To configure access to external services from a Service Mesh (ASM) instance, you can configure a policy for accessing external services, create a service entry, or deny access from a specific CIDR block. This topic describes how to access external services from an ASM instance. External services are services that are not registered in the internal service registry of Istio.
Configure a policy for accessing external services
In the ASM console, you can set the External Access Policy parameter for an ASM instance to configure a policy for accessing external services from the ASM instance.
Log on to the ASM console. Click the name of the ASM instance for which you want to configure a policy for accessing external services. In the left-side navigation pane, choose to view the services that are defined in the internal service registry of Istio.
If the External Access Policy parameter is set to ALLOW_ANY, sidecar proxies in the ASM instance allow all outbound traffic to pass without checking where the traffic is to be sent. This allows services in the ASM instance to access all external services. However, traffic to external services is not monitored or controlled.
If the External Access Policy parameter is set to REGISTRY_ONLY, sidecar proxies in the ASM instance deny access to hosts for which no HTTP service or service entry is defined in the ASM instance.
Log on to the ASM console.
In the left-side navigation pane, choose .
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose in the left-side navigation pane.
On the global tab of the Sidecar Proxy Setting page, click External service access strategy, set the External Access Policy parameter to ALLOW_ANY, and then click Update Settings.
In a pod into which a sidecar proxy is injected, run the curl -I command to access an external HTTP or HTTPS service. Success responses are returned, as shown in the following examples:
Example: Access an external HTTP service. A success response is returned.
curl -I http://www.aliyun.com/
Expected output:
HTTP/1.1 301 Moved Permanently
server: envoy
date: Mon, 07 Sep 2020 09:28:54 GMT
content-type: text/html
content-length: 239
location: https://www.aliyun.com/
eagleeye-traceid: 0be3e0a615994709353116335ea5ea
timing-allow-origin: *
x-envoy-upstream-service-time: 67
Example: Access an external HTTPS service. A success response is returned.
curl -I https://www.aliyun.com/
Expected output:
HTTP/2 200
server: Tengine
date: Mon, 07 Sep 2020 09:16:31 GMT
content-type: text/html; charset=utf-8
vary: Accept-Encoding
vary: Accept-Encoding
strict-transport-security: max-age=31536000
x-download-options: noopen
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-readtime: 0
eagleeye-traceid: 0b57ff8715994701916963132ec7ad
strict-transport-security: max-age=0
timing-allow-origin: *
Create a service entry
If the External Access Policy parameter of an ASM instance is set to REGISTRY_ONLY and you run the curl -I command in a pod into which a sidecar proxy is injected to access an external HTTP or HTTPS service, the request is rejected by the sidecar proxy of the pod, as shown in the following examples:
Example: Access an external HTTP service. The request is rejected.
curl -I http://www.aliyun.com/
Expected output:
HTTP/1.1 502 Bad Gateway
date: Mon, 07 Sep 2020 09:25:58 GMT
server: envoy
transfer-encoding: chunked
Example: Access an external HTTPS service. The request is rejected.
curl -I https://www.aliyun.com/
Expected output:
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.aliyun.com:443
In this case, you can create a service entry for the external service to allow access to the external service. In this method, traffic to the external service is monitored and controlled by Istio.
Create a service entry.
Log on to the ASM console.
In the left-side navigation pane, choose .
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create from YAML.
On the Create page, select a namespace as required, copy the following content to the code editor, and then click Create.
Set the hosts parameter based on your business requirements. In this example, the hosts parameter is set to www.aliyun.com.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: aliyun-com-ext
spec:
  hosts:
  - 'www.aliyun.com'
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
In a pod into which a sidecar proxy is injected, run the curl -I command to access an external HTTP or HTTPS service. Success responses are returned, as shown in the following examples:
Example: Access an external HTTP service. A success response is returned.
curl -I http://www.aliyun.com/
Expected output:
HTTP/1.1 301 Moved Permanently
server: envoy
date: Mon, 07 Sep 2020 09:49:17 GMT
content-type: text/html
content-length: 239
location: https://www.aliyun.com/
eagleeye-traceid: 0be3e0a915994721583014504e7b31
timing-allow-origin: *
x-envoy-upstream-service-time: 66
Example: Access an external HTTPS service. A success response is returned.
curl -I https://www.aliyun.com/
Expected output:
HTTP/2 200
server: Tengine
date: Mon, 07 Sep 2020 09:49:31 GMT
content-type: text/html; charset=utf-8
vary: Accept-Encoding
vary: Accept-Encoding
strict-transport-security: max-age=31536000
x-download-options: noopen
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-readtime: 1
eagleeye-traceid: 0be3e0b115994721709577294ed9e8
strict-transport-security: max-age=0
timing-allow-origin: *
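The sidecar behaviour this section describes (ALLOW_ANY passes unknown hosts through, REGISTRY_ONLY rejects them, and a service entry brings a host under mesh control) is modelled in the following added Python example, which is not part of the ASM documentation. The SERVICE_ENTRIES table mirrors the aliyun-com-ext service entry above, the host example.invalid is constructed, and the PassthroughCluster and BlackHoleCluster names are Istio's outbound clusters, assumed to be what the ASM sidecar uses.

```python
from dataclasses import dataclass

# Constructed registry mirroring the page's aliyun-com-ext ServiceEntry:
# host -> {(port, protocol), ...} for which Envoy gets a named outbound cluster.
SERVICE_ENTRIES = {
    "www.aliyun.com": {(80, "HTTP"), (443, "HTTPS")},
}

@dataclass
class Verdict:
    allowed: bool
    in_registry: bool   # True: routed via the ServiceEntry cluster, so mesh rules apply
    detail: str

def outbound_verdict(mode, host, port, protocol, entries=SERVICE_ENTRIES):
    """What the sidecar does with one outbound request under the given
    External Access Policy ('ALLOW_ANY' or 'REGISTRY_ONLY')."""
    if (port, protocol) in entries.get(host, set()):
        return Verdict(True, True, f"{host}:{port} matches a ServiceEntry")
    if mode == "ALLOW_ANY":
        # Forwarded via Istio's PassthroughCluster (assumed): reachable, but no
        # VirtualService or DestinationRule written for the host applies to it.
        return Verdict(True, False, "PassthroughCluster: no mesh control")
    if mode == "REGISTRY_ONLY":
        # Matches the page's output: Envoy answers plain HTTP with 502, while a
        # TLS client only sees the connection fail (curl error 35).
        symptom = "HTTP 502 from envoy" if protocol == "HTTP" else "TLS connect fails"
        return Verdict(False, False, f"BlackHoleCluster: {symptom}")
    raise ValueError(f"unknown External Access Policy: {mode}")

def unregistered_hosts(virtual_service_hosts, entries=SERVICE_ENTRIES):
    """Config check: VirtualService hosts that have no ServiceEntry. The page's
    VirtualService only takes effect because the aliyun-com-ext ServiceEntry
    exists, so flag every routed host that lacks one."""
    return sorted(h for h in virtual_service_hosts if h not in entries)

if __name__ == "__main__":
    for mode in ("ALLOW_ANY", "REGISTRY_ONLY"):
        for host, port, proto in (("www.aliyun.com", 443, "HTTPS"),
                                  ("example.invalid", 80, "HTTP")):  # constructed host
            v = outbound_verdict(mode, host, port, proto)
            print(f"{mode:13} {host}:{port:<4} allowed={v.allowed} {v.detail}")
    print("no ServiceEntry:", unregistered_hosts(["www.aliyun.com", "example.invalid"]))
```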
Create a virtual service.
Log on to the ASM console.
In the left-side navigation pane, choose .
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create from YAML.
On the Create page, select a namespace as required, copy the following content to the code editor, and then click Create.
Create a virtual service for the external service so that you can configure a routing rule for the external service. In the following code, the fault.delay section sets fixedDelay to 5s and percent to 100, so that every request to the www.aliyun.com external service receives its response with a fixed latency of 5 seconds.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: aliyun-com-ext
spec:
  hosts:
  - 'www.aliyun.com'
  http:
  - fault:
      delay:
        percent: 100
        fixedDelay: 5s
    route:
    - destination:
        host: www.aliyun.com
      weight: 100
Check whether the routing rule takes effect.
Run the following command in a pod into which a sidecar proxy is injected. In the output, the value of real is 5.07s, which shows that the 5s fixed delay is applied and the routing rule takes effect.
time curl -o /dev/null -s -w "%{http_code}\n" http://www.aliyun.com/
Expected output:
301
real    0m 5.07s
user    0m 0.00s
sys     0m 0.00s
Deny access from a specific CIDR block
You can configure a sidecar proxy in an ASM instance to deny access from a specific CIDR block. This way, access traffic from other CIDR blocks bypasses the sidecar proxy and is directly routed to destination services without being denied by the sidecar proxy.
For an ASM instance, you can specify a CIDR block from which access to external services is denied. Generally, you can deny access from the service CIDR block of the Kubernetes clusters on the data plane of the ASM instance. This way, access to destination services in the Kubernetes clusters is denied by the sidecar proxy. Access to destination services outside the Kubernetes clusters bypasses the sidecar proxy.
Log on to the ASM console.
In the left-side navigation pane, choose .
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose in the left-side navigation pane.
On the global tab of the Sidecar Proxy Setting page, click enable/disable Sidecar proxy by port or address, enter a CIDR block in the Blocked Addresses for External Access field, and then click Update Settings. This way, access to external services from the specified CIDR block is denied.
You can also enter a CIDR block in the Address range that does not block external access field. This way, access to external services from all CIDR blocks except for the specified CIDR block is denied.
Note: The default value in the Blocked Addresses for External Access field is *. This means that access to external services from all IP addresses is denied. You can enter a CIDR block based on your business requirements. Generally, you can enter the service CIDR block of the Kubernetes clusters on the data plane of the ASM instance.
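The following added Python helper, which is not from the ASM documentation, decides whether an outbound connection to a destination IP address is sent through the sidecar proxy under the two fields above, so you can check a planned CIDR setting before applying it. It assumes the fields behave like Istio's includeOutboundIPRanges and excludeOutboundIPRanges settings; the 172.21.0.0/20 service CIDR and the destination addresses are constructed values.

```python
from ipaddress import ip_address, ip_network

def _ranges(value):
    """Parse a field value: '*' means every address, '' means none,
    otherwise a comma-separated list of CIDR blocks."""
    value = (value or "").strip()
    if value == "*":
        return "*"
    return [ip_network(c.strip(), strict=False) for c in value.split(",") if c.strip()]

def sidecar_intercepts(dest_ip, blocked="*", unblocked=""):
    """True when an outbound connection to dest_ip is redirected through the
    sidecar proxy (and so is subject to the External Access Policy), False
    when it bypasses the proxy and goes straight to the destination.

    blocked   - 'Blocked Addresses for External Access' (default '*')
    unblocked - 'Address range that does not block external access'
    Assumption: the fields behave like Istio's includeOutboundIPRanges and
    excludeOutboundIPRanges, and an excluded range always bypasses the proxy.
    """
    ip = ip_address(dest_ip)
    excluded = _ranges(unblocked)
    if excluded == "*" or any(ip in net for net in excluded):
        return False
    included = _ranges(blocked)
    return included == "*" or any(ip in net for net in included)

if __name__ == "__main__":
    # Constructed values: a cluster service CIDR, one in-cluster destination
    # and one external destination, as in the page's recommended setup.
    service_cidr = "172.21.0.0/20"
    for dest in ("172.21.4.10", "203.0.113.7"):
        state = "through sidecar" if sidecar_intercepts(dest, blocked=service_cidr) else "bypasses sidecar"
        print(f"{dest:<14} {state}")
```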