Service Mesh (ASM) offers flexible and efficient solutions for egress traffic management that support application security, observability, and reliability. This topic describes the egress traffic management features of ASM and explains the benefits of using an ASM egress gateway.
Rich egress traffic management capabilities
Service Mesh provides a rich set of capabilities for managing Layer 7 (L7) egress traffic, such as traffic routing, observability, and security. You can configure these features as needed.
If an application sends a direct HTTPS request, the mesh proxy treats it as standard TLS traffic, which disables the L7 capabilities of the mesh. Therefore, you must ensure that your application sends HTTP plaintext requests. Depending on your configuration, the mesh either forwards the HTTP requests directly to external services or automatically upgrades them to HTTPS requests.
Traffic routing
When you access HTTP services outside a cluster, you only need to configure a corresponding Service Entry in Service Mesh to use advanced capabilities, such as egress Mirrored traffic and egress proportional traffic routing, and other features provided by virtual services. If the service that you access uses the HTTPS protocol, you must also configure a corresponding DestinationRule. Traffic routing capabilities do not depend on the ASM egress gateway.
Observe egress traffic
If the request is plaintext traffic, you can observe egress traffic using logs, metrics, and tracing without any additional configuration. If the traffic requires encryption, you must configure a Service Entry and a DestinationRule. The application sends plaintext traffic, and the sidecar automatically encrypts and forwards it. This lets you use the full observability capabilities of the mesh. This feature does not depend on an ASM egress gateway.
Introduction to external service management
In Ambient mode, Ztunnel intercepts all traffic that enters and exits application pods. If Ztunnel does not have information about the destination service for the outgoing traffic from an application pod, it forwards the traffic without modification.
By default, when a client sends a request to an external service, Ztunnel does not have information about this service and forwards the request directly.
To strictly control access to external services, you must first deny the application pod from accessing any IP addresses outside the cluster.
After you prevent application pods from directly accessing external services, you can register legitimate external services in the mesh using a ServiceEntry and then enable a Waypoint for it. Ensure that you do not restrict the external access of the Waypoint pod. All traffic to the ServiceEntry is then forwarded to the Waypoint. The Waypoint executes request transformations, security policies, and observability policies, and then forwards the traffic to the actual external service. The traffic path is shown in the following figure:
Example
Step 1: Deploy the test application
Deploy the sample application.
apiVersion: v1 kind: ServiceAccount metadata: name: sleep --- apiVersion: v1 kind: Service metadata: name: sleep labels: app: sleep service: sleep spec: ports: - port: 80 name: http selector: app: sleep --- apiVersion: apps/v1 kind: Deployment metadata: name: sleep spec: replicas: 1 selector: matchLabels: app: sleep template: metadata: labels: app: sleep spec: terminationGracePeriodSeconds: 0 serviceAccountName: sleep containers: - name: sleep image: registry-cn-hangzhou.ack.aliyuncs.com/ack-demo/curl:asm-sleep command: ["/bin/sleep", "infinity"] imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /etc/sleep/tls name: secret-volume volumes: - name: secret-volume secret: secretName: sleep-secret optional: true ---NoteEnsure that Ambient mode is enabled for the namespace where the test application resides.
Test access to an external service.
kubectl exec deployment/sleep -- curl aliyun.com -s -IExpected output:
HTTP/1.1 301 Moved Permanently Server: Tengine Date: Wed, 20 Aug 2025 07:56:27 GMT Content-Type: text/html Content-Length: 239 Connection: keep-alive Location: https://aliyun.com/ EagleEye-TraceId: 0b87b7b217556765878011141ee221 Timing-Allow-Origin: *
Step 3: Use ASM to centrally manage access to external services
In the ASM console, create a namespace named istio-egress and enable Ambient mode for it.
