
Alibaba Cloud Service Mesh:Deny egress traffic from a namespace to an external website

Last Updated:Mar 11, 2026

Kubernetes NetworkPolicy provides L3/L4 network isolation but cannot enforce application-level access control. Service Mesh (ASM) uses a zero-trust model: you create authorization policies that dynamically allow or deny egress traffic from services in a namespace to external websites, without code changes.

This walkthrough blocks HTTP egress from all services in the demo-frontend namespace to www.aliyun.com. The same pattern applies to any namespace and external host.

Prerequisites

Before you begin, make sure that you have:

Step 1: Deploy a test service

Deploy a sleep service in the demo-frontend namespace to generate egress traffic for testing.

  1. Connect to the cluster with kubectl. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

  2. Save the following YAML as sleep.yaml:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: sleep
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: sleep
      labels:
        app: sleep
        service: sleep
    spec:
      ports:
      - port: 80
        name: http
      selector:
        app: sleep
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: sleep
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: sleep
      template:
        metadata:
          labels:
            app: sleep
        spec:
          terminationGracePeriodSeconds: 0
          serviceAccountName: sleep
          containers:
          - name: sleep
            image: curlimages/curl
            command: ["/bin/sleep", "3650d"]
            imagePullPolicy: IfNotPresent
            volumeMounts:
            - mountPath: /etc/sleep/tls
              name: secret-volume
          volumes:
          - name: secret-volume
            secret:
              secretName: sleep-secret
              optional: true
  3. Apply the manifest:

    kubectl apply -f sleep.yaml -n demo-frontend
  4. Verify that the sidecar proxy is injected:

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, click the name of the target cluster. In the left-side navigation pane, choose Workloads > Pods.

    3. Select demo-frontend from the Namespace drop-down list, then click the pod name of the sleep service.

    4. On the Container tab, confirm that a container named istio-proxy exists. This indicates that the sidecar proxy is running.

Step 2: Create an egress gateway

An egress gateway centralizes outbound traffic from the mesh so that authorization policies can enforce access control at a single point. Create an egress gateway named egressgateway. For detailed instructions, see Create an egress gateway.

Step 3: Restrict outbound traffic and register the external host

By default, services in an ASM instance can reach any external endpoint. Switch the mesh-level outbound traffic policy to REGISTRY_ONLY to block access to hosts not registered as service entries.

Set the outbound traffic policy

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy Setting.

  3. On the global tab, set Outbound Traffic Policy to REGISTRY_ONLY, then click Update Settings.

Register www.aliyun.com as a service entry

  1. On the ASM instance details page, in the left-side navigation pane, choose Cluster & Workload Management > External Service(ServiceEntry).

  2. Click Create from YAML. Select istio-system from the Namespace drop-down list and paste the following YAML:

    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      name: aliyuncom-ext
      namespace: istio-system
    spec:
      hosts:
        - www.aliyun.com
      location: MESH_EXTERNAL
      ports:
        - name: http
          number: 80
          protocol: HTTP
        - name: tls
          number: 443
          protocol: TLS
      resolution: DNS
  3. Click Create.

Step 4: Route egress traffic through the gateway

Create three Istio resources to route traffic from the demo-frontend namespace through the egress gateway to www.aliyun.com. The Gateway and DestinationRule enforce mutual TLS (mTLS) between the sidecar proxy and the egress gateway.

Istio gateway

Create the following gateway in the istio-system namespace. For more information, see Manage Istio gateways.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTPS
      tls:
        mode: ISTIO_MUTUAL     # Requires mTLS for all egress traffic
      hosts:
        - '*'

Setting mode to ISTIO_MUTUAL means that services must pass mesh-managed mTLS authentication before reaching any external host.

Destination rule

Create the following destination rule in the demo-frontend namespace. For more information, see Manage destination rules.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: target-egress-gateway
  namespace: demo-frontend
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
    - name: target-egress-gateway-mTLS
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN
        tls:
          mode: ISTIO_MUTUAL   # mTLS to the egress gateway

Virtual service

Create the following virtual service in the demo-frontend namespace. For more information, see Manage virtual services.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: example-com-through-egress-gateway
  namespace: demo-frontend
spec:
  exportTo:
    - istio-system
    - demo-frontend
  gateways:
    - mesh
    - istio-system/istio-egressgateway
  hosts:
    - www.aliyun.com
  http:
    - match:
        - gateways:
            - mesh              # Matches traffic from sidecar proxies
          port: 80
      route:
        - destination:
            host: istio-egressgateway.istio-system.svc.cluster.local
            port:
              number: 80
            subset: target-egress-gateway-mTLS
          weight: 100
    - match:
        - gateways:
            - istio-system/istio-egressgateway   # Matches traffic at the egress gateway
          port: 80
      route:
        - destination:
            host: www.aliyun.com
            port:
              number: 80
          weight: 100

The http section defines two routing rules:

Rule                | Gateway match                    | Behavior
Sidecar-to-gateway  | mesh                             | Forwards traffic from pods in demo-frontend to the egress gateway
Gateway-to-external | istio-system/istio-egressgateway | Forwards traffic from the egress gateway to www.aliyun.com

Step 5: Create a DENY authorization policy

Create an authorization policy that instructs the egress gateway to deny all traffic originating from the demo-frontend namespace.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Mesh Security Center > AuthorizationPolicy. Click Create.

  3. Configure the following parameters:

    Parameter                              | Value
    Name                                   | A descriptive name for the policy
    Policy Type                            | DENY
    ASM Gateway (on the Gateway Scope tab) | egressgateway
    Request Matching Rules                 | In Add Request Source, enable Namespaces and set the value to demo-frontend
  4. Click Create.

Step 6: Verify the policy

Confirm that services in the demo-frontend namespace can no longer reach www.aliyun.com.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the cluster name. In the left-side navigation pane, choose Workloads > Pods.

  3. Select demo-frontend from the Namespace drop-down list. Find the sleep pod and click Terminal > sleep in the Actions column.

  4. Run the following command:

    curl -I http://www.aliyun.com

    Expected output:

    HTTP/1.1 403 Forbidden
    content-length: 19
    content-type: text/plain
    date: Thu, 12 Oct 2023 07:14:09 GMT
    server: envoy
    x-envoy-upstream-service-time: 4

    The 403 Forbidden response confirms that the authorization policy blocks egress traffic from the demo-frontend namespace to www.aliyun.com. The server: envoy header indicates that the Envoy-based egress gateway intercepted the request, not the external host.
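The following script is an added example and is not part of the ASM documentation or its console flow. It serves two purposes: it renders the kubectl equivalent of the AuthorizationPolicy that the console steps in Step 5 create (a DENY policy on the egress gateway for any request whose source workload lives in demo-frontend), and it checks a `curl -I` response for the Step 6 result (a 403 served by Envoy). It assumes the egress gateway pods carry the label `istio: egressgateway`, which is the label the Gateway resource in Step 4 selects on, and that the policy is created in istio-system where the gateway runs. The function names `render_deny_policy` and `egress_denied`, the policy name `deny-<namespace>-egress`, and the sample responses are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the ASM documentation. Assumes the egress gateway
# pods are labelled istio: egressgateway and run in istio-system.

# Emit an Istio AuthorizationPolicy that denies, at the egress gateway,
# every request whose source workload lives in the namespace given as $1.
render_deny_policy() {
  ns="$1"
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-${ns}-egress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: egressgateway
  action: DENY
  rules:
    - from:
        - source:
            namespaces: ["${ns}"]
EOF
}

# Return 0 when a "curl -I" response (passed as one string) shows the
# gateway's 403, 1 otherwise. Both the status line and the server header
# are checked so that a 403 from the external host itself is not mistaken
# for the policy firing.
egress_denied() {
  resp=$(printf '%s\n' "$1" | tr -d '\r')
  printf '%s\n' "$resp" | head -n 1 | grep -q '^HTTP/[0-9.]* 403' || return 1
  printf '%s\n' "$resp" | grep -qi '^server: envoy' || return 1
  return 0
}

# Constructed sample responses so the check can be exercised offline.
SAMPLE_DENIED='HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
server: envoy'

SAMPLE_ALLOWED='HTTP/1.1 200 OK
server: Tengine'

# Usage against a real cluster (needs kubectl access; assumed, not run here):
#   sh deny-egress.sh apply demo-frontend
if [ "${1:-}" = "apply" ]; then
  target_ns="${2:-demo-frontend}"
  render_deny_policy "$target_ns" | kubectl apply -f -
  resp=$(kubectl -n "$target_ns" exec deploy/sleep -c sleep -- \
         curl -sI http://www.aliyun.com)
  if egress_denied "$resp"; then
    echo "egress from $target_ns denied at the gateway"
  else
    echo "egress from $target_ns was NOT denied; check the policy and mTLS" >&2
    exit 1
  fi
fi
```

The policy matches on `source.namespaces`, which Istio derives from the peer certificate presented over mTLS. That is why the `ISTIO_MUTUAL` settings in Step 4 are not optional for this design: if the sidecar-to-gateway hop were plaintext, the gateway would have no authenticated source identity and the namespace rule would never match.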

See also