<!DOCTYPE html><html lang="en" itemscope itemtype="https://schema.org/WebPage"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><meta name="theme-color" content="#466BB0"/><meta name="title" content="Consuming External Web Services"><meta name="description" content="Describes a simple scenario based on Istio Bookinfo sample"><meta name="og:title" content="Consuming External Web Services"><meta name="og:description" content="Describes a simple scenario based on Istio Bookinfo sample"><meta name="og:url" content="/blog/2018/egress-https.html"><meta name="og.site_name" content="Istio"><title>Istioldie 0.7 / Consuming External Web Services</title><script> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; ga('create', 'UA-98480406-2', 'auto'); ga('send', 'pageview'); </script> <script async src='https://www.google-analytics.com/analytics.js'></script><link rel="alternate" type="application/rss+xml" title="Istio Blog RSS" href="/v0.7/feed.xml"><link rel="shortcut icon" href="/v0.7/favicons/favicon.ico" ><link rel="apple-touch-icon" href="/v0.7/favicons/apple-touch-icon-180x180.png" sizes="180x180"><link rel="icon" type="image/png" href="/v0.7/favicons/favicon-16x16.png" sizes="16x16"><link rel="icon" type="image/png" href="/v0.7/favicons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/v0.7/favicons/android-36x36.png" sizes="36x36"><link rel="icon" type="image/png" href="/v0.7/favicons/android-48x48.png" sizes="48x48"><link rel="icon" type="image/png" href="/v0.7/favicons/android-72x72.png" sizes="72x72"><link rel="icon" type="image/png" href="/v0.7/favicons/android-96x196.png" sizes="96x196"><link rel="icon" type="image/png" href="/v0.7/favicons/android-144x144.png" sizes="144x144"><link rel="icon" type="image/png" href="/v0.7/favicons/android-192x192.png" sizes="192x192"><link rel="manifest" 
href="/v0.7/manifest.json"><meta name="apple-mobile-web-app-title" content="Istio"><meta name="application-name" content="Istio"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous"><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.6/css/all.css"><link rel="stylesheet" href="/v0.7/css/light_theme.css" title="light"><link rel="alternate stylesheet" href="/v0.7/css/dark_theme.css" title="dark"> <script src="/v0.7/js/styleSwitcher.min.js"></script></head><body class="language-unknown theme-unknown"><header role="banner"><nav class="navbar navbar-expand-sm navbar-dark fixed-top bg-dark justify-content-between"> <a class="navbar-brand" href="/v0.7/" style="visibility: visible"> <img class="logo" src="/v0.7/img/istio-logo.svg" alt="Istio Logo"/> <span class="brand-name">Istioldie 0.7</span> </a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation"> <span class="navbar-toggler-icon"></span> </button><div class="collapse navbar-collapse justify-content-end" id="navbarCollapse"><ul id="navbar-links" class="navbar-nav active"><li class="nav-item"> <a class="nav-link " href="/v0.7/docs/">Docs</a></li><li class="nav-item"> <a class="nav-link active" href="/v0.7/blog/2018/traffic-mirroring.html">Blog</a></li><li class="nav-item"> <a class="nav-link " href="/v0.7/help/">Help</a></li><li class="nav-item"> <a class="nav-link " href="/v0.7/community.html">Community</a></li><li class="nav-item"> <a class="nav-link " href="/v0.7/about/">About</a></li><li class="nav-item dropdown" id="gearDropdown" style="white-space: nowrap"> 
<a href="" class="nav-link" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <i style="width: 1em" class='fa fa-lg fa-cog'></i> </a><ul class="dropdown-menu dropdown-menu-right" aria-labelledby="gearDropdown"><h6 class="dropdown-header">Other versions of this site</h6><li> <a href="https://istio.io">Current Release</a></li><li> <a href="https://preliminary.istio.io">Next Release</a></li><li> <a href="https://archive.istio.io">Older Releases</a></li><li class="dropdown-divider"></li><li> <i class='fa fa-check light'></i> <a href="" onclick="setActiveStyleSheet('light');return false;">Light Theme</a></li><li> <i class='fa fa-check dark'></i> <a href="" onclick="setActiveStyleSheet('dark');return false;">Dark Theme</a></li><li class="dropdown-divider"></li><li><a href="https://github.com/istio/istio.github.io/issues/new?title=Issue with _blog/2018/egress-https.md">Report Site Bugs</a></li><li><a href="https://github.com/istio/istio.github.io/edit/master/_blog/2018/egress-https.md">Edit this Page on GitHub</a></li></ul></li><li class="nav-item"> <a id="search_show" class="nav-link" href=""><i style="width: 1em" class="fa fa-lg fa-search"></i></a></li></ul><form name="cse" id="search_form" class="form-inline mr-sm-2" role="search"> <input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" /> <input type="hidden" name="ie" value="utf-8" /> <input type="hidden" name="hl" value="en" /> <input id="search_textbox" class="form-control" name="q" type="text" /> <button id="search_close" type="reset"><i class="far fa-lg fa-times-circle"></i></button> </form></div></nav></header><div class="container-fluid blog"><div class="row row-offcanvas row-offcanvas-left"><div class="col-6 col-md-3 col-xl-2 sidebar-offcanvas"><nav class="sidebar"><div class="spacer"></div><div class="directory" role="tablist"><div class="card"><div class="card-header" role="tab" id="header1"> <a data-toggle="collapse" href="#collapse1" title="Blog posts for 2018" 
