Service Mesh (ASM) instances of version 1.16.4 and later allow you to use CustomResourceDefinition (CRD) fields to define an egress traffic policy. An egress traffic policy defines how an egress gateway manages egress traffic. By using a combination of sidecar proxies and authorization policies, you can control egress traffic in a comprehensive manner. This topic provides YAML code examples and describes the CRD fields in an egress traffic policy.
YAML code examples
Example 1: Allow a service to access a specific external service through an egress gateway
The sleep-a service in the mytest namespace is allowed to access http://www.httpbin.org over port 80 of the egress gateway named egressgateway-a.
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMEgressTrafficPolicy
metadata:
  name: egress-by-egressgateway-a # Naming convention: corresponds to the egress gateway.
  namespace: istio-egress # Namespace convention: fixed to the istio-egress namespace.
spec:
  byEgressGateway:
    name: egressgateway-a
  egressRules:
  - from:
    - namespace: mytest
      workloadSelector:
        app: sleep-a
    to:
    - name: httpbin-service-http
      hosts:
      - www.httpbin.org # Multiple domain names correspond to the same DNS resolution address.
      - httpbin.org # Multiple domain names correspond to the same DNS resolution address.
      port:
        name: http
        number: 80
        protocol: HTTP
      byEgressGateway:
        port: 80 # Sidecar → 80 Gateway → 80 Service (httpbin.org)
```
Example 2: Allow some services to access specific external services through an egress gateway and upgrade HTTP requests to HTTPS requests
- The sleep-a service in the mytest namespace is allowed to access http://www.httpbin.org over port 80 of the egress gateway named egressgateway-a. The HTTP requests that are sent to port 80 of the egress gateway are upgraded to HTTPS requests by the egress gateway.
- The sleep-a service in the mytest namespace is allowed to access https://www.httpbin.org over port 444 of the egress gateway named egressgateway-a.
- The sleep-b service in the mytest namespace is allowed to access https://www.aliyun.com over port 445 of the egress gateway named egressgateway-a.
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMEgressTrafficPolicy
metadata:
  name: egress-by-egressgateway-a # Naming convention: corresponds to the egress gateway.
  namespace: istio-egress # Namespace convention: fixed to the istio-egress namespace.
spec:
  byEgressGateway:
    name: egressgateway-a
  egressRules:
  - from:
    - namespace: mytest
      workloadSelector:
        app: sleep-a
    to:
    - name: httpbin-service-http
      hosts:
      - www.httpbin.org # Multiple domain names correspond to the same DNS resolution address.
      - httpbin.org # Multiple domain names correspond to the same DNS resolution address.
      port:
        name: http
        number: 80
        protocol: HTTP
      byEgressGateway:
        port: 80 # Sidecar → 80 Gateway → 80 Service (httpbin.org)
      httpsUpgrade:
        enabled: true # If enabled is false, the port configured in httpsUpgrade does not take effect.
        port: 443 # Sidecar → 80 Gateway → 443 Service (httpbin.org)
    - name: httpbin-service-https
      hosts:
      - www.httpbin.org
      - httpbin.org
      port:
        name: https
        number: 443
        protocol: HTTPS
      byEgressGateway:
        port: 444
  - from:
    - namespace: mytest
      workloadSelector:
        app: sleep-b
    to:
    - name: aliyun-service-https
      hosts:
      - www.aliyun.com
      port:
        name: https
        number: 443
        protocol: HTTPS
      byEgressGateway:
        port: 445
```
Example 3: Access external services with HTTP and TCP protocols and assign egress gateway ports
From version 1.24.6.45, ASMEgressTrafficPolicy supports external services that use the TCP protocol. Because different TCP services must use different egress gateway ports, ASM automatically allocates forwarding ports on the egress gateway (the default allocation range is 10000 to 20000). You do not need to modify these ports manually, and they do not affect your business traffic. For example:
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMEgressTrafficPolicy
metadata:
  name: egress-by-egressgateway-a # Naming convention: corresponds to the egress gateway.
  namespace: istio-egress # Namespace convention: fixed to the istio-egress namespace.
spec:
  byEgressGateway:
    name: egressgateway-a
  egressRules:
  - from:
    - namespace: default
      workloadSelector:
        app: sleep
    to:
    - name: aliyun-com-http # HTTP route
      hosts:
      - aliyun.com
      port:
        name: http
        number: 80
        protocol: HTTP
    - name: aliyun-https # HTTPS route
      hosts:
      - aliyun.com
      port:
        name: https
        number: 443
        protocol: HTTPS
    - name: https-upgrade # HTTP upgraded to HTTPS
      hosts:
      - taobao.com
      port:
        name: http
        protocol: HTTP
        number: 80
      httpsUpgrade:
        enabled: true
        port: 443
    - name: tcp-svc1 # TCP service 1
      hosts:
      - 1.1.1.1
      port:
        name: tcp
        protocol: TCP
        number: 44
    - name: tcp-svc2 # TCP service 2
      hosts:
      - test-tcp.com
      port:
        name: tcp
        protocol: TCP
        number: 444
```
CRD fields
Spec
Field | Type | Required | Description
--- | --- | --- | ---
byEgressGateway | ByEgressGateway | Yes | Indicates that an egress gateway is used to control access to external services.
egressRules | EgressRule[] | Yes | Egress traffic rules.
ByEgressGateway
Field | Type | Required | Description
--- | --- | --- | ---
name | string | Yes | The egress gateway through which external services are accessed. We recommend that the gateway name does not exceed 32 characters in length.
port | uint32 | No | The port of the egress gateway over which traffic passes.
EgressRule
Field | Type | Required | Description
--- | --- | --- | ---
name | string | No | The name of the rule.
from | From[] | Yes | The source of egress traffic, which is the request initiator.
to | To[] | Yes | The destination of egress traffic, which is the external target service of the request.
From
Field | Type | Required | Description
--- | --- | --- | ---
namespace | string | Yes | The namespace where the service that initiates the requests resides.
workloadSelector | map[string]string | No | The label selector that filters the source services of the egress traffic.
To
Field | Type | Required | Description
--- | --- | --- | ---
name | string | Yes | The name of the external service.
hosts | string[] | Yes | The domain names of the external service. Multiple domain names can be configured, but they must point to the same site.
port | object | Yes | The port of the external service, specified by its name, number, and protocol (HTTP, HTTPS, or TCP), as shown in the examples above.
byEgressGateway | ByEgressGateway | Yes | Indicates that traffic flows through a port on the egress gateway to the external service.
httpsUpgrade | HttpsUpgrade | No | Specifies whether the egress gateway upgrades the HTTP requests that are initiated by a service to HTTPS requests.
HttpsUpgrade
Field | Type | Required | Description
--- | --- | --- | ---
enabled | bool | Yes | Whether to upgrade to HTTPS.
port | uint32 | Yes | The HTTPS port of the external service.
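As an added example (not ASM's own code and not part of this page), the following Python linter checks a parsed ASMEgressTrafficPolicy against the rules described above before it is applied: the fixed istio-egress namespace, the required fields, the 32-character gateway name recommendation, httpsUpgrade only for HTTP destinations with a port set, and distinct egress gateway ports for different TCP services. It takes the dict that yaml.safe_load returns for a manifest; the SAMPLE policy and its gateway port 10044 are constructed for the demonstration, and byEgressGateway.port is treated as optional because Example 3 omits it.

```python
# Lint a parsed ASMEgressTrafficPolicy (the dict yaml.safe_load returns) against the
# field rules on this page. Added example, not ASM's own code. byEgressGateway.port
# is optional here because Example 3 omits it and lets ASM allocate a port.
REQUIRED_TO = ("name", "hosts", "port")

def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    meta, spec = policy.get("metadata", {}), policy.get("spec", {})
    if meta.get("namespace") != "istio-egress":
        findings.append("metadata.namespace must be istio-egress")
    gw_name = spec.get("byEgressGateway", {}).get("name", "")
    if not gw_name:
        findings.append("spec.byEgressGateway.name is required")
    elif len(gw_name) > 32:
        findings.append("gateway name exceeds the recommended 32 characters")
    used = {}  # explicit gateway port -> (service name, protocol)
    for i, rule in enumerate(spec.get("egressRules", [])):
        if not rule.get("from") or not rule.get("to"):
            findings.append(f"egressRules[{i}]: from and to are required")
        if any(not src.get("namespace") for src in rule.get("from", [])):
            findings.append(f"egressRules[{i}].from: namespace is required")
        for dst in rule.get("to", []):
            name = dst.get("name", "<unnamed>")
            if any(field not in dst for field in REQUIRED_TO):
                findings.append(f"{name}: name, hosts and port are all required")
                continue
            proto = dst["port"].get("protocol")
            up = dst.get("httpsUpgrade", {})
            if up.get("enabled") and (proto != "HTTP" or not up.get("port")):
                findings.append(f"{name}: httpsUpgrade needs protocol HTTP and a port")
            gport = dst.get("byEgressGateway", {}).get("port")
            if gport is None:
                continue  # no explicit port: ASM allocates one (default 10000-20000)
            prev = used.setdefault(gport, (name, proto))
            # Different TCP services must not share one egress gateway port.
            if prev[0] != name and "TCP" in (proto, prev[1]):
                findings.append(f"gateway port {gport}: {prev[0]} and {name} collide")
    return findings
# Constructed sample: two TCP services wrongly pinned to the same gateway port.
SAMPLE = {"metadata": {"name": "egress-by-egressgateway-a", "namespace": "istio-egress"},
          "spec": {"byEgressGateway": {"name": "egressgateway-a"}, "egressRules": [{
              "from": [{"namespace": "default", "workloadSelector": {"app": "sleep"}}],
              "to": [{"name": "tcp-svc1", "hosts": ["1.1.1.1"], "byEgressGateway": {"port": 10044},
                      "port": {"name": "tcp", "protocol": "TCP", "number": 44}},
                     {"name": "tcp-svc2", "hosts": ["test-tcp.com"], "byEgressGateway": {"port": 10044},
                      "port": {"name": "tcp", "protocol": "TCP", "number": 444}}]}]}}

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE)) or "policy OK")
```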