
Alibaba Cloud Service Mesh:ASMEgressTrafficPolicy CRD description

Last Updated:Dec 01, 2025

In Service Mesh (ASM) instances of version 1.16.4 and later, you can use the ASMEgressTrafficPolicy CustomResourceDefinition (CRD). This CRD defines how an egress gateway controls access to external services. You can combine it with sidecar proxies and authorization policies to further control egress traffic. This topic provides YAML examples and describes the fields of the ASMEgressTrafficPolicy CRD.

YAML examples

Example 1: Allow access to a specific external service through an egress gateway

The sleep-a service in the mytest namespace can access http://www.httpbin.org on port 80 of the egress gateway named egressgateway-a.

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMEgressTrafficPolicy
metadata:
  name: egress-by-egressgateway-a  # Naming convention: The name must be the same as that of the egress gateway.
  namespace: istio-egress                # Namespace convention: The namespace must be istio-egress.
spec:
  byEgressGateway:
    name: egressgateway-a
  egressRules:
  - from:
    - namespace: mytest
      workloadSelector:
        app: sleep-a
    to:
    - name: httpbin-service-http
      hosts:
      - www.httpbin.org  # The multiple domain names must be resolved to the same IP address by DNS.
      - httpbin.org      # The multiple domain names must be resolved to the same IP address by DNS.
      port:
        name: http
        number: 80
        protocol: HTTP
      byEgressGateway:
        port: 80        # Sidecar → 80 Gateway → 80 Service (httpbin.org)

Example 2: Allow some services to access specific external services through an egress gateway and upgrade HTTP requests to HTTPS requests

  • The sleep-a service in the mytest namespace can access http://www.httpbin.org on port 80 of the egress gateway named egressgateway-a. The egress gateway upgrades the HTTP requests to HTTPS.

  • The sleep-a service in the mytest namespace can access https://www.httpbin.org on port 444 of the egress gateway named egressgateway-a.

  • The sleep-b service in the mytest namespace can access https://www.aliyun.com on port 445 of the egress gateway named egressgateway-a.

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMEgressTrafficPolicy
metadata:
  name: egress-by-egressgateway-a  # Naming convention: The name must be the same as that of the egress gateway.
  namespace: istio-egress                # Namespace convention: The namespace must be istio-egress.
spec:
  byEgressGateway:
    name: egressgateway-a
  egressRules:
  - from:
    - namespace: mytest
      workloadSelector:
        app: sleep-a
    to:
    - name: httpbin-service-http
      hosts:
      - www.httpbin.org  # The multiple domain names must be resolved to the same IP address by DNS.
      - httpbin.org      # The multiple domain names must be resolved to the same IP address by DNS.
      port:
        name: http
        number: 80
        protocol: HTTP
      byEgressGateway:
        port: 80        # Sidecar → 80 Gateway → 80 Service (httpbin.org)
      httpsUpgrade:
        enabled: true   # If enabled is set to false, the port specified in httpsUpgrade does not take effect.
        port: 443       # Sidecar → 80 Gateway → 443 Service (httpbin.org)
    - name: httpbin-service-https
      hosts:
      - www.httpbin.org
      - httpbin.org
      port:
        name: https
        number: 443
        protocol: HTTPS
      byEgressGateway:
        port: 444
  - from:
    - namespace: mytest
      workloadSelector:
        app: sleep-b
    to:
    - name: aliyun-service-https
      hosts:
      - www.aliyun.com
      port:
        name: https
        number: 443
        protocol: HTTPS
      byEgressGateway:
        port: 445

Example 3: Access external services over HTTP and TCP and automatically assign egress gateway ports

Starting from version 1.24.6.45, you can use ASMEgressTrafficPolicy to configure external services that use TCP. Because each TCP service requires its own egress gateway port, ASM can automatically assign redirection ports on the egress gateway. The default assignment range is 10000 to 20000. You do not need to modify these ports manually, and they do not affect your services. The following example shows the configuration:

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMEgressTrafficPolicy
metadata:
  name: egress-by-egressgateway-a  # Naming convention: The name must be the same as that of the egress gateway.
  namespace: istio-egress                # Namespace convention: The namespace must be istio-egress.
spec:
  byEgressGateway:
    name: egressgateway-a
  egressRules:
  - from:
    - namespace: default
      workloadSelector:
        app: sleep
    to:
    - name: aliyun-com-http  # http route
      hosts:
      - aliyun.com
      port:
        name: http
        number: 80
        protocol: HTTP
    - name: aliyun-https    # https route
      hosts:
      - aliyun.com
      port:
        name: https
        number: 443
        protocol: HTTPS
    - name: https-upgrade  # http upgrade to https
      hosts:
      - taobao.com
      port:
        name: http
        protocol: HTTP
        number: 80
      httpsUpgrade:
        enabled: true
        port: 443
    - name: tcp-svc1      # tcp svc 1
      hosts:
      - 1.1.1.1
      port:
        name: tcp
        protocol: TCP
        number: 44
    - name: tcp-svc2      # tcp svc 2
      hosts:
      - test-tcp.com
      port:
        name: tcp
        protocol: TCP
        number: 444

Important

To use a domain name to access an external TCP service, make sure that the ASM DNS proxy feature is enabled. For more information, see Use DNS proxy in ASM.

Field descriptions

Spec

  Field            Type             Required  Description
  byEgressGateway  ByEgressGateway  Yes       The egress gateway that is used to access external services.
  egressRules      EgressRule[]     Yes       The egress traffic rules.

ByEgressGateway

  Field  Type    Required  Description
  name   string  Yes       The name of the egress gateway. We recommend that the gateway name does not exceed 32 characters.
  port   uint32  No        A port of the egress gateway.

  • For the byEgressGateway field under Spec, you only need to specify the name, not the port.

  • For the byEgressGateway field in To, you only need to specify the port, not the name.

EgressRule

  Field  Type    Required  Description
  name   string  No        The name of the rule.
  from   From[]  Yes       The source of egress traffic, which is the request initiator.
  to     To[]    Yes       The destination of egress traffic, which is the external target service of the request.

From

  Field             Type               Required  Description
  namespace         string             Yes       The namespace where the service that initiates the requests resides.
  workloadSelector  map[string]string  No        The filter that is used to select source services of egress traffic based on labels.

To

  Field            Type             Required  Description
  name             string           Yes       The name of the external service.
  hosts            string[]         Yes       The domain names of the external service. You can configure multiple domain names, but they must point to the same site.
  port             Port             Yes       The port of the external service.
  byEgressGateway  ByEgressGateway  Yes       Accesses the external service through a specific port of the egress gateway.
  httpsUpgrade     HttpsUpgrade     No        Specifies whether to upgrade requests to HTTPS. The HTTP requests that a service sends to the external service are upgraded to HTTPS requests by the egress gateway.

  • Starting from ASM 1.24.6.45, if all byEgressGateway fields in the To sections of an ASMEgressTrafficPolicy are empty, ASM automatically assigns ports for all services.

HttpsUpgrade

  Field    Type    Required  Description
  enabled  bool    Yes       Specifies whether to upgrade requests to HTTPS.
  port     uint32  Yes       The HTTPS port of the external service.
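The examples and field descriptions above state several conventions that the CRD schema alone does not enforce: the istio-egress namespace, name-only byEgressGateway under spec and port-only under to, the httpsUpgrade port that is ignored while enabled is false, distinct gateway ports for TCP services, the DNS proxy requirement for TCP by domain name, and the all-or-nothing rule for automatic port assignment. The following linter is an added example, not ASM's own code: it takes the dict that yaml.safe_load() would produce for a policy, and the SAMPLE policy it ships with is constructed for illustration.

```python
"""Lint an ASMEgressTrafficPolicy against the conventions stated on this page.
Added example, not ASM's own code; input is the dict yaml.safe_load() would return."""
import ipaddress

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means the policy follows the page's rules."""
    out, meta, spec = [], policy.get("metadata", {}), policy.get("spec", {})
    if meta.get("namespace") != "istio-egress":
        out.append("metadata.namespace must be istio-egress")
    gw = spec.get("byEgressGateway", {})
    if not gw.get("name") or "port" in gw:
        out.append("spec.byEgressGateway must set name only, not port")
    tcp_ports, explicit = {}, []  # gateway port -> TCP service; per-service "port given" flag
    for t in (t for rule in spec.get("egressRules", []) for t in rule.get("to", [])):
        name, port, bgw = t.get("name", "?"), t.get("port", {}), t.get("byEgressGateway")
        explicit.append(bgw is not None)
        if bgw is not None and ("name" in bgw or "port" not in bgw):
            out.append(f"{name}: to.byEgressGateway must set port only, not name")
        up = t.get("httpsUpgrade")
        if up and not up.get("enabled") and "port" in up:
            out.append(f"{name}: httpsUpgrade.port has no effect while enabled is false")
        if port.get("protocol") == "TCP":
            if bgw and bgw.get("port") in tcp_ports:  # each TCP service needs its own gateway port
                out.append(f"{name}: gateway port {bgw['port']} already used by {tcp_ports[bgw['port']]}")
            elif bgw:
                tcp_ports[bgw["port"]] = name
            if any(not _is_ip(h) for h in t.get("hosts", [])):
                out.append(f"{name}: TCP by domain name needs the ASM DNS proxy enabled")
    if any(explicit) and not all(explicit):  # page defines auto-assignment only for the all-empty case
        out.append("byEgressGateway is set on some services only; ASM 1.24.6.45+ auto-assigns ports (10000-20000) only when all are empty")
    return out

def _svc(name, host, proto, number, **extra):  # builds one `to` entry for the constructed sample
    return {"name": name, "hosts": [host], "port": {"name": proto.lower(), "number": number, "protocol": proto}, **extra}

# Constructed sample (not from the page): wrong namespace, disabled httpsUpgrade with a port, two TCP services on port 10001.
SAMPLE = {"metadata": {"name": "egress-by-egressgateway-a", "namespace": "default"},
          "spec": {"byEgressGateway": {"name": "egressgateway-a"}, "egressRules": [{
              "from": [{"namespace": "mytest", "workloadSelector": {"app": "sleep"}}],
              "to": [_svc("web", "www.httpbin.org", "HTTP", 80, byEgressGateway={"port": 80},
                          httpsUpgrade={"enabled": False, "port": 443}),
                     _svc("tcp-1", "1.1.1.1", "TCP", 44, byEgressGateway={"port": 10001}),
                     _svc("tcp-2", "test-tcp.com", "TCP", 444, byEgressGateway={"port": 10001})]}]}}
```

Running lint_policy(SAMPLE) returns the four findings that correspond to the planted defects; a policy shaped like Example 1 returns an empty list.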

References

Manage egress traffic using ASMEgressTrafficPolicy