Create a Waypoint in the istio-egress namespace.
kubectl apply -n istio-egress -f - <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: waypoint spec: gatewayClassName: istio-waypoint listeners: - name: mesh port: 15008 protocol: HBONE EOFEnable the Waypoint for the current namespace.
kubectl label namespace istio-egress istio.io/use-waypoint=waypoint --overwrite
Step 4: Create a ServiceEntry and test access
Create the ServiceEntry.
kubectl apply -n istio-egress -f - <<EOF apiVersion: networking.istio.io/v1 kind: ServiceEntry metadata: name: external-svc-aliyun spec: hosts: - aliyun.com location: MESH_EXTERNAL ports: - number: 80 name: http protocol: HTTP - number: 443 name: https protocol: HTTPS resolution: DNS EOFTest the access.
kubectl exec deployment/sleep -- curl aliyun.com -s -IExpected output:
HTTP/1.1 301 Moved Permanently server: envoy date: Mon, 18 Aug 2025 09:36:30 GMT content-type: text/html content-length: 239 location: https://aliyun.com/ eagleeye-traceid: 0be3e0ac17555097903637743e684e timing-allow-origin: * x-envoy-upstream-service-time: 27A 301 status code is returned as expected. This indicates that the request was forwarded through the Waypoint in the istio-egress namespace and successfully reached the external service. You can use the following command to view the Waypoint logs:
kubectl -n istio-egress logs deployments/waypoint | tail -1 | jqExpected output:
{ "authority_for": "aliyun.com", "bytes_received": 0, "bytes_sent": 239, "downstream_local_address": "240.240.0.7:80", "downstream_remote_address": "172.16.5.26:33356", "duration": 24, "istio_policy_status": null, "method": "GET", "path": "/", "protocol": "HTTP/1.1", "request_id": "234a2e8b-e170-42f6-b9db-693cd757974d", "requested_server_name": null, "response_code": 301, "response_flags": "-", "route_name": "default", "start_time": "2025-08-20T08:06:06.502Z", "trace_id": null, "upstream_cluster": "inbound-vip|80|http|aliyun.com;", "upstream_host": "140.205.135.3:80", "upstream_local_address": "172.16.5.23:34524", "upstream_response_time": "23", "upstream_service_time": "23", "upstream_transport_failure_reason": null, "user_agent": "curl/8.8.0", "x_forwarded_for": null }
Step 5: Configure Waypoint to upgrade HTTP requests to HTTPS
By default, Waypoint forwards requests using the same protocol it receives. For example, if an application sends an HTTP request, Waypoint uses HTTP to access the external service. If an application uses HTTPS, Waypoint directly forwards the HTTPS traffic.
However, because HTTPS traffic is encrypted, Waypoint cannot inspect its L7 information. It can only perform TCP-level authentication and traffic routing, and cannot use advanced L7 capabilities. In this scenario, you can send HTTP requests from the application and have Waypoint upgrade them to HTTPS for accessing the external service. Because the connection between the application and Waypoint uses mutual TLS (mTLS), the entire path remains encrypted.
Update the ServiceEntry so that if the application accesses port 80, Waypoint forwards the request to port 443 of the external service.
kubectl apply -n istio-egress -f - <<EOF apiVersion: networking.istio.io/v1 kind: ServiceEntry metadata: name: external-svc-aliyun spec: hosts: - aliyun.com location: MESH_EXTERNAL ports: - number: 80 name: http protocol: HTTP targetPort: 443 - number: 443 name: https protocol: HTTPS resolution: DNS EOFConfigure a DestinationRule to instruct Waypoint to upgrade the connection to HTTPS.
kubectl apply -n istio-egress -f - <<EOF apiVersion: networking.istio.io/v1 kind: DestinationRule metadata: name: aliyun-com spec: host: aliyun.com trafficPolicy: portLevelSettings: - port: number: 80 tls: mode: SIMPLE EOFTest the access.
kubectl exec deployment/sleep -- curl aliyun.com -s -IExpected output:
HTTP/1.1 301 Moved Permanently server: envoy date: Mon, 18 Aug 2025 09:36:30 GMT content-type: text/html content-length: 239 location: https://aliyun.com/ eagleeye-traceid: 0be3e0ac17555097903637743e684e timing-allow-origin: * x-envoy-upstream-service-time: 27Check the Waypoint logs again. You can see that the request was forwarded to port 443.