Manage access from in-cluster clients to external services - Alibaba Cloud Service Mesh

When in-cluster applications access external services, traffic leaves the cluster without visibility or policy enforcement. Service Mesh (ASM) in Ambient mode routes egress traffic through a Waypoint proxy, giving you centralized L7 traffic policies, security controls, and full observability -- without changing application code.

This topic explains how ASM manages egress traffic and walks through a complete example: registering an external service, routing traffic through a Waypoint, and upgrading HTTP to HTTPS.

Use cases

Centralized egress management applies when your organization needs to:

Enforce security policies on outbound traffic -- Restrict which external services workloads can reach and apply L7 authorization policies.
Observe all outbound requests -- Collect logs, metrics, and traces for traffic leaving the cluster without instrumenting each application.
Upgrade HTTP to HTTPS transparently -- Send plaintext HTTP from applications while the Waypoint handles TLS origination, keeping the full path encrypted with mutual TLS (mTLS).

How egress traffic management works

L7 traffic capabilities

ASM provides L7 egress traffic management for HTTP services, including traffic routing, observability, and security. Applications must send HTTP plaintext requests. Depending on your configuration, ASM either forwards the requests directly or upgrades them to HTTPS.

Note

If an application sends a direct HTTPS request, the mesh proxy treats it as standard TLS traffic, which disables L7 capabilities. To use L7 features such as traffic mirroring, routing, and observability, ensure your application sends HTTP plaintext requests. Depending on your configuration, ASM either forwards the HTTP requests directly to external services or automatically upgrades them to HTTPS.

Traffic routing

To use L7 routing features for external services -- such as traffic mirroring and proportional traffic routing, and other features provided by virtual services -- create a ServiceEntry for the target service. If the external service uses HTTPS, also create a DestinationRule. These routing capabilities do not require an ASM egress gateway.

Observability

For plaintext HTTP traffic, ASM automatically collects logs, metrics, and traces with no extra configuration. For encrypted traffic, create a ServiceEntry and DestinationRule so the application sends plaintext while the sidecar encrypts and forwards it, preserving full L7 observability. Observability does not require an ASM egress gateway.

Traffic flow in Ambient mode

In Ambient mode, Ztunnel intercepts all traffic entering and leaving application pods. If Ztunnel has no information about a destination, it forwards traffic without modification. By default, requests to external services pass through unmodified.

To strictly control egress access:

Deny application pods from reaching IP addresses outside the cluster.
Register legitimate external services in the mesh using a ServiceEntry.
Enable a Waypoint for the ServiceEntry namespace.

All traffic to the registered ServiceEntry then flows through the Waypoint, which applies request transformations, security policies, and observability policies before forwarding to the external service.

Important

Do not restrict the external access of the Waypoint pod itself. The Waypoint must be able to reach external destinations to forward traffic on behalf of your applications.

Security considerations

When configuring egress controls, keep these points in mind:

Keep the Waypoint pod unrestricted. The Waypoint needs direct external access to forward traffic. Apply access restrictions only to application pods.
mTLS protects in-mesh segments. Traffic between the application pod and the Waypoint is encrypted with mTLS. For full end-to-end encryption, configure TLS origination at the Waypoint (see Step 4: Upgrade HTTP to HTTPS at the Waypoint).

Route egress traffic through a Waypoint

This example deploys a test application, creates a Waypoint in a dedicated namespace, registers an external service, and verifies that traffic flows through the Waypoint.

Prerequisites

Before you begin, make sure you have:

An ASM instance with Ambient mode enabled
kubectl access to the cluster
A namespace with Ambient mode enabled for the test application

Step 1: Deploy a test application

Apply the following manifest to deploy the sleep application.

