By Xining Wang
To allow the pods in an Alibaba Cloud Service Mesh (ASM) instance to access external services, you can configure an outbound traffic policy, create a service entry for the external service, or limit the CIDR blocks for which outbound access is intercepted by the sidecar proxy. This article describes each method and the trade-off it makes between reachability and control.
In the ASM console, you can set the Outbound Traffic Policy parameter of an ASM instance to control how sidecar proxies treat external services, that is, services that are not registered in Istio's service registry.
• If the Outbound Traffic Policy parameter is set to REGISTRY_ONLY, the sidecar proxies in the ASM instance block requests to any host that has no HTTP service or service entry defined within the mesh. This is an allowlist: a pod can reach only the external destinations the mesh operator has registered.
• If the Outbound Traffic Policy parameter is set to ALLOW_ANY, the sidecar proxies let calls to unknown services pass through. Services in the ASM instance can reach any external service, but traffic to unregistered destinations is neither monitored nor controlled by the mesh.
Note: When the Outbound Traffic Policy parameter is set to ALLOW_ANY and no service entry is defined for an external service, the Envoy proxy passes TCP traffic from the ASM instance through to any IP address and port. This method provides no explicit traffic control and can lead to unexpected behavior, especially when multiple services listen on the same port. To avoid access conflicts, we strongly advise against using this method to access external services such as databases.
We recommend that you define service entries for external services so that the destinations of outbound traffic are explicit, and avoid potential issues and conflicts.
Procedure:
• Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
• On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
• On the details page of the ASM instance, choose Data Plane Component Management > Sidecar Proxy Setting in the left-side navigation pane.
• On the global tab of the Sidecar Proxy Setting page, click External service access strategy, set the External Access Policy parameter to ALLOW_ANY, and then click Update Settings.
In a pod into which a sidecar proxy is injected, run the curl -I command to access an external HTTP or HTTPS service. Success responses are returned, as shown in the following examples. Note the difference between the two responses: the plaintext HTTP response carries the server: envoy header because the sidecar proxied that hop, whereas the HTTPS response comes straight from the origin (server: Tengine) because the TLS session is passed through opaquely and the sidecar cannot see or modify it.
curl -I http://www.aliyun.com/
Expected output:
HTTP/1.1 301 Moved Permanently
server: envoy
date: Mon, 07 Sep 2020 09:28:54 GMT
content-type: text/html
content-length: 239
location: https://www.aliyun.com/
eagleeye-traceid: 0be3e0a615994709353116335ea5ea
timing-allow-origin: *
x-envoy-upstream-service-time: 67
curl -I https://www.aliyun.com/
Expected output:
HTTP/2 200
server: Tengine
date: Mon, 07 Sep 2020 09:16:31 GMT
content-type: text/html; charset=utf-8
vary: Accept-Encoding
vary: Accept-Encoding
strict-transport-security: max-age=31536000
x-download-options: noopen
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-readtime: 0
eagleeye-traceid: 0b57ff8715994701916963132ec7ad
strict-transport-security: max-age=0
timing-allow-origin: *
If the Outbound Traffic Policy parameter of an ASM instance is set to REGISTRY_ONLY, run the curl command in a pod into which a sidecar proxy is injected to access an external HTTP or HTTPS service. The request is rejected by the sidecar proxy of the pod, as shown in the following examples:
curl -I http://www.aliyun.com/
Expected output:
HTTP/1.1 502 Bad Gateway
date: Mon, 07 Sep 2020 09:25:58 GMT
server: envoy
transfer-encoding: chunked
curl -I https://www.aliyun.com/
Expected output:
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.aliyun.com:443
In this case, you can create a service entry for the external service to allow access to it while keeping the Outbound Traffic Policy parameter set to REGISTRY_ONLY. With this method, traffic to the external service is monitored and controlled by Istio. For the HTTPS port, the sidecar routes on the TLS server name (SNI) and passes the session through, so it can restrict which hosts are reachable but cannot inspect the request itself.
Procedure:
• On the details page of the ASM instance, choose Cluster & Workload Management > ServiceEntry. On the page that appears, click Create from YAML.
• On the Create page, select a namespace as required, copy the following content to the code editor, and then click Create.
Set the hosts parameter based on your business requirements. In this example, the hosts parameter is set to www.aliyun.com.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: aliyun-com-ext
spec:
  hosts:
  - 'www.aliyun.com'
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
In a pod into which a sidecar proxy is injected, run the curl -I command to access an external HTTP or HTTPS service. Success responses are returned, as shown in the following examples:
curl -I http://www.aliyun.com/
Expected output:
HTTP/1.1 301 Moved Permanently
server: envoy
date: Mon, 07 Sep 2020 09:49:17 GMT
content-type: text/html
content-length: 239
location: https://www.aliyun.com/
eagleeye-traceid: 0be3e0a915994721583014504e7b31
timing-allow-origin: *
x-envoy-upstream-service-time: 66
curl -I https://www.aliyun.com/
Expected output:
HTTP/2 200
server: Tengine
date: Mon, 07 Sep 2020 09:49:31 GMT
content-type: text/html; charset=utf-8
vary: Accept-Encoding
vary: Accept-Encoding
strict-transport-security: max-age=31536000
x-download-options: noopen
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-readtime: 1
eagleeye-traceid: 0be3e0b115994721709577294ed9e8
strict-transport-security: max-age=0
timing-allow-origin: *
You can configure the sidecar proxies in an ASM instance to intercept only traffic destined for specific CIDR blocks. Traffic to all other CIDR blocks bypasses the sidecar proxy and is routed directly to the destination, so it is not subject to the Outbound Traffic Policy, mutual TLS, authorization policies, or mesh telemetry.
For an ASM instance, you can set the Addresses to Which External Access Is Redirected to Sidecar Proxy parameter to the service CIDR block of the Kubernetes clusters on the data plane of the ASM instance. This way, access to destination services in the Kubernetes clusters is intercepted by the sidecar proxy, while access to destinations outside the clusters bypasses it. Use this method only when you accept that egress to the bypassed ranges is invisible to the mesh.
Procedure:
• In the left-side navigation pane, choose Service Mesh > Mesh Management.
• On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
• On the details page of the ASM instance, choose Data Plane Component Management > Sidecar Proxy Setting in the left-side navigation pane.
• On the global tab of the Sidecar Proxy Setting page, click Enable/Disable Sidecar Proxy by Ports or IP Addresses, enter a CIDR block in the Addresses to Which External Access Is Redirected to Sidecar Proxy field, and then click Update Settings. This way, access to the specified CIDR block is intercepted.
• You can also enter a CIDR block in the Addresses to Which External Access Is Not Redirected to Sidecar Proxy field. This way, access to all CIDR blocks except for the specified CIDR block is intercepted.
Notes: The default value in the Addresses to Which External Access Is Redirected to Sidecar Proxy field is *, which indicates that access to all CIDR blocks is intercepted. These two fields correspond to Istio's includeOutboundIPRanges and excludeOutboundIPRanges settings. You can enter a CIDR block based on your business requirements; generally, you enter the service CIDR block of the Kubernetes clusters on the data plane of the ASM instance. Remember that a REGISTRY_ONLY policy constrains only intercepted traffic: a destination outside the intercepted ranges is reachable from any pod regardless of the policy or of whether a service entry exists for it.
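The following script is an added example, not ASM or Istio code, that models how the three settings described above compose for a single outbound connection: the interception ranges decide whether the sidecar sees the connection at all, a matching service entry routes it, and otherwise the Outbound Traffic Policy decides between pass-through and blocking. It also audits a configuration for the weak settings this article warns about. The service entry is the one from the procedure above; the IP addresses, the 172.21.0.0/20 service CIDR and the api.example.com host are constructed for the example.

```python
"""Decision model for outbound connections from a sidecar-injected pod.

Added example, not ASM or Istio code. Knobs modelled:
  - interception ranges: "Addresses to Which External Access Is Redirected to
    Sidecar Proxy" (Istio includeOutboundIPRanges) and the "Not Redirected"
    field (excludeOutboundIPRanges),
  - the Outbound Traffic Policy: ALLOW_ANY or REGISTRY_ONLY,
  - ServiceEntry hosts and ports (exact hosts or a leading "*." wildcard).
Sample hosts, IPs and CIDRs are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class EgressConfig:
    outbound_policy: str                      # "ALLOW_ANY" or "REGISTRY_ONLY"
    include_ranges: List[str] = field(default_factory=lambda: ["*"])  # "*" = all (console default)
    exclude_ranges: List[str] = field(default_factory=list)
    service_entries: List[Dict] = field(default_factory=list)


def in_ranges(ip: str, ranges: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(r == "*" or addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def is_intercepted(cfg: EgressConfig, dest_ip: str) -> bool:
    """Mirrors the iptables redirect istio-init installs: a destination is sent to
    Envoy only if it lies inside the include ranges and outside the exclude ranges."""
    return in_ranges(dest_ip, cfg.include_ranges) and not in_ranges(dest_ip, cfg.exclude_ranges)


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or suffix match for a leading '*.' wildcard: '*.example.com'
    matches 'a.example.com' and 'a.b.example.com' but not 'example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def registered_entry(cfg: EgressConfig, host: str, port: int) -> Optional[Dict]:
    """The ServiceEntry that registers host:port, if any."""
    for se in cfg.service_entries:
        if any(host_matches(h, host) for h in se["hosts"]) and any(p["number"] == port for p in se["ports"]):
            return se
    return None


def outbound_decision(cfg: EgressConfig, host: str, dest_ip: str, port: int) -> str:
    """Fate of a connection from a meshed pod to host:port resolving to dest_ip."""
    if not is_intercepted(cfg, dest_ip):
        return "BYPASS"        # Envoy never sees it: no mTLS, no policy, no telemetry
    if registered_entry(cfg, host, port) is not None:
        return "ROUTE"         # sent to the entry's cluster, observed and controllable
    if cfg.outbound_policy == "ALLOW_ANY":
        return "PASSTHROUGH"   # PassthroughCluster: original destination, unmonitored
    return "BLOCK"             # BlackHoleCluster: HTTP 502 / failed TLS handshake, as in the article


def audit(cfg: EgressConfig) -> List[str]:
    """Findings a security reviewer would raise about an egress configuration."""
    findings = []
    if cfg.outbound_policy == "ALLOW_ANY":
        findings.append("ALLOW_ANY: unregistered external hosts pass through without control")
    if "*" not in cfg.include_ranges:
        findings.append("interception limited to %s: other destinations bypass the sidecar" % ", ".join(cfg.include_ranges))
    if any(r == "*" or ipaddress.ip_network(r, strict=False).prefixlen == 0 for r in cfg.exclude_ranges):
        findings.append("exclude range covers every address: nothing is intercepted")
    for se in cfg.service_entries:
        for h in se["hosts"]:
            if h.startswith("*"):
                findings.append("ServiceEntry %s registers wildcard host %s: review its scope" % (se["name"], h))
    return findings


# The article's ServiceEntry for www.aliyun.com, expressed as a dict.
ALIYUN_ENTRY = {
    "name": "aliyun-com-ext",
    "hosts": ["www.aliyun.com"],
    "ports": [{"number": 80, "name": "http", "protocol": "HTTP"},
              {"number": 443, "name": "https", "protocol": "HTTPS"}],
    "resolution": "DNS",
    "location": "MESH_EXTERNAL",
}


def registry_only_config() -> EgressConfig:
    return EgressConfig("REGISTRY_ONLY", service_entries=[ALIYUN_ENTRY])


def allow_any_config() -> EgressConfig:
    return EgressConfig("ALLOW_ANY")


def cidr_limited_config() -> EgressConfig:
    # Interception narrowed to an assumed cluster service CIDR (172.21.0.0/20 is a
    # placeholder); REGISTRY_ONLY is still set but is never consulted outside it.
    return EgressConfig("REGISTRY_ONLY", include_ranges=["172.21.0.0/20"],
                        service_entries=[ALIYUN_ENTRY])


if __name__ == "__main__":
    # Constructed destinations; 203.0.113.0/24 is documentation address space.
    cases = [("www.aliyun.com", "203.0.113.10", 443),
             ("www.aliyun.com", "203.0.113.10", 8443),
             ("api.example.com", "203.0.113.20", 443)]
    for label, cfg in [("REGISTRY_ONLY + ServiceEntry", registry_only_config()),
                       ("ALLOW_ANY", allow_any_config()),
                       ("REGISTRY_ONLY, interception limited", cidr_limited_config())]:
        print(label)
        for host, ip, port in cases:
            print("  %s:%d -> %s" % (host, port, outbound_decision(cfg, host, ip, port)))
        for finding in audit(cfg):
            print("  finding:", finding)
```

Running the script shows the point the three sections make together: with REGISTRY_ONLY and the service entry, www.aliyun.com on port 443 is routed while port 8443 and api.example.com are blocked; with ALLOW_ANY everything passes through unmonitored; and once interception is limited to the cluster service CIDR, the same www.aliyun.com request bypasses the sidecar entirely, so REGISTRY_ONLY no longer applies to it.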