Alibaba Cloud Service Mesh:Why does the service authentication fail when business services in an ASM instance can access external databases?

Last Updated: Jun 05, 2023

The service authentication may fail even when business services in a Service Mesh (ASM) instance can access external databases. This topic describes the cause of this issue and provides two solutions.

Problem description

You use an ASM instance of V1.10 or earlier. You want a business service, such as Service A, to access different external databases that require different authentication information for logon. After you add Service A to the ASM instance and enable sidecar injection for the pods that host Service A, Service A receives an error message that indicates an authentication failure when it attempts to access an external database.


You may have used a Service of the ExternalName type to add a CNAME record that points to a Transmission Control Protocol (TCP) database service outside your Container Service for Kubernetes (ACK) cluster. After Service A is added to the ASM instance, the domain name of the external database is not mapped to an IP address in the ACK cluster, so the sidecar matches requests from Service A to the external database only by destination port. A request intended for one external database can therefore be sent to another database that listens on the same port, and the logon fails because the two databases require different authentication information.


Solution 1: Update the version of the ASM instance

You can update the version of the ASM instance to V1.11 or later to resolve this issue. For more information, see Procedure.

Solution 2: Use service entries

You can create service entries in the ASM instance so that services in the instance can access the databases that are identified by the IP addresses specified in the service entries. You can also create service entries in a specific namespace. This way, service entries take effect only in the namespace.

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  4. On the details page of the ASM instance, choose Cluster & Workload Management > External Service(ServiceEntry) in the left-side navigation pane. On the page that appears, click Create from YAML.

  5. On the Create page, select istio-system from the Namespace drop-down list, select a template, replace the content in the YAML field with the following code, and then click Create:

    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: mysql-demo
    spec:
      hosts:
      - <external-database-hostname>   # placeholder: the domain name that Service A uses to reach the database
      addresses:
      - 172.1.xx.xx
      endpoints:
      - address: 172.1.xx.xx
      location: MESH_EXTERNAL
      ports:
      - name: tcp
        number: 3306
        protocol: TCP
      resolution: STATIC
    • hosts: the domain name that the business service uses to reach the database. This field is required by ServiceEntry; the value shown is a placeholder.

    • addresses: the IP address of the database to be accessed.

    • number: the port of the database to be accessed.
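As an added illustration (not ASM or Istio code), the following Python models the cause described above and the effect of Solution 2: with port-only matching, a request meant for the second database lands on the first, while per-database service entries with addresses and STATIC resolution keep each IP address on its own route. The database names, hostnames and IP addresses are constructed samples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExternalDb:
    """One external database; all values used below are constructed."""
    name: str      # ServiceEntry name
    host: str      # domain name that Service A dials
    address: str   # IP address of the database
    port: int = 3306

def service_entry(db: ExternalDb) -> dict:
    """Render the Solution 2 ServiceEntry for one database as a dict."""
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "ServiceEntry",
        "metadata": {"name": db.name, "namespace": "istio-system"},
        "spec": {
            "hosts": [db.host],
            "addresses": [db.address],
            "location": "MESH_EXTERNAL",
            "resolution": "STATIC",
            "ports": [{"name": "tcp", "number": db.port, "protocol": "TCP"}],
            "endpoints": [{"address": db.address}],
        },
    }

def route_by_port(dbs, dst_port):
    """ASM V1.10 and earlier with ExternalName Services: the external IP is
    not mapped to the domain name, so the sidecar matches on port alone and
    the first database on that port wins, whichever one the client meant."""
    for db in dbs:
        if db.port == dst_port:
            return db.name
    return None

def route_by_address(entries, dst_ip, dst_port):
    """With service entries, addresses plus STATIC resolution let the sidecar
    match on (IP, port), so each database keeps its own route."""
    for se in entries:
        spec = se["spec"]
        if dst_ip in spec["addresses"] and any(
            p["number"] == dst_port for p in spec["ports"]):
            return se["metadata"]["name"]
    return None

# Constructed sample: two MySQL databases on the same port, different logons.
ORDERS = ExternalDb("mysql-orders", "orders-db.example.test", "172.1.0.10")
BILLING = ExternalDb("mysql-billing", "billing-db.example.test", "172.1.0.20")
ENTRIES = [service_entry(ORDERS), service_entry(BILLING)]
```

Calling route_by_port with the billing database's port returns the orders database, which is the misrouting behind the authentication failure; route_by_address with the billing IP address returns the billing entry.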