You can add an entry for an external service to the internal service registry of a Service Mesh (ASM) instance so that services in the ASM instance can access the external service. A service entry describes the properties of a service, such as the domain name, port, protocol, and endpoint.
This topic describes how to create, modify, and delete a service entry.
Before you begin
Avoid reserved Envoy ports
Do not use ports reserved by the Envoy sidecar for service entries.
| Port | Protocol | Description |
|---|---|---|
| 15000 | TCP | Envoy admin |
| 15001 | TCP | Envoy outbound |
| 15006 | TCP | Envoy inbound |
| 15020 | HTTP | Merged Prometheus telemetry (Istio proxy, Envoy, and application) |
| 15021 | HTTP | Health checks |
| 15090 | HTTP | Envoy Prometheus telemetry |
Follow port naming conventions
Istio uses port names to determine the protocol. Name each port using the format below.
| Protocol | Port name | With suffix |
|---|---|---|
| HTTP | http | http-<suffix> |
| HTTP2 | http2 | http2-<suffix> |
| HTTPS | https | https-<suffix> |
| TLS | tls | tls-<suffix> |
| gRPC | grpc | grpc-<suffix> |
| TCP | tcp | tcp-<suffix> |
| UDP | udp | udp-<suffix> |
| Mongo | mongo | mongo-<suffix> |
| MySQL | mysql | mysql-<suffix> |
| Redis | redis | redis-<suffix> |
Protocol-specific requirements
HTTP, HTTPS, and TLS
Specify the hostname in the hosts field so that Envoy can match traffic by the Host header or SNI value.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: aliyun
spec:
  hosts:
  - www.aliyun.com
  - aliyun.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
```
TCP
Specify IP addresses or CIDR ranges in the addresses field so that Envoy can match traffic by destination IP.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: mysql-external
spec:
  hosts:
  - mysql-01.foo.bar
  addresses:
  - 10.0.0.5/32
  - 10.0.0.6/32
  ports:
  - name: tcp
    number: 3306
    protocol: tcp
  location: MESH_EXTERNAL
```
Multiple TCP services on the same port
When two or more external services share a TCP port (for example, port 3306), assign a distinct virtual IP address to each service entry so that Envoy can differentiate between them.
External service 1:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-1
  namespace: default
spec:
  hosts:
  - fqdna.fqdn.com
  addresses:
  - 10.0.0.0
  location: MESH_EXTERNAL
  ports:
  - name: TCP
    number: 3306
    protocol: TCP
  resolution: DNS
```
External service 2:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-2
  namespace: default
spec:
  hosts:
  - fqdnb.fqdn.com
  addresses:
  - 10.1.0.0
  location: MESH_EXTERNAL
  ports:
  - name: TCP
    number: 3306
    protocol: TCP
  resolution: DNS
```
Limit namespace visibility
By default, a service entry is visible to all namespaces in the mesh. To restrict access to the namespace where the service entry is created, set exportTo to ".".
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: aliyun
spec:
  hosts:
  - www.aliyun.com
  exportTo:
  - "."
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
```
Enable DNS resolution
For most external services, set resolution to DNS. In this mode, Envoy ignores the original destination IP, routes traffic to the host specified in the service entry, and resolves the IP address through an asynchronous DNS lookup.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: aliyun
spec:
  hosts:
  - '*.aliyun.com'
  addresses:
  - 192.168.0.0
  - 172.16.0.0
  location: MESH_EXTERNAL
  ports:
  - number: 443
    protocol: https
    name: https
  resolution: DNS
```
To disable DNS resolution, set resolution to NONE. In this mode, Envoy forwards traffic to the original destination IP without performing a DNS lookup.
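The rules above (reserved Envoy ports, port naming, hosts for HTTP/HTTPS/TLS, addresses for TCP, and distinct virtual IPs for TCP services that share a port) can be checked before a service entry is applied. The following lint is an added example, not code from the ASM documentation; it works on the dicts that yaml.safe_load() would return for each manifest, and the sample manifests at the bottom are constructed for the demonstration.

```python
# Added lint for parsed ServiceEntry manifests (not part of the ASM docs).
ENVOY_RESERVED = {15000, 15001, 15006, 15020, 15021, 15090}
PORT_PREFIXES = {"http", "http2", "https", "tls", "grpc",
                 "tcp", "udp", "mongo", "mysql", "redis"}

def check_service_entry(se):
    """Return the problems found in one ServiceEntry, or [] if it is clean."""
    name = se.get("metadata", {}).get("name", "<unnamed>")
    spec = se.get("spec", {})
    problems = []
    if not spec.get("hosts"):  # Host header / SNI matching needs a hostname
        problems.append(f"{name}: hosts is required")
    for port in spec.get("ports", []):
        number, pname = port.get("number"), str(port.get("name", ""))
        proto = str(port.get("protocol", "")).lower()
        prefix = pname.lower().split("-", 1)[0]  # "http-foo" -> "http"
        if number in ENVOY_RESERVED:
            problems.append(f"{name}: port {number} is reserved by the Envoy sidecar")
        if prefix not in PORT_PREFIXES:
            problems.append(f"{name}: port name '{pname}' is not <protocol>[-suffix]")
        elif proto and prefix != proto:
            problems.append(f"{name}: port name '{pname}' implies {prefix}, not {proto}")
        if proto == "tcp" and not spec.get("addresses"):
            # Envoy matches plain TCP by destination IP, so addresses are needed.
            problems.append(f"{name}: TCP port {number} has no addresses")
    return problems

def check_tcp_collisions(entries):
    """Flag TCP entries that share both a port number and a virtual IP."""
    owner, problems = {}, []  # (port number, address) -> entry name
    for se in entries:
        name = se.get("metadata", {}).get("name", "<unnamed>")
        spec = se.get("spec", {})
        for port in spec.get("ports", []):
            if str(port.get("protocol", "")).lower() != "tcp":
                continue
            for addr in spec.get("addresses", []):
                key = (port.get("number"), addr)
                if owner.setdefault(key, name) != name:
                    problems.append(f"{name}: {addr}:{key[0]} already used by {owner[key]}")
    return problems

# Constructed sample manifests: one clean HTTPS entry and one broken TCP entry.
GOOD_HTTPS = {"metadata": {"name": "aliyun"}, "spec": {
    "hosts": ["www.aliyun.com"], "location": "MESH_EXTERNAL", "resolution": "DNS",
    "ports": [{"number": 443, "name": "https", "protocol": "HTTPS"}]}}
BAD_TCP = {"metadata": {"name": "bad-db"}, "spec": {
    "hosts": ["db.example.internal"], "location": "MESH_EXTERNAL",
    "ports": [{"number": 15021, "name": "db", "protocol": "TCP"}]}}
```

Run check_service_entry on each manifest and check_tcp_collisions on the whole set before clicking Create; BAD_TCP reports a reserved port, a non-conforming port name, and a TCP port without addresses.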
Create a service entry
Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Cluster & Workload Management > External Service(ServiceEntry), and then click Create from YAML.
Select a namespace and a scenario template, edit the YAML configuration based on your requirements, and then click Create.
For more information about the fields, see ServiceEntry.
Modify a service entry
On the ASM instance details page, choose Cluster & Workload Management > External Service(ServiceEntry) in the left-side navigation pane.
Find the target service entry and click YAML in the Actions column.
In the Edit dialog box, update the configuration and click OK.
Delete a service entry
On the ASM instance details page, choose Cluster & Workload Management > External Service(ServiceEntry) in the left-side navigation pane.
Find the target service entry and click Delete in the Actions column.
In the Submit message, click OK.