
Alibaba Cloud Service Mesh:Access external services from an ASM instance

Last Updated:Jan 18, 2024

To allow the pods in a Service Mesh (ASM) instance to access external services, you can configure a policy for accessing external services, create a service entry, or configure a CIDR block of external services to which access is intercepted. This topic describes how to access external services from an ASM instance. External services are services that are not registered in Istio.

Configure a policy for accessing external services

In the ASM console, you can set the Outbound Traffic Policy parameter for an ASM instance to configure a policy for accessing external services from the ASM instance.

Note

Log on to the ASM console. Click the name of the ASM instance for which you want to configure a policy for accessing external services. In the left-side navigation pane, choose ASM Instance > Instances Status to view the services that are defined in the internal service registry of Istio.

  • If the Outbound Traffic Policy parameter is set to ALLOW_ANY, sidecar proxies in the ASM instance allow all outbound traffic to pass without checking where the traffic is to be sent. This allows services in the ASM instance to access all external services. However, traffic to external services is not monitored or controlled.

    Important

    When the Outbound Traffic Policy parameter is set to ALLOW_ANY and no service entry is defined for external services, sidecar proxies allow TCP traffic from the ASM instance to be sent to any IP address and port. However, this method lacks explicit flow control and may lead to unexpected traffic behavior, especially when multiple services listen on the same port. To avoid access conflicts, we strongly recommend that you do not use this method to access external services, such as databases.

    We recommend that you define service entries for external services to explicitly control the destination of traffic and avoid potential issues and conflicts.

  • If the Outbound Traffic Policy parameter is set to REGISTRY_ONLY, sidecar proxies in the ASM instance deny access to external services that are not defined in the service registry of the ASM instance.

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  4. On the details page of the ASM instance, choose Dataplane Component Management > Sidecar Proxy Setting in the left-side navigation pane.

  5. On the global tab of the Sidecar Proxy Setting page, click Outbound Traffic Policy, set the Outbound Traffic Policy parameter to ALLOW_ANY, and then click Update Settings.

    In a pod into which a sidecar proxy is injected, run the curl -I command to access an external HTTP or HTTPS service. Success responses are returned, as shown in the following examples:

    • Example: Access an external HTTP service. A success response is returned.

      curl -I  http://www.aliyun.com/

      Expected output:

      HTTP/1.1 301 Moved Permanently
      server: envoy
      date: Mon, 07 Sep 2020 09:28:54 GMT
      content-type: text/html
      content-length: 239
      location: https://www.aliyun.com/
      eagleeye-traceid: 0be3e0a615994709353116335ea5ea
      timing-allow-origin: *
      x-envoy-upstream-service-time: 67
    • Example: Access an external HTTPS service. A success response is returned.

      curl -I  https://www.aliyun.com/

      Expected output:

      HTTP/2 200
      server: Tengine
      date: Mon, 07 Sep 2020 09:16:31 GMT
      content-type: text/html; charset=utf-8
      vary: Accept-Encoding
      vary: Accept-Encoding
      strict-transport-security: max-age=31536000
      x-download-options: noopen
      x-content-type-options: nosniff
      x-xss-protection: 1; mode=block
      x-readtime: 0
      eagleeye-traceid: 0b57ff8715994701916963132ec7ad
      strict-transport-security: max-age=0
      timing-allow-origin: *

Create a service entry

If the Outbound Traffic Policy parameter of an ASM instance is set to REGISTRY_ONLY, run the curl -I command in a pod into which a sidecar proxy is injected to access an external HTTP or HTTPS service. The request is rejected by the sidecar proxy of the pod, as shown in the following examples:

  • Example: Access an external HTTP service. The request is rejected.

    curl -I  http://www.aliyun.com/

    Expected output:

    HTTP/1.1 502 Bad Gateway
    date: Mon, 07 Sep 2020 09:25:58 GMT
    server: envoy
    transfer-encoding: chunked
  • Example: Access an external HTTPS service. The request is rejected.

    curl -I https://www.aliyun.com/

    Expected output:

    curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.aliyun.com:443

In this case, you can create a service entry for the external service to allow access to the external service. In this method, traffic to the external service is monitored and controlled by Istio.

  1. Create a service entry.

    1. Log on to the ASM console.

    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

    4. On the details page of the ASM instance, choose Cluster & Workload Management > External Service(ServiceEntry) in the left-side navigation pane. On the page that appears, click Create from YAML.

    5. On the Create page, select a namespace as required, copy the following content to the code editor, and then click Create.

      Set the hosts parameter based on your business requirements. In this example, the hosts parameter is set to www.aliyun.com.

      apiVersion: networking.istio.io/v1alpha3
      kind: ServiceEntry
      metadata:
        name: aliyun-com-ext
      spec:
        hosts:
        - 'www.aliyun.com'
        ports:
        - number: 80
          name: http
          protocol: HTTP
        - number: 443
          name: https
        protocol: HTTPS
        resolution: DNS
        location: MESH_EXTERNAL
  2. In a pod into which a sidecar proxy is injected, run the curl -I command to access an external HTTP or HTTPS service. Success responses are returned, as shown in the following examples:

    • Example: Access an external HTTP service. A success response is returned.

      curl -I  http://www.aliyun.com/

      Expected output:

      HTTP/1.1 301 Moved Permanently
      server: envoy
      date: Mon, 07 Sep 2020 09:49:17 GMT
      content-type: text/html
      content-length: 239
      location: https://www.aliyun.com/
      eagleeye-traceid: 0be3e0a915994721583014504e7b31
      timing-allow-origin: *
      x-envoy-upstream-service-time: 66
    • Example: Access an external HTTPS service. A success response is returned.

      curl -I https://www.aliyun.com/

      Expected output:

      HTTP/2 200
      server: Tengine
      date: Mon, 07 Sep 2020 09:49:31 GMT
      content-type: text/html; charset=utf-8
      vary: Accept-Encoding
      vary: Accept-Encoding
      strict-transport-security: max-age=31536000
      x-download-options: noopen
      x-content-type-options: nosniff
      x-xss-protection: 1; mode=block
      x-readtime: 1
      eagleeye-traceid: 0be3e0b115994721709577294ed9e8
      strict-transport-security: max-age=0
      timing-allow-origin: *
  3. Create a virtual service.

    1. Log on to the ASM console.

    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

    4. On the details page of the ASM instance, choose Traffic Management Center > VirtualService in the left-side navigation pane. On the page that appears, click Create from YAML.

    5. On the Create page, select a namespace as required, copy the following content to the code editor, and then click Create.

      Create a virtual service for the external service so that you can configure a routing rule for the external service. In the following code, the fixedDelay parameter is set to specify that each request for the www.aliyun.com external service receives a response with a fixed latency.

      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: aliyun-com-ext
      spec:
        hosts:
          - 'www.aliyun.com'
        http:
        - fault:
            delay:
              percent: 100
              fixedDelay: 5s
          route:
            - destination:
                host: www.aliyun.com
              weight: 100
  4. Check whether the routing rule takes effect.

    In the output of the time command, the real value is 5.07s, which is the 5s fixed delay plus the time of the request itself. This indicates that the routing rule takes effect.

    time curl -o /dev/null -s -w "%{http_code}\n" http://www.aliyun.com/

    Expected output:

    301
    real  0m 5.07s
    user  0m 0.00s
    sys 0m 0.00s

Intercept access to a specific CIDR block

You can configure a sidecar proxy in an ASM instance to intercept access to a specific CIDR block. This way, access traffic to other CIDR blocks bypasses the sidecar proxy and is directly routed to destination services without being intercepted by the sidecar proxy.

For an ASM instance, you can set the Addresses to Which External Access Is Redirected to Sidecar Proxy parameter to the service CIDR block of the Kubernetes clusters on the data plane of the ASM instance. This way, access to destination services in the Kubernetes clusters is intercepted by the sidecar proxy. Access to destination services outside the Kubernetes clusters bypasses the sidecar proxy.

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  4. On the details page of the ASM instance, choose Dataplane Component Management > Sidecar Proxy Setting in the left-side navigation pane.

  5. On the global tab of the Sidecar Proxy Setting page, click Enable/Disable Sidecar Proxy by Ports or IP Addresses, enter a CIDR block in the Addresses to Which External Access Is Redirected to Sidecar Proxy field, and then click Update Settings. This way, access to the specified CIDR block is intercepted.

    You can also enter a CIDR block in the Addresses to Which External Access Is Not Redirected to Sidecar Proxy field. This way, access to all CIDR blocks except for the specified CIDR block is intercepted.

    Note

    The default value in the Addresses to Which External Access Is Redirected to Sidecar Proxy field is *. This indicates that access to all CIDR blocks is intercepted. You can enter a CIDR block based on your business requirements. Generally, you can enter the service CIDR block of the Kubernetes clusters on the data plane of the ASM instance.
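The three settings described on this page (the Outbound Traffic Policy, service entries, and the CIDR blocks that are or are not redirected to the sidecar proxy) combine into one egress decision per request. The following added example, which is not ASM or Istio code, models that decision so that you can reason about which external destinations will be bypassed, rejected, or allowed without monitoring before you change the settings. The CIDR blocks and IP addresses in it are constructed sample values, and the assumption that an excluded CIDR block takes precedence over an included one is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServiceEntry:
    """Minimal view of an Istio ServiceEntry: its hosts and port numbers."""
    hosts: set
    ports: set


@dataclass
class MeshConfig:
    """Sidecar settings relevant to egress, as configured in the ASM console."""
    outbound_policy: str = "ALLOW_ANY"  # or "REGISTRY_ONLY"
    # "Addresses to Which External Access Is Redirected to Sidecar Proxy" (default "*")
    include_cidrs: list = field(default_factory=lambda: ["*"])
    # "Addresses to Which External Access Is Not Redirected to Sidecar Proxy"
    exclude_cidrs: list = field(default_factory=list)
    service_entries: list = field(default_factory=list)


def intercepted(cfg: MeshConfig, dst_ip: str) -> bool:
    """Return True if traffic to dst_ip is redirected to the sidecar proxy."""
    ip = ipaddress.ip_address(dst_ip)
    # Assumption of this model: an excluded block wins over an included block.
    if any(ip in ipaddress.ip_network(c) for c in cfg.exclude_cidrs):
        return False
    if "*" in cfg.include_cidrs:
        return True
    return any(ip in ipaddress.ip_network(c) for c in cfg.include_cidrs)


def egress_decision(cfg: MeshConfig, host: str, dst_ip: str, port: int) -> str:
    """Classify one outbound request from a pod with an injected sidecar."""
    if not intercepted(cfg, dst_ip):
        return "BYPASS"            # never sees the sidecar: no mesh policy, no telemetry
    registered = any(host in se.hosts and port in se.ports
                     for se in cfg.service_entries)
    if registered:
        return "ALLOW_MANAGED"     # routed via the ServiceEntry: monitored and controlled
    if cfg.outbound_policy == "REGISTRY_ONLY":
        return "REJECT"            # the 502 / SSL_ERROR_SYSCALL case shown above
    return "ALLOW_UNMANAGED"       # ALLOW_ANY passthrough: the case the Important note warns about
```

Auditing a mesh with this model is a matter of listing the ALLOW_UNMANAGED and BYPASS destinations, which are exactly the flows the sidecar neither monitors nor controls.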