Restrict Outbound Traffic of Workloads
By default, Istio pushes configuration for every workload in the mesh to each Envoy proxy, so every sidecar carries listeners, clusters and endpoints for services it never talks to. In larger meshes this drives up the memory usage of the proxies. Service Mesh Manager can limit the allowed outbound connections of a single workload or of a whole namespace so that each proxy only receives configuration for the destinations it actually needs.
You can set a restriction manually, or you can rely on Service Mesh Manager to give you a recommended configuration based on the current network traffic. For details on how this works, see our blog post about the sidecar resource.
Under the hood, Service Mesh Manager uses Istio's Sidecar resource (and therefore Envoy's configuration scoping). Note that a Sidecar resource only controls which destinations a proxy is configured to reach; it is not an authorization policy. If you need to enforce which workloads are allowed to talk to each other, use Istio's AuthorizationPolicy in addition to the egress restriction.
Restrict outbound traffic from the command line
The following sections describe how to manage outbound traffic restrictions using the smm command-line tool. If you want to use the Service Mesh Manager web interface instead, see Restrict outbound traffic using the UI.
Get an outbound traffic restriction recommendation
- To get a recommendation for a specific workload based on the current traffic, run the following command. (Replace the smm-demo namespace and the payments-v1 workload name as needed for your environment.)

smm sidecar-proxy egress recommend smm-demo --workload payments-v1

Sample output:

Recommended sidecar egress rules for smm-demo/payments-v1
Sidecar         Selector         Hosts                                                          Bind  Port  Capture Mode
smm-demo-rmoy8  app="payments"   ./notifications.smm-demo.svc.cluster.local                     -
                version="v1"     istio-system/istio-telemetry.istio-system.svc.cluster.local

In this case, the recommended configuration only allows connections from the smm-demo/payments-v1 workload to the istio-telemetry service in the istio-system namespace and to the notifications service in the current namespace (from the perspective of the workload, the "./" prefix). Any other destination is left out of the proxy's configuration.

- To get a recommendation for the whole namespace (smm-demo in this case), run the following command.

smm sidecar-proxy egress recommend smm-demo

Sample output:

Recommended sidecar egress rules for namespace smm-demo
Sidecar         Selector  Hosts           Bind  Port  Capture Mode
smm-demo-zy8fq            istio-system/*  -
                          ./*

In this case, the recommendation restricts connections to services in the current namespace and in the istio-system namespace. Because it has no selector, it applies to every sidecar in the namespace that is not matched by a more specific, workload-level Sidecar.

- To apply the recommendations, run the same command again with the --apply switch, for example:

smm sidecar-proxy egress recommend smm-demo --workload payments-v1 --apply

or

smm sidecar-proxy egress recommend smm-demo --apply
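The two recommendations above, written out as the Istio Sidecar resources they correspond to. This is an added illustration and not output captured from Service Mesh Manager: the object names (payments-v1-egress, smm-demo-egress) are assumed, and the objects that smm creates with --apply may be named and laid out differently, although the workloadSelector and egress hosts are exactly the ones shown in the sample output.

```yaml
# Added example: the per-workload recommendation as an Istio Sidecar resource.
# Object names are assumed; the selector and hosts come from the sample output above.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: payments-v1-egress   # assumed name; the sample output showed "smm-demo-rmoy8"
  namespace: smm-demo
spec:
  # Only pods carrying both labels get this scoped configuration.
  workloadSelector:
    labels:
      app: payments
      version: v1
  egress:
  - hosts:
    # "./" means "the namespace this Sidecar lives in", i.e. smm-demo.
    - "./notifications.smm-demo.svc.cluster.local"
    # A fully qualified namespace/host entry for a service in another namespace.
    - "istio-system/istio-telemetry.istio-system.svc.cluster.local"
---
# The namespace-wide recommendation: no workloadSelector, so it becomes the
# default for every sidecar in smm-demo that no workload-level Sidecar selects.
# Istio allows at most one selector-less Sidecar per namespace.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: smm-demo-egress      # assumed name; the sample output showed "smm-demo-zy8fq"
  namespace: smm-demo
spec:
  egress:
  - hosts:
    - "./*"            # every service in the current namespace
    - "istio-system/*" # every service in istio-system
```

After applying either object, you can confirm that the proxy's configuration actually shrank: `istioctl proxy-config cluster <payments-v1 pod> -n smm-demo` should now list only the clusters for the hosts above plus Istio's built-in clusters (for example BlackHoleCluster and PassthroughCluster), instead of a cluster for every service in the mesh. Keep in mind that this scopes configuration only; a workload whose proxy lacks a cluster for some destination is not thereby denied access in the sense of an AuthorizationPolicy.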
Restrict outbound traffic using the UI
To restrict outbound traffic using the Service Mesh Manager web interface, complete the following steps. If you want to use the Service Mesh Manager command line tool instead, see Restrict outbound traffic from the command line.
- Navigate to MENU > TOPOLOGY, or to MENU > WORKLOADS.
  - To restrict outbound traffic for a workload, select a workload.
  - To set outbound traffic restrictions for a namespace, click the name of the namespace (shown in capitals, for example, SMM-DEMO).
- Click PROXY CONFIG >.
- To get rule recommendations based on live traffic, click Automatic recommendation.
- To add a new rule manually, click Add, then select the destination namespace and service where you want to permit traffic.
- To activate your changes, click Apply. The restrictions you configured are shown on the PROXY CONFIG page.