You can add an entry for an external service to the internal service registry of a Service Mesh (ASM) instance so that services in the ASM instance can access the external service. A service entry describes the properties of a service, such as its domain name, port, protocol, and endpoint. This topic describes how to create, modify, and delete a service entry.
Usage notes
To prevent port conflicts with sidecars, do not use the following ports that are used by Envoy when you create service entries.
| Port | Protocol | Used by | Description |
| --- | --- | --- | --- |
| 15000 | TCP | Envoy | The admin port of Envoy. |
| 15001 | TCP | Envoy | The outbound port of Envoy. |
| 15006 | TCP | Envoy | The inbound port of Envoy. |
| 15020 | HTTP | Envoy | The port used for merged Prometheus telemetry from the Istio proxy, Envoy, and application. |
| 15021 | HTTP | Envoy | The port used for health checks. |
| 15090 | HTTP | Envoy | The port used for Envoy Prometheus telemetry. |
The following table describes the conventions for naming ports in service entries for external services.
| Protocol | Port name | Port name with a suffix |
| --- | --- | --- |
| HTTP | http | http-<Suffix> |
| HTTP2 | http2 | http2-<Suffix> |
| HTTPS | https | https-<Suffix> |
| TLS | tls | tls-<Suffix> |
| gRPC | grpc | grpc-<Suffix> |
| TCP | tcp | tcp-<Suffix> |
| UDP | udp | udp-<Suffix> |
| Mongo | mongo | mongo-<Suffix> |
| MySQL | mysql | mysql-<Suffix> |
| Redis | redis | redis-<Suffix> |
Take note of the following items if you use HTTP, HTTPS, TLS, or TCP:
If you use HTTP, HTTPS, or TLS, you must specify the host in a service entry.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: aliyun
spec:
  hosts:
  - www.aliyun.com
  - aliyun.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
```
If you use TCP, you must specify the IP address range in a service entry.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: mysql-external
spec:
  hosts:
  - mysql-01.foo.bar
  addresses:
  - 10.0.0.5/32
  - 10.0.0.6/32
  ports:
  - name: tcp
    number: 3306
    protocol: tcp
  location: MESH_EXTERNAL
```
If multiple external services share the same TCP port, you must distinguish the IP addresses of the services.
External service 1
```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-1
  namespace: default
spec:
  hosts:
  - fqdna.fqdn.com
  addresses:
  - 10.0.0.0
  location: MESH_EXTERNAL
  ports:
  - name: TCP
    number: 3306
    protocol: TCP
  resolution: DNS
```
External service 2
```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-2
  namespace: default
spec:
  hosts:
  - fqdnb.fqdn.com
  addresses:
  - 10.1.0.0
  location: MESH_EXTERNAL
  ports:
  - name: TCP
    number: 3306
    protocol: TCP
  resolution: DNS
```
By default, the entry that you create for an external service in an ASM instance is valid in all namespaces. To allow only services in the namespace in which you create an entry for an external service to access the external service, you can add the exportTo parameter and set the parameter to "." when you create the service entry.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: aliyun
spec:
  hosts:
  - www.aliyun.com
  exportTo:
  - "."
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
```
We recommend that you enable Domain Name System (DNS) resolution. The DNS resolution feature ignores the original destination IP address, directs traffic to the specified host, and then performs a DNS query to obtain the IP address of the specified host.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: aliyun
spec:
  hosts:
  - '*.aliyun.com'
  addresses:
  - 192.168.0.0
  - 172.16.0.0
  location: MESH_EXTERNAL
  ports:
  - number: 443
    protocol: https
    name: https
  resolution: DNS
```
resolution: To enable DNS resolution, set this parameter to DNS. To disable DNS resolution, set this parameter to NONE.
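The usage notes above can be checked mechanically before a manifest is applied. The following Python linter is an added example, not part of the ASM documentation or tooling; the function name `lint_service_entries`, the finding strings, and the sample manifests are constructed for illustration. It assumes the manifests are already parsed into dictionaries (for example by a YAML parser) and compares port names case-insensitively.

```python
import ipaddress

# Ports the page lists as used by Envoy sidecars.
ENVOY_PORTS = {15000, 15001, 15006, 15020, 15021, 15090}
# Port-name prefixes from the page's naming table, keyed by upper-cased protocol.
PREFIXES = {"HTTP": "http", "HTTP2": "http2", "HTTPS": "https", "TLS": "tls",
            "GRPC": "grpc", "TCP": "tcp", "UDP": "udp", "MONGO": "mongo",
            "MYSQL": "mysql", "REDIS": "redis"}

# Constructed sample manifests, shaped as a YAML parser would return them.
SAMPLE = [
    {"metadata": {"name": "db-a"}, "spec": {"hosts": ["db-a.example.com"], "addresses": ["10.0.0.5/32"],
     "exportTo": ["."], "ports": [{"name": "tcp-mysql", "number": 3306, "protocol": "TCP"}]}},
    {"metadata": {"name": "db-b"}, "spec": {"hosts": ["db-b.example.com"], "exportTo": ["."],
     "ports": [{"name": "mysql", "number": 3306, "protocol": "TCP"}]}},
    {"metadata": {"name": "metrics"}, "spec": {"hosts": ["metrics.example.com"],
     "ports": [{"name": "http", "number": 15020, "protocol": "HTTP"}]}},
]


def lint_service_entries(entries):
    """Return sorted (entry name, finding) pairs for parsed ServiceEntry manifests."""
    findings, tcp_seen = [], {}
    for entry in entries:
        name, spec = entry["metadata"]["name"], entry.get("spec", {})
        nets = [ipaddress.ip_network(a, strict=False) for a in spec.get("addresses", [])]
        if "exportTo" not in spec:
            findings.append((name, "no exportTo: visible in all namespaces"))
        for port in spec.get("ports", []):
            proto, number = str(port.get("protocol", "")).upper(), port.get("number")
            pname, prefix = str(port.get("name", "")), PREFIXES.get(proto)
            if number in ENVOY_PORTS:
                findings.append((name, f"port {number} is used by Envoy"))
            if prefix and pname.lower() != prefix and not pname.lower().startswith(prefix + "-"):
                findings.append((name, f"port name {pname!r} should be {prefix} or {prefix}-<Suffix>"))
            if proto in ("HTTP", "HTTPS", "TLS") and not spec.get("hosts"):
                findings.append((name, f"{proto} port without hosts"))
            if proto != "TCP":
                continue
            if not nets:
                findings.append((name, f"TCP port {number} without addresses"))
            for other, other_nets in tcp_seen.setdefault(number, []):
                # Ambiguous when either side has no addresses or the ranges overlap.
                if not nets or not other_nets or any(a.overlaps(b) for a in nets for b in other_nets):
                    findings.append((name, f"TCP port {number} not distinguishable from {other}"))
            tcp_seen[number].append((name, nets))
    return sorted(findings)
```

Calling `lint_service_entries(SAMPLE)` reports the entry that shares TCP port 3306 without its own addresses, the mismatched port name, the entry that omits `exportTo`, and the port that collides with Envoy.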
Create a service entry
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose . On the page that appears, click Create from YAML.
On the Create page, select a namespace and a scenario template, modify the configuration in the YAML code editor based on your business requirements, and then click Create.
For more information about fields, see Service Entry.
Modify a service entry
On the details page of the ASM instance, choose in the left-side navigation pane.
On the External Service(ServiceEntry) page, find the service entry that you want to modify and click YAML in the Actions column.
In the Edit dialog box, modify the configurations of the service entry and click OK.
Delete a service entry
On the details page of the ASM instance, choose in the left-side navigation pane.
On the External Service(ServiceEntry) page, find the service entry that you want to delete and click Delete in the Actions column.
In the Submit message, click OK.