Note

Ambient mode must be enabled for the namespace where the sleep application runs.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
---
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
    service: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      terminationGracePeriodSeconds: 0
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: registry-cn-hangzhou.ack.aliyuncs.com/ack-demo/curl:asm-sleep
        command: ["/bin/sleep", "infinity"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true

Verify that the application can reach an external service.

kubectl exec deployment/sleep -- curl aliyun.com -s -I

Expected output:

HTTP/1.1 301 Moved Permanently
Server: Tengine
Date: Wed, 20 Aug 2025 07:56:27 GMT
Content-Type: text/html
Content-Length: 239
Connection: keep-alive
Location: https://aliyun.com/

The Server: Tengine header confirms the request reached the external service directly, without passing through a Waypoint.

Step 2: Set up a Waypoint in a dedicated namespace

In the ASM console, create a namespace named istio-egress and enable Ambient mode for it.

Deploy a Waypoint in the istio-egress namespace.

kubectl apply -n istio-egress -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
EOF

Activate the Waypoint for the namespace.

kubectl label namespace istio-egress istio.io/use-waypoint=waypoint --overwrite

Step 3: Register an external service and test

Create a ServiceEntry to register the external service in the mesh.

kubectl apply -n istio-egress -f - <<EOF
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: external-svc-aliyun
spec:
  hosts:
  - aliyun.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
EOF

Test the access.

kubectl exec deployment/sleep -- curl aliyun.com -s -I

Expected output:

HTTP/1.1 301 Moved Permanently
server: envoy
date: Mon, 18 Aug 2025 09:36:30 GMT
content-type: text/html
content-length: 239
location: https://aliyun.com/
x-envoy-upstream-service-time: 27

Two changes confirm the request now flows through the Waypoint:

The server header changed from Tengine to envoy.
The response includes x-envoy-upstream-service-time.

View the Waypoint access logs for more detail.

kubectl -n istio-egress logs deployments/waypoint | tail -1 | jq

Expected output:

{
  "authority_for": "aliyun.com",
  "bytes_received": 0,
  "bytes_sent": 239,
  "downstream_local_address": "240.240.0.7:80",
  "downstream_remote_address": "172.16.5.26:33356",
  "duration": 24,
  "method": "GET",
  "path": "/",
  "protocol": "HTTP/1.1",
  "response_code": 301,
  "route_name": "default",
  "upstream_cluster": "inbound-vip|80|http|aliyun.com;",
  "upstream_host": "140.205.135.3:80",
  "upstream_response_time": "23",
  "upstream_service_time": "23",
  "user_agent": "curl/8.8.0"
}

The log entry shows the request reached aliyun.com at port 80 and returned a 301 response, confirming the Waypoint processed the request.

Step 4: Upgrade HTTP to HTTPS at the Waypoint

By default, the Waypoint forwards requests using the protocol it receives. If an application sends HTTPS directly, the Waypoint cannot inspect L7 information because the payload is already encrypted -- it can only apply TCP-level policies.

A better approach: send HTTP from the application and let the Waypoint upgrade the connection to HTTPS. The path between the application and the Waypoint is protected by mTLS, so the entire traffic path stays encrypted.

Update the ServiceEntry to map port 80 to the external service's port 443.

kubectl apply -n istio-egress -f - <<EOF
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: external-svc-aliyun
spec:
  hosts:
  - aliyun.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
EOF

Create a DestinationRule to instruct the Waypoint to initiate a TLS connection.

kubectl apply -n istio-egress -f - <<EOF
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: aliyun-com
spec:
  host: aliyun.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE
EOF

Verify the upgrade.

kubectl exec deployment/sleep -- curl aliyun.com -s -I

Expected output:

HTTP/1.1 301 Moved Permanently
server: envoy
date: Mon, 18 Aug 2025 09:36:30 GMT
content-type: text/html
content-length: 239
location: https://aliyun.com/
x-envoy-upstream-service-time: 27

Check the Waypoint logs to confirm the request was forwarded to port 443 instead of port 80.

What to do next

Configure traffic mirroring for egress traffic
Set up proportional traffic routing for external services