An Istio service mesh has a few different ways of reaching services that are external to the mesh. External services are all services that are not defined in Istio’s internal service registry, that is, services outside of the mesh. By default, Istio permits requests to unknown or external services. While a permissive configuration is fine for testing purposes, a production environment may require a stricter configuration.
Note: Service Mesh Manager is using Istio’s - and therefore Envoy’s - egress control feature under the hood.
Change the default policy
You can change the default policy for outbound traffic by running the smm istio outbound-traffic-policy <setting> command.
To restrict outbound traffic to known endpoints, run the following command.
smm istio outbound-traffic-policy restricted
mesh wide outbound traffic policy is set to 'REGISTRY_ONLY'
To permit access to an external service, see Allow access only to registered services.
To permit all outbound traffic without restrictions, run the following command. (This is the default setting.)
smm istio outbound-traffic-policy allowed
mesh wide outbound traffic policy is set to 'ALLOW_ANY'
Running smm istio outbound-traffic-policy without a setting returns the current value of the traffic policy. If you haven’t changed the outbound traffic policy yet, it returns “mesh wide outbound traffic policy is not found”, which means that the default Istio setting is used, which is ALLOW_ANY (permits outbound traffic without any restrictions).
Allow access only to registered services
To allow access only to registered external services, complete the following steps.
Note: Accessing external HTTPS services comes with a few constraints.
- All HTTP-related information (method, URL path, response code) is encrypted, so Istio cannot see or monitor that information for HTTPS traffic.
- Service Mesh Manager’s dashboard shows HTTPS as TCP since detailed HTTP-related information is not available.
Change the default outbound traffic policy to block unknown services.
smm istio outbound-traffic-policy restricted
Create ServiceEntry resources for the services you want to permit access to.
ServiceEntry resources add additional entries into Istio’s internal service registry, so that auto-discovered services in the mesh can access/route to these manually specified services. A service entry describes the properties of a service (DNS name, VIPs, ports, protocols, endpoints). These services could be external to the mesh (for example, web APIs) or mesh-internal services that are not part of the platform’s service registry. For more information, see the documentation of the ServiceEntry resource.
For example, the following command creates a ServiceEntry resource that allows HTTP access to the httpbin.org site from the smm-demo namespace.
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin.org
  namespace: smm-demo
spec:
  hosts:
  - httpbin.org
  - www.httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
EOF
(Optional) Test that your pods can access the external service. For example, if you have installed the SMM demo application, you can change the notifications-v1 deployment by running:
kubectl -n smm-demo set env deployment/notifications-v1 'REQUESTS=http://httpbin.org/get#1'
deployment.extensions/notifications-v1 env updated
Once the notifications pods are restarted, the Service Mesh Manager Dashboard displays outgoing calls to httpbin.org.
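The two settings this procedure touches, the mesh-wide outbound policy and the set of MESH_EXTERNAL ServiceEntry resources, are worth checking periodically, for example from CI, so that nobody quietly flips the mesh back to ALLOW_ANY or adds an overly broad entry. The following Python script is an added example, not part of Service Mesh Manager or Istio. It assumes the standard Istio meshConfig layout (outboundTrafficPolicy.mode, unset meaning ALLOW_ANY, as the CLI output above describes) and the ServiceEntry schema shown on this page; the input data is constructed inline to stand in for the meshConfig fragment and the output of kubectl get serviceentry -A -o json.

```python
"""Audit Istio egress configuration: outbound traffic policy and ServiceEntry resources.

Added example, not part of Service Mesh Manager or Istio. Assumes the standard
Istio meshConfig layout (outboundTrafficPolicy.mode) and the
networking.istio.io/v1alpha3 ServiceEntry schema. All input data below is
constructed; in practice it would come from the istio ConfigMap and from
`kubectl get serviceentry -A -o json`.
"""
import json

# Constructed sample standing in for `kubectl get serviceentry -A -o json`.
SERVICE_ENTRIES_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # the entry created on this page: two explicit hosts, plain HTTP
            "apiVersion": "networking.istio.io/v1alpha3",
            "kind": "ServiceEntry",
            "metadata": {"name": "httpbin.org", "namespace": "smm-demo"},
            "spec": {
                "hosts": ["httpbin.org", "www.httpbin.org"],
                "ports": [{"number": 80, "name": "http", "protocol": "HTTP"}],
                "resolution": "DNS",
                "location": "MESH_EXTERNAL",
            },
        },
        {   # constructed: a broad wildcard host over TLS, the kind of entry to review
            "apiVersion": "networking.istio.io/v1alpha3",
            "kind": "ServiceEntry",
            "metadata": {"name": "any-example-tls", "namespace": "default"},
            "spec": {
                "hosts": ["*.example.com"],
                "ports": [{"number": 443, "name": "tls", "protocol": "TLS"}],
                "resolution": "DNS",
                "location": "MESH_EXTERNAL",
            },
        },
    ],
})

# Constructed meshConfig fragments (parsed from the istio ConfigMap in practice).
MESH_CONFIG_RESTRICTED = {"outboundTrafficPolicy": {"mode": "REGISTRY_ONLY"}}
MESH_CONFIG_DEFAULT = {}  # nothing set: Istio's default ALLOW_ANY applies


def outbound_policy_mode(mesh_config):
    """Return the effective mesh-wide outbound policy mode (ALLOW_ANY when unset)."""
    return mesh_config.get("outboundTrafficPolicy", {}).get("mode", "ALLOW_ANY")


def audit_service_entries(entries_json):
    """Return (namespace/name, message) findings for MESH_EXTERNAL ServiceEntry resources."""
    findings = []
    for item in json.loads(entries_json)["items"]:
        meta, spec = item["metadata"], item["spec"]
        ref = f'{meta["namespace"]}/{meta["name"]}'
        if spec.get("location") != "MESH_EXTERNAL":
            continue  # mesh-internal entries are outside the scope of egress review
        for host in spec.get("hosts", []):
            if host.startswith("*"):
                findings.append((ref, f"wildcard host {host}: review whether this breadth is intended"))
        for port in spec.get("ports", []):
            proto = str(port.get("protocol", "")).upper()
            if proto in ("TLS", "HTTPS"):
                # As the page notes, Istio cannot inspect HTTP details inside TLS; dashboards show it as TCP.
                findings.append((ref, f"port {port['number']} is {proto}: no L7 visibility, shown as TCP"))
    return findings


def audit(mesh_config, entries_json):
    """Combine both checks into one report dictionary."""
    mode = outbound_policy_mode(mesh_config)
    return {
        "mode": mode,
        "restricted": mode == "REGISTRY_ONLY",
        "findings": audit_service_entries(entries_json),
    }


if __name__ == "__main__":
    report = audit(MESH_CONFIG_RESTRICTED, SERVICE_ENTRIES_JSON)
    print(f"outbound policy: {report['mode']} (restricted={report['restricted']})")
    for ref, msg in report["findings"]:
        print(f"  {ref}: {msg}")
```

Run against the constructed data, the script reports REGISTRY_ONLY as restricted, raises no finding for the httpbin.org entry, and flags the wildcard host and the TLS port of the second entry; a CI job would typically fail when restricted is false or when any finding appears in a namespace it does not expect.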
Note: To route outgoing traffic through an egress gateway, see Create egress gateway.
Remove access to an external service
To remove access to an external service, delete the ServiceEntry resource of the service, for example:
kubectl delete serviceentry -n smm-demo httpbin.org
serviceentry.networking.istio.io "httpbin.org" deleted
Traffic optimization with SD-WAN
Modern microservice applications rely on an efficient network. Their components often communicate not only among themselves but also with external services, which in many cases are offered by a third party. Optimizing the network between the local application components and the remote services they consume is therefore critical.
Fortunately, in the Istio service mesh these external dependencies are well defined, making it possible for modern Software-Defined Wide Area Network (SD-WAN) solutions to automatically consume information about those external application dependencies and optimize the connectivity between the service mesh and the external services.
Why use SD-WAN with Istio
Istio allows you to improve the security of your infrastructure by managing access to external services. In addition to that, integrating Istio with an SD-WAN solution provides the following benefits:
- Traffic optimization: automatically select the best path for the traffic
- Minimized external service latency: latency can be optimized per service and per location
- Increased external service availability: SD-WAN provides transparent path failover in case of an error
- No extra Istio configuration is needed: after an initial setup everything is automatic, based on the Istio ServiceEntry custom resources whose location is MESH_EXTERNAL
Integrate Istio with SD-WAN
To integrate your Service Mesh Manager deployment with Cisco SD-WAN, follow the documentation of the open source Egress-Watcher. The integration consists of the following high-level steps:
- Configure Cisco vManage (a component of Cisco SD-WAN).
- Download and install Egress-Watcher on your primary Service Mesh Manager cluster.
- Configure Egress-Watcher.