This topic describes how to configure a Microservices Engine (MSE) cloud-native gateway as an egress gateway.
An egress gateway is an edge gateway that connects internal and external networks and is used to control network traffic and enable remote access and communications. An MSE cloud-native gateway offers high performance, high integration, elasticity, and rolling updates, and it can also serve as an egress gateway.
MSE cloud-native gateways are managed gateway services that are deployed in standalone mode. They are not affected by Container Service for Kubernetes (ACK) clusters and therefore provide high stability.
MSE cloud-native gateways provide a variety of Layer-7 HTTP protocol governance capabilities, including IP address blacklists and whitelists, throttling, load balancing, Transport Layer Security (TLS) offloading, traffic mirroring, and header control.
You do not need to enable Internet access for every pod in an ACK cluster. Enabling Internet access only for the MSE cloud-native gateway gives you tighter access control, because all egress traffic passes through one point. If you enable Internet access for the MSE cloud-native gateway, you must enable Source Network Address Translation (SNAT) for the vSwitch to which the gateway is attached.
Step 1: Install MSE Ingress Controller
Install MSE Ingress Controller in an existing ACK or Serverless Kubernetes (ASK) cluster. You can also install MSE Ingress Controller when you create a cluster. For more information, see the "Install the MSE Ingress Controller component" section in Manage the MSE Ingress Controller component.
Step 2: Create an MseIngressConfig resource to create an MSE cloud-native gateway or associate the created MseIngressConfig resource with an existing MSE cloud-native gateway
MseIngressConfig is a CustomResourceDefinition (CRD) that is provided by MSE Ingress Controller. You can create an MseIngressConfig resource and use the created MseIngressConfig resource to create an MSE cloud-native gateway. You can also associate the created MseIngressConfig resource with an existing MSE cloud-native gateway. For more information, see the "Create a cloud-native gateway" section in Configure an MseIngressConfig.
You only need to create an internal-facing Classic Load Balancer (CLB) instance when you create the gateway. Sample configuration:
- "vsw-xxxx" # The ID of the vSwitch that is associated with the MSE cloud-native gateway. You must configure the vSwitch ID when you create a gateway.
If you do not select Configure SNAT for VPC when you create an ACK or ACK Serverless cluster, the created cluster cannot access the Internet. You must configure SNAT for the MSE cloud-native gateway to support Internet access.
To support Internet access, you must use SNAT entries of a network address translation (NAT) gateway. For more information about how to create a NAT gateway, see Use the SNAT feature of an Internet NAT gateway to access the Internet. Then follow Step 3 (Create an SNAT entry) in that topic to create the SNAT entry. When you do, select Specify vSwitch and add the vSwitch ID from the MseIngressConfig resource to the entry.
Step 3: Create a Kubernetes service of the ExternalName type and associate the service with an external service
Create a Kubernetes service of the ExternalName type and map the service name to the external DNS name. For example, if you want to access the Alibaba Cloud MSE product page from the Kubernetes cluster, you can use the following configuration:
- name: port1
- name: port2
Step 4: Configure a routing rule for the service of the ExternalName type created in Step 3
- host: www.aliyun.com # The domain name.
name: aliyun-svc-external # The name of the service of the ExternalName type.
path: /product/aliware/mse # The MSE access path.
- ip: 192.168.2.130
After you save the preceding configuration as a file named mse-ingress.yaml, run the kubectl apply -f mse-ingress.yaml command to apply the configuration. Then, run the kubectl get ingress mse-ingress -o yaml command to view information about the Ingress resource and obtain the CLB IP address of the MSE cloud-native gateway. Sample output:
nginx.ingress.kubernetes.io/backend-protocol: HTTPS # The HTTPS protocol that is used for the service routing from the gateway to the backend Alibaba Cloud services.
- host: www.aliyun.com
- ip: xx.xx.xx.xx # The CLB IP address of the MSE cloud-native gateway.
Step 5: Test access to MSE by using a pod
curl http://www.aliyun.com/product/aliware/mse --resolve www.aliyun.com:80:xx.xx.xx.xx
xx.xx.xx.xx indicates the CLB IP address that is obtained in Step 4.
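The complete manifests for Steps 3 and 4, as an added example reconstructed from the fragments above rather than the page's own code. The ingressClassName mse, the port numbers 80 and 443, and the pathType are assumptions; the service name, external host, path and backend-protocol annotation come from the page.

```yaml
# Added example: ExternalName Service plus Ingress so that traffic to
# www.aliyun.com from the cluster leaves through the MSE cloud-native gateway.
apiVersion: v1
kind: Service
metadata:
  name: aliyun-svc-external      # name referenced by the Ingress backend
  namespace: default
spec:
  type: ExternalName
  externalName: www.aliyun.com   # external DNS name the service maps to
  ports:
    - name: port1
      port: 80                   # assumption: plain HTTP port
      targetPort: 80
    - name: port2
      port: 443                  # assumption: HTTPS port used by the gateway
      targetPort: 443
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mse-ingress
  namespace: default
  annotations:
    # The gateway uses HTTPS from itself to the external backend.
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  ingressClassName: mse          # assumption: class registered by MSE Ingress Controller
  rules:
    - host: www.aliyun.com       # the domain name matched by the gateway
      http:
        paths:
          - path: /product/aliware/mse   # the MSE access path
            pathType: Prefix             # assumption
            backend:
              service:
                name: aliyun-svc-external
                port:
                  number: 443            # Service port forwarded to (assumption)
```

Because every request to this host now goes through one gateway, the IP address blacklists and whitelists, throttling and header controls listed earlier can be applied to the egress path in a single place.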
Advanced features of MSE cloud-native gateways
For more information about how to use other advanced features of MSE cloud-native gateways based on Ingress resources, see Advanced usage of MSE Ingress.