You can add an entry for an external service to the internal service registry of an Alibaba Cloud Service Mesh (ASM) instance so that services in the ASM instance can access the external service. A service entry describes the properties of a service, such as its domain name, port, protocol, and endpoint. This topic describes how to create, modify, and delete a service entry.

Usage notes

  • To prevent port conflicts with sidecars, do not use the following ports that are used by Envoy when you create service entries.
    Port   Protocol  Used by  Description
    15000  TCP       Envoy    The admin port of Envoy.
    15001  TCP       Envoy    The outbound port of Envoy.
    15006  TCP       Envoy    The inbound port of Envoy.
    15020  HTTP      Envoy    The port used for merged Prometheus telemetry from the Istio agent, Envoy, and application.
    15021  HTTP      Envoy    The port used for health checks.
    15090  HTTP      Envoy    The port used for Envoy Prometheus telemetry.
  • The following table describes the conventions for naming ports in service entries.
    Protocol  Port name  Port name with a suffix
    HTTP      http       http-<Suffix>
    HTTP2     http2      http2-<Suffix>
    HTTPS     https      https-<Suffix>
    TLS       tls        tls-<Suffix>
    gRPC      grpc       grpc-<Suffix>
    TCP       tcp        tcp-<Suffix>
    UDP       udp        udp-<Suffix>
    Mongo     mongo      mongo-<Suffix>
    MySQL     mysql      mysql-<Suffix>
    Redis     redis      redis-<Suffix>
  • Take note of the following items if you use HTTP, HTTPS, TLS, or TCP:
    • If you use HTTP, HTTPS, or TLS, you must specify the host in a service entry.
      apiVersion: networking.istio.io/v1alpha3
      kind: ServiceEntry
      metadata:
        name: aliyun
      spec:
        hosts:
        - www.aliyun.com
        ports:
        - number: 443
          name: https
          protocol: HTTPS
        resolution: DNS
        location: MESH_EXTERNAL
    • If you use TCP, you must specify the IP address range in a service entry.
      apiVersion: networking.istio.io/v1alpha3
      kind: ServiceEntry
      metadata:
        name: mysql-external
      spec:
        hosts:
        - mysql-01.foo.bar
        addresses:
        - 10.0.0.5/32
        - 10.0.0.6/32
        ports:
        - name: tcp
          number: 3306
          protocol: TCP
        location: MESH_EXTERNAL
  • If multiple external services share the same TCP port, you must distinguish the services by IP address: give each service entry its own address range that does not overlap with the others.
    • External service 1
      apiVersion: networking.istio.io/v1beta1
      kind: ServiceEntry
      metadata:
        name: external-svc-1
        namespace: default
      spec:
        hosts:
        - fqdna.fqdn.com
        addresses:
        # Must not overlap with the range of external-svc-2.
        - 10.0.0.0/16
        location: MESH_EXTERNAL
        ports:
        - name: tcp
          number: 3306
          protocol: TCP
        resolution: DNS
    • External service 2
      apiVersion: networking.istio.io/v1beta1
      kind: ServiceEntry
      metadata:
        name: external-svc-2
        namespace: default
      spec:
        hosts:
        - fqdnb.fqdn.com
        addresses:
        # 10.1.0.0/8 would mask to 10.0.0.0/8 and cover the range of external-svc-1.
        - 10.1.0.0/16
        location: MESH_EXTERNAL
        ports:
        - name: tcp
          number: 3306
          protocol: TCP
        resolution: DNS
  • By default, a service entry that you create for an external service in an ASM instance is valid in all namespaces. To allow only services in the namespace in which the service entry is created to access the external service, add the exportTo parameter and set it to "." when you create the service entry.
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: aliyun
    spec:
      hosts:
      - www.aliyun.com
      exportTo:
      - "."
      ports:
      - number: 443
        name: https
        protocol: HTTPS
      resolution: DNS
      location: MESH_EXTERNAL
  • We recommend that you enable Domain Name System (DNS) resolution. With DNS resolution enabled, the original destination IP address of the traffic is ignored: traffic is directed to the specified host, and a DNS query is then performed to obtain the IP address of that host.
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: aliyun
    spec:
      hosts:
      - '*.aliyun.com'
      addresses:
      - 192.168.0.0/16
      - 172.16.0.0/16
      location: MESH_EXTERNAL
      ports:
      - number: 443
        protocol: HTTPS
        name: https
      resolution: DNS

    resolution: To enable DNS resolution, set this parameter to DNS. To disable DNS resolution, set this parameter to NONE.
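
The usage notes above can be checked before a manifest is applied. The following Python check is an added example, not part of the ASM documentation or tooling. It assumes each ServiceEntry is already parsed into a dict; the function names and the sample entries (db-a, db-b, admin) are constructed for illustration.

```python
import ipaddress
from itertools import combinations

ENVOY_PORTS = {15000, 15001, 15006, 15020, 15021, 15090}
PORT_NAMES = set("http http2 https tls grpc tcp udp mongo mysql redis".split())

def svc(name, hosts, addresses, port_name, number, protocol):
    """Build a ServiceEntry as the dict a YAML parser would return."""
    port = {"name": port_name, "number": number, "protocol": protocol}
    return {"metadata": {"name": name},
            "spec": {"hosts": hosts, "addresses": addresses, "ports": [port]}}

def lint_entry(entry):
    """Check one entry against the port, naming, host and address notes."""
    name, spec, out = entry["metadata"]["name"], entry["spec"], []
    for port in spec.get("ports", []):
        proto = port.get("protocol", "").lower()
        if port["number"] in ENVOY_PORTS:
            out.append(f"{name}: port {port['number']} is used by Envoy")
        if port.get("name", "").split("-", 1)[0] not in PORT_NAMES:
            out.append(f"{name}: port name {port.get('name')!r} breaks the naming convention")
        if proto in {"http", "https", "tls"} and not spec.get("hosts"):
            out.append(f"{name}: {proto.upper()} needs hosts")
        if proto == "tcp" and not spec.get("addresses"):
            out.append(f"{name}: TCP needs addresses")
    return out

def tcp_overlaps(entries):
    """Return (entry_a, entry_b, port) where two TCP entries share addresses."""
    claims = []
    for e in entries:
        for port in e["spec"].get("ports", []):
            if port.get("protocol", "").lower() != "tcp":
                continue
            for cidr in e["spec"].get("addresses", []):
                # strict=False masks host bits, so 10.1.0.0/8 becomes 10.0.0.0/8
                net = ipaddress.ip_network(cidr, strict=False)
                claims.append((e["metadata"]["name"], port["number"], net))
    return sorted({(a[0], b[0], a[1]) for a, b in combinations(claims, 2)
                   if a[0] != b[0] and a[1] == b[1] and a[2].overlaps(b[2])})

# Constructed sample entries (hypothetical names and hosts).
SAMPLE = [svc("db-a", ["db-a.example.internal"], ["10.0.0.0/8"], "TCP", 3306, "TCP"),
          svc("db-b", ["db-b.example.internal"], ["10.1.0.0/8"], "tcp", 3306, "TCP"),
          svc("admin", ["admin.example.internal"], [], "http", 15000, "HTTP")]

if __name__ == "__main__":
    print([f for e in SAMPLE for f in lint_entry(e)], tcp_overlaps(SAMPLE))
```

Running the check in a CI step or admission pipeline catches entries that would collide with sidecar ports or with each other before they reach the mesh.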

Create a service entry

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
  4. On the details page of the ASM instance, choose Cluster & Workload Management > ServiceEntry in the left-side navigation pane. On the ServiceEntry page, click Create from YAML.
  5. Set the parameters for creating a service entry by using one of the following methods:
    • On the Create page, select a namespace from the Namespace drop-down list, select a template that is used to create a service entry from the Template drop-down list, modify the configurations of the template in the YAML code editor, and then click Create.
    • On the Create page, select a namespace from the Namespace drop-down list, select no template from the Template drop-down list, customize the configurations of a service entry in the YAML code editor, and then click Create.

What to do next

Modify a service entry

On the details page of the ASM instance, choose Cluster & Workload Management > ServiceEntry in the left-side navigation pane. On the ServiceEntry page, find the service entry that you want to modify and click YAML in the Actions column. In the Edit panel, modify the configurations of the service entry and click OK.

Delete a service entry

On the details page of the ASM instance, choose Cluster & Workload Management > ServiceEntry in the left-side navigation pane. On the ServiceEntry page, find the service entry that you want to delete and click Delete in the Actions column. In the Submit message, click OK.