External Services

An Istio service mesh has a few different ways of reaching services that are external to the mesh. External services are everything that is not defined in Istio’s internal service registry, that is, services outside the mesh. By default, Istio permits requests to unknown or external services. While a permissive configuration is fine for testing, a production environment usually needs a stricter one.

Control access to external services

Note: Service Mesh Manager uses Istio’s (and therefore Envoy’s) egress control feature under the hood.

Change the default policy

You can change the default policy for outbound traffic by running the smm istio outbound-traffic-policy <setting> command.

  • To restrict outbound traffic to known endpoints, run the following command.

    smm istio outbound-traffic-policy restricted
    

    Expected output:

    mesh wide outbound traffic policy is set to 'REGISTRY_ONLY'
    

    To permit access to an external service, see Allow access only to registered services.

  • To permit all outbound traffic without restrictions, run the following command. (This is the default setting.)

    smm istio outbound-traffic-policy allowed
    

    Expected output:

    mesh wide outbound traffic policy is set to 'ALLOW_ANY'
    

    Note: Running smm istio outbound-traffic-policy without a setting returns the current traffic policy. If you haven’t changed the outbound traffic policy yet, it returns “mesh wide outbound traffic policy is not found”, which means that the Istio default, ALLOW_ANY (outbound traffic without any restrictions), is in effect.
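Because the smm command only sets Istio’s own mesh-wide outbound policy, it is worth being able to read that setting back from Istio directly when auditing a cluster. The following shell helper is an added example, not part of the Service Mesh Manager documentation or tooling; it assumes the standard Istio layout in which meshConfig is stored under the mesh key of the istio ConfigMap in istio-system, and the sample mesh configs it checks itself against are constructed.

```shell
#!/bin/sh
# Added example (not from the Service Mesh Manager docs): read the mesh-wide
# outbound traffic policy straight from Istio's meshConfig, which is what
# `smm istio outbound-traffic-policy` changes under the hood.
# Assumption: meshConfig lives in ConfigMap istio-system/istio, data key `mesh`.

# outbound_mode: reads meshConfig YAML on stdin and prints the configured mode.
# Prints ALLOW_ANY when outboundTrafficPolicy is absent, because that is
# Istio's built-in default (the "policy is not found" case in the docs above).
outbound_mode() {
  mode=$(awk '
    /^outboundTrafficPolicy:/        { in_policy = 1; next }
    in_policy && /^ +mode:/          { gsub(/"/, "", $2); print $2; exit }
    in_policy && /^[^ ]/             { in_policy = 0 }   # left the block
  ')
  printf '%s\n' "${mode:-ALLOW_ANY}"
}

# policy_is_restricted: succeeds only when outbound traffic is limited to the
# service registry (REGISTRY_ONLY); use it as a guard in deployment checks.
policy_is_restricted() {
  [ "$(outbound_mode)" = "REGISTRY_ONLY" ]
}

# Constructed sample mesh configs covering the three states a cluster can be in.
MESH_PERMISSIVE='accessLogFile: /dev/stdout
outboundTrafficPolicy:
  mode: ALLOW_ANY
'
MESH_RESTRICTED='accessLogFile: /dev/stdout
outboundTrafficPolicy:
  mode: "REGISTRY_ONLY"
enablePrometheusMerge: true
'
MESH_DEFAULT='accessLogFile: /dev/stdout
'

# Live usage (needs cluster access; verify the ConfigMap name on your install):
#   kubectl -n istio-system get configmap istio -o jsonpath='{.data.mesh}' | outbound_mode
```

Because Istio treats a missing outboundTrafficPolicy as ALLOW_ANY, the helper reports that value explicitly instead of printing nothing, so a guard such as policy_is_restricted fails closed on an unconfigured mesh.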

Allow access only to registered services

To allow access only to registered external services, complete the following steps.

Note: Accessing external HTTPS services comes with a few constraints.

  • All HTTP-level information (method, URL path, response code) is inside the encrypted payload, so Istio cannot see or monitor it for HTTPS traffic.
  • Service Mesh Manager’s dashboard shows HTTPS as TCP, since detailed HTTP-level information is not available.

  1. Change the default outbound traffic policy to block unknown services.

    smm istio outbound-traffic-policy restricted
    
  2. Create ServiceEntry resources for the services you want to permit access to.

    ServiceEntry resources add entries to Istio’s internal service registry, so that auto-discovered services in the mesh can access and route to these manually specified services. A service entry describes the properties of a service (DNS name, VIPs, ports, protocols, endpoints). These services can be external to the mesh (for example, web APIs) or mesh-internal services that are not part of the platform’s service registry. For more information, see the documentation of the ServiceEntry resource.

    For example, the following command creates a ServiceEntry resource that allows HTTP access to the httpbin.org site from the smm-demo namespace.

    kubectl apply -f - <<EOF
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: httpbin.org
      namespace: smm-demo
    spec:
      hosts:
      - httpbin.org
      - www.httpbin.org
      ports:
      - number: 80
        name: http
        protocol: HTTP
      resolution: DNS
      location: MESH_EXTERNAL
    EOF
    
  3. (Optional) Test that your pods can access the external service. For example, if you have installed the SMM demo application, you can change the notifications-v1 deployment by running:

    kubectl -n smm-demo set env deployment/notifications-v1 'REQUESTS=http://httpbin.org/get#1'
    

    Expected output:

    deployment.extensions/notifications-v1 env updated
    

    Once the notifications pods have restarted, the Service Mesh Manager dashboard displays outgoing calls to httpbin.org.
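The procedure above shows only a plaintext HTTP entry, while the note on HTTPS constraints explains that TLS traffic is opaque to the mesh. The shell function below is an added example, not part of the Service Mesh Manager documentation, that renders a MESH_EXTERNAL ServiceEntry for either scheme (port 80/HTTP or port 443/HTTPS), validates the host names, and can be piped into kubectl apply exactly like the heredoc above. The resource names and hosts used in the usage line are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the Service Mesh Manager docs): render a
# MESH_EXTERNAL ServiceEntry for one external site over plaintext HTTP
# (port 80) or HTTPS (port 443, which the mesh can only observe as TLS/TCP).

# service_entry NAMESPACE NAME SCHEME HOST [HOST...]
#   SCHEME is http or https. Prints the manifest on stdout; returns 1 on bad
#   input so a pipeline into `kubectl apply -f -` never receives a half-built
#   resource.
service_entry() {
  ns=$1; name=$2; scheme=$3; shift 3
  case $scheme in
    http)  port=80;  proto=HTTP ;;
    https) port=443; proto=HTTPS ;;
    *) echo "service_entry: scheme must be http or https" >&2; return 1 ;;
  esac
  [ $# -ge 1 ] || { echo "service_entry: at least one host is required" >&2; return 1; }
  for h in "$@"; do
    # Only plain DNS names are accepted: wildcard hosts widen the allowlist
    # and IP literals need a different resolution mode, so both are rejected.
    case $h in
      *[!A-Za-z0-9.-]*|"") echo "service_entry: bad host '$h'" >&2; return 1 ;;
    esac
  done
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: $name
  namespace: $ns
spec:
  hosts:
EOF
  for h in "$@"; do printf '  - %s\n' "$h"; done
  cat <<EOF
  ports:
  - number: $port
    name: $scheme
    protocol: $proto
  resolution: DNS
  location: MESH_EXTERNAL
EOF
}

# Usage against a cluster (needs kubectl access; constructed sample names):
#   service_entry smm-demo httpbin-tls https httpbin.org www.httpbin.org | kubectl apply -f -
```

Note that the heredoc terminators inside the function sit at the start of their lines: a plain <<EOF heredoc ends only at an unindented EOF, which is the usual reason a pasted, indented manifest fails to apply.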

Note: To route outgoing traffic through an egress gateway, see Create egress gateway.

Remove access to an external service

To remove access to an external service, delete the ServiceEntry resource of the service, for example:

kubectl delete serviceentry -n smm-demo httpbin.org

Expected output:

serviceentry.networking.istio.io "httpbin.org" deleted
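Before deleting entries, it helps to see the complete set of external hosts the restricted policy currently allows, since every MESH_EXTERNAL ServiceEntry in any namespace widens the mesh-wide allowlist. The helper below is an added example, not part of the Service Mesh Manager documentation: it reads one ServiceEntry per line as tab-separated fields (namespace, name, location, hosts, port protocols), prints one line per reachable external host, and marks plaintext HTTP ports and wildcard hosts for review. The sample entries it parses are constructed, and the kubectl jsonpath in the usage comment is an assumption to verify against your kubectl version.

```shell
#!/bin/sh
# Added example (not from the Service Mesh Manager docs): list the external
# hosts that REGISTRY_ONLY will let workloads reach, from ServiceEntry data.

# list_external: reads lines on stdin, tab-separated:
#   namespace  name  location  "host1 host2 ..."  "PROTO1 PROTO2 ..."
# An empty location counts as MESH_EXTERNAL because that is Istio's default
# for a ServiceEntry that does not set spec.location. Output per host:
#   namespace/name  host  protocols [PLAINTEXT] [WILDCARD]
list_external() {
  awk -F'\t' '
    $3 == "MESH_EXTERNAL" || $3 == "" {
      n = split($4, hosts, " ")
      for (i = 1; i <= n; i++) {
        note = ""
        if ($5 ~ /(^| )HTTP($| )/) note = note " PLAINTEXT"   # unencrypted egress
        if (hosts[i] ~ /^\*/)      note = note " WILDCARD"    # broad allowlist entry
        printf "%s/%s\t%s\t%s%s\n", $1, $2, hosts[i], $5, note
      }
    }'
}

# Constructed sample: what a small cluster's ServiceEntry inventory might look like.
SAMPLE_ENTRIES=$(printf '%s\t%s\t%s\t%s\t%s\n' \
  smm-demo httpbin.org MESH_EXTERNAL 'httpbin.org www.httpbin.org' HTTP \
  payments stripe      MESH_EXTERNAL api.stripe.com               HTTPS \
  default  legacy-db   MESH_INTERNAL legacy-db.internal           TCP \
  tools    github      MESH_EXTERNAL '*.github.com'               'TLS HTTP' \
  ops      slack       ''            hooks.slack.com              HTTPS)

# Live usage (needs cluster access; jsonpath layout is an assumption to verify):
#   kubectl get serviceentries -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.location}{"\t"}{.spec.hosts[*]}{"\t"}{.spec.ports[*].protocol}{"\n"}{end}' | list_external
```

Each line the helper prints is a host that the restricted policy allows; the entry to delete for a given host is the namespace/name pair in the first column, which is exactly the argument the kubectl delete command above takes.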

Traffic optimization with SD-WAN

Modern microservice applications rely on an efficient network, and their services often communicate not only with each other but also with external services, many of which are offered by third parties. Optimizing the network between the local application components and the remote services they consume is therefore critical.

Fortunately, in the Istio service mesh these external dependencies are well defined, making it possible for modern Software-Defined Wide Area Network (SD-WAN) solutions to automatically consume information about those external application dependencies and optimize the connectivity between the service mesh and the external services.

Integrate Istio with SD-WAN

Why use SD-WAN with Istio

Istio allows you to improve the security of your infrastructure by managing access to external services. In addition to that, integrating Istio with an SD-WAN solution provides the following benefits:

  • Traffic optimization: automatically select the best path for the traffic
  • Minimized external service latency: latency can be optimized per service and per location
  • Increased external service availability: SD-WAN provides transparent path failover in case of an error
  • No extra Istio configuration is needed: after an initial setup everything is automatic, based on the Istio ServiceEntry custom resources with MESH_EXTERNAL values

Integrate Istio with SD-WAN

To integrate your Service Mesh Manager deployment with Cisco SD-WAN, follow the documentation of the open source Egress-Watcher. The integration consists of the following high-level steps:

  1. Configure Cisco vManage (a component of Cisco SD-WAN).
  2. Download and install Egress-Watcher on your primary Service Mesh Manager cluster.
  3. Configure Egress-Watcher.