server answers with a 301 response that redirects the client to https://aliyun.com/. The server: envoy header shows that the response passed through the sidecar proxy of the sleep pod.
Note: By default, ASM uses the ALLOW_ANY policy, which allows applications in an ASM instance to access any external service. In this mode you cannot enforce access control on outbound traffic or use the observability capabilities provided by ASM for it. We recommend that you change the policy to REGISTRY_ONLY so that applications can access only the external services that you declare, and that you route all outbound traffic through an egress gateway.
(Optional) Step 2: Set the policy for accessing external services to REGISTRY_ONLY
By default, ASM uses the ALLOW_ANY policy for accessing external services. We recommend that you change the policy to REGISTRY_ONLY. After you change the policy to REGISTRY_ONLY, sidecar proxies block requests to any host that is not in the service registry of the ASM instance, that is, to external services that have not been declared by using service entries. For HTTP requests, the sidecar returns a 502 response instead of connecting to the host.
If you have changed the policy to REGISTRY_ONLY but have not created a service entry, access requests to external services are denied.
If you have not changed the policy to REGISTRY_ONLY or created a service entry, access requests to external services are allowed but they are not directed from the egress gateway.
Step 3: Create a service entry to define the external service
You need to create a service entry to define an external service so that applications in the ASM instance can access the external service by using the egress gateway.
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose . On the page that appears, click Create from YAML.
On the Create page, select the namespace in which the sleep application resides, select Access mesh external services for Template, configure a YAML file, and then click Create. The following YAML file provides an example:
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-http
spec:
  hosts:
  - aliyun.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
Run the following command to access the external service from the pod where the sleep application resides:
kubectl exec -it ${Name of the pod where the sleep application resides} -c sleep -- curl -I aliyun.com
If 301 is returned, the application in the ASM instance can still access the external service. The aliyun.com host is now in the service registry of the ASM instance, so the request is allowed even under REGISTRY_ONLY. However, the sidecar proxy of the sleep pod still sends the request directly to the external service; the egress gateway is not yet involved.
Step 4: Use an egress gateway to route all the requests to access external services
The following section describes how to use an egress gateway to route all the requests to access external services. By doing so, you can easily manage outbound traffic by using Istio capabilities on the egress gateway.
(Optional) Create an egress gateway
If you have created an egress gateway that uses port 80, skip this step.
Use the egress gateway to route all the requests to access external services
You have defined the aliyun.com domain name in the service entry of the ASM instance. Therefore, you can configure a virtual service and Istio gateway to manage the traffic to aliyun.com.
On the details page of the ASM instance, choose in the left-side navigation pane.
On the Gateway page, click Create, configure the parameters, and then click Create.
Select the namespace in which the sleep application resides and configure the other parameters as instructed in the following figure. The gateway must listen on port 80 and select the egress gateway pods, and its name must match the name that you reference in the virtual service in the next step (egress-gw in this example).
Create a virtual service
On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create from YAML.
On the Create page, select the namespace in which the sleep application resides, select a template, configure a YAML file, and then click Create. The following YAML file provides an example. The gateway name in the gateways list and in the second match block must be identical to the name of the Istio gateway that you created (egress-gw in this example); otherwise, requests that reach the egress gateway do not match any route.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: egressgateway-vs
spec:
  hosts:
  - aliyun.com
  gateways:
  - egress-gw   # Name of the Istio gateway that you created.
  - mesh
  http:
  # Requests from sidecars in the mesh are sent to the egress gateway service.
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 80
      weight: 100
  # Requests that arrive at the egress gateway are forwarded to the external service.
  - match:
    - gateways:
      - egress-gw
      port: 80
    route:
    - destination:
        host: aliyun.com
        port:
          number: 80
      weight: 100
Access the external service to verify the configuration
Run the following command to access the external service from the pod where the sleep application resides:
kubectl exec -it ${Name of the pod where the sleep application resides} -c sleep -- curl -I aliyun.com
If 301 is returned, the application in the ASM instance can still access the external service. The request no longer leaves the cluster from the sleep pod: the sidecar sends it to the egress gateway, and the egress gateway forwards it to the external service.
Run the following command to query the access logs of the pod where the egress gateway resides:
kubectl -n istio-system logs ${Name of the pod where the egress gateway resides} -c istio-proxy | grep aliyun.com | tail -n 1
Note: If the egress gateway has multiple pod replicas, the request is logged by only one of them. Run the command against each replica in turn until you find the access log entry.
If you have enabled the access log feature for the egress gateway, you can also view the access logs in the Log Service console.
Sample output (the gateway emits one JSON object per line; the record is formatted here for readability):
{
  "trace_id": null,
  "upstream_host": "106.11.XXX.XX:80",
  "downstream_remote_address": "10.34.0.140:47942",
  "requested_server_name": null,
  "response_code": 301,
  "upstream_service_time": "24",
  "user_agent": "curl/7.86.0-DEV",
  "path": "/",
  "route_name": null,
  "bytes_sent": 0,
  "response_flags": "-",
  "upstream_local_address": "10.34.0.141:60388",
  "duration": 24,
  "upstream_cluster": "outbound|80||aliyun.com",
  "upstream_transport_failure_reason": null,
  "authority": "aliyun.com",
  "request_id": "55789d59-9b81-4e39-b64a-66baf44e****",
  "protocol": "HTTP/1.1",
  "bytes_received": 0,
  "method": "HEAD",
  "downstream_local_address": "10.34.0.141:80",
  "start_time": "2022-11-30T08:03:01.315Z",
  "istio_policy_status": null,
  "x_forwarded_for": "10.34.0.140"
}
The downstream_remote_address field is the IP address of the pod where the sleep application resides, and upstream_cluster is outbound|80||aliyun.com, which confirms that the gateway received the request from the sleep pod and forwarded it to the external service.
After you complete the configurations, access requests to the specified external service are directed through the egress gateway. You can use the observability and security capabilities provided by ASM to manage outbound traffic on the egress gateway in an efficient manner.
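The following script is an added example, not part of the ASM documentation, that turns the verification above into a repeatable check. It classifies a single Istio JSON access-log record by the Envoy cluster the request was routed to, which tells you which of the states described in Steps 2 to 4 you are in (REGISTRY_ONLY without a service entry, ALLOW_ANY passthrough, sidecar forwarding to the egress gateway, or a registered host), and it confirms that a record taken from the egress gateway really came from the sleep pod and went on to the external host. It assumes the default Istio JSON access-log field names shown in the sample output and the standard Istio cluster names BlackHoleCluster and PassthroughCluster. The GW_OK record is the gateway log line from the sample output (masked octets kept, minor fields dropped); the three sidecar records are constructed.

```shell
#!/bin/sh
# Added example (not from the ASM documentation): classify Istio JSON access-log
# records by the Envoy cluster they were routed to, and confirm that a record from
# the egress gateway came from the sleep pod and went on to the external host.
# Assumes the default Istio JSON access-log field names and the standard Istio
# cluster names BlackHoleCluster and PassthroughCluster.

# log_field KEY RECORD: print the value of KEY from a single-line JSON record.
# Handles quoted strings and bare numbers/null; keys are unique in Envoy records.
log_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}[,}].*/\1/p"
}

# classify_record RECORD: name the path the request took.
#   blocked     BlackHoleCluster: REGISTRY_ONLY is on and no ServiceEntry matched the host
#   passthrough PassthroughCluster: ALLOW_ANY let the sidecar go straight out
#   via-egress  the sidecar forwarded to the egress gateway service (Step 4 is working)
#   registered  a ServiceEntry host: the sidecar's direct hop (Step 3 only), or the
#               gateway's own hop to the external host
classify_record() {
  case "$(log_field upstream_cluster "$1")" in
    BlackHoleCluster)   echo blocked ;;
    PassthroughCluster) echo passthrough ;;
    "outbound|80||istio-egressgateway.istio-system.svc.cluster.local") echo via-egress ;;
    "outbound|80||"*)   echo registered ;;
    *)                  echo unknown ;;
  esac
}

# verify_egress_hop HOST SLEEP_POD_IP RECORD: succeed only if RECORD, taken from the
# egress gateway's istio-proxy log, shows a request from the sleep pod forwarded to HOST.
verify_egress_hop() {
  cluster=$(log_field upstream_cluster "$3")
  from=$(log_field downstream_remote_address "$3")
  code=$(log_field response_code "$3")
  case "$cluster" in
    "outbound|80||$1") ;;
    *) echo "FAIL: upstream cluster is $cluster, not outbound|80||$1"; return 1 ;;
  esac
  case "$from" in
    "$2:"*) ;;
    *) echo "FAIL: request came from $from, not from sleep pod $2"; return 1 ;;
  esac
  echo "OK: HTTP $code to $1 via the egress gateway, from $from"
}

# Sample records. GW_OK is the gateway log line from the sample output above (masked
# octets kept, minor fields dropped); the three sidecar records are constructed.
GW_OK='{"upstream_host":"106.11.XXX.XX:80","downstream_remote_address":"10.34.0.140:47942","response_code":301,"response_flags":"-","upstream_cluster":"outbound|80||aliyun.com","authority":"aliyun.com","method":"HEAD","downstream_local_address":"10.34.0.141:80","x_forwarded_for":"10.34.0.140"}'
SIDECAR_BLOCKED='{"upstream_host":null,"downstream_remote_address":"10.34.0.140:47950","response_code":502,"response_flags":"UH","upstream_cluster":"BlackHoleCluster","authority":"aliyun.com","method":"HEAD"}'
SIDECAR_PASSTHROUGH='{"upstream_host":"106.11.XXX.XX:80","downstream_remote_address":"10.34.0.140:47960","response_code":301,"response_flags":"-","upstream_cluster":"PassthroughCluster","authority":"aliyun.com","method":"HEAD"}'
SIDECAR_VIA_EGRESS='{"upstream_host":"10.34.0.141:80","downstream_remote_address":"10.34.0.140:47970","response_code":301,"response_flags":"-","upstream_cluster":"outbound|80||istio-egressgateway.istio-system.svc.cluster.local","authority":"aliyun.com","method":"HEAD"}'

for rec in "$GW_OK" "$SIDECAR_BLOCKED" "$SIDECAR_PASSTHROUGH" "$SIDECAR_VIA_EGRESS"; do
  printf '%-12s %s -> %s\n' "$(classify_record "$rec")" \
    "$(log_field authority "$rec")" "$(log_field upstream_cluster "$rec")"
done
verify_egress_hop aliyun.com 10.34.0.140 "$GW_OK" || true
verify_egress_hop aliyun.com 10.34.0.140 "$SIDECAR_PASSTHROUGH" || true
```

In a live cluster, feed the last matching line of each egress gateway replica (the kubectl logs ... | grep aliyun.com | tail -n 1 command above) to verify_egress_hop together with the sleep pod IP from kubectl get pod -o wide; run classify_record on the sleep pod's own istio-proxy log to see whether the sidecar is blackholing, passing through, or forwarding to the gateway.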