role="button" aria-controls="collapse1"><div> 2018 Posts</div></a></div><div id="collapse1" class="collapse show" data-parent="#sidebar" role="tabpanel" aria-labelledby="header1"><div class="card-body"><ul class="tree"><li> <a title="An introduction to safer, lower-risk deployments and release to production" href="/v0.7/blog/2018/traffic-mirroring.html">Traffic Mirroring with Istio for Testing in Production</a></li><li> <a title="Describes a simple scenario based on Istio Bookinfo sample" href="/v0.7/blog/2018/egress-tcp.html">Consuming External TCP Services</a></li><li> <span class="current" title="Describes a simple scenario based on Istio Bookinfo sample">Consuming External Web Services</span></li></ul></div></div></div><div class="card"><div class="card-header" role="tab" id="header5"> <a data-toggle="collapse" href="#collapse5" title="Blog posts for 2017" role="button" aria-controls="collapse5"><div> 2017 Posts</div></a></div><div id="collapse5" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header5"><div class="card-body"><ul class="tree"><li> <a title="Improving availability and reducing latency" href="/v0.7/blog/2017/mixer-spof-myth.html">Mixer and the SPOF Myth</a></li><li> <a title="Provides an overview of the Mixer plug-in architecture" href="/v0.7/blog/2017/adapter-model.html">Mixer Adapter Model</a></li><li> <a title="Istio 0.2 announcement" href="/v0.7/blog/2017/0.2-announcement.html">Announcing Istio 0.2</a></li><li> <a title="How Kubernetes Network Policy relates to Istio policy" href="/v0.7/blog/2017/0.1-using-network-policy.html">Using Network Policy with Istio</a></li><li> <a title="Using Istio to create autoscaled canary deployments" href="/v0.7/blog/2017/0.1-canary.html">Canary Deployments using Istio</a></li><li> <a title="Istio Auth 0.1 announcement" href="/v0.7/blog/2017/0.1-auth.html">Using Istio to Improve End-to-End Security</a></li><li> <a title="Istio 0.1 announcement" 
href="/v0.7/blog/2017/0.1-announcement.html">Introducing Istio</a></li></ul></div></div></div><div class="text-center" style="margin-top: 1em; font-size: 1.2em;" > <a href="/v0.7/feed.xml"> <img style="width: 1.4em;" src="/v0.7/img/rss.svg" alt="RSS"/> Subscribe </a></div></div></nav></div><div class="col-12 col-md-9 col-lg-7 col-xl-8"><p class="d-md-none"> <label class="sidebar-toggler" data-toggle="offcanvas"> <i class="fa fa-chevron-right"></i> </label></p><main role="main"><h1>Consuming External Web Services</h1><p class="subtitle">Egress Rules for HTTPS traffic</p><p class="byline"> By <span class="attribution">Vadim Eisenberg</span> / <span class="publish_date">January 31, 2018</span></p><p>In many cases, not all the parts of a microservices-based application reside in a <em>service mesh</em>. Sometimes, the microservices-based applications use functionality provided by legacy systems that reside outside the mesh. We may want to migrate these systems to the service mesh gradually. Until these systems are migrated, they must be accessed by the applications inside the mesh. In other cases, the applications use web services provided by external organizations, often over the World Wide Web.</p><p>In this blog post, I modify the <a href="/v0.7/docs/guides/bookinfo.html">Istio Bookinfo Sample Application</a> to fetch book details from an external web service (<a href="https://developers.google.com/books/docs/v1/getting_started">Google Books APIs</a>). I show how to enable external HTTPS traffic in Istio by using an <em>egress rule</em>. 
Finally, I explain the current issues related to the egress traffic control in Istio.</p><h2 id="bookinfo-sample-application-with-external-details-web-service">Bookinfo sample application with external details web service</h2><h3 id="initial-setting">Initial setting</h3><p>To demonstrate the scenario of consuming an external web service, I start with a Kubernetes cluster with <a href="/v0.7/docs/setup/kubernetes/quick-start.html#installation-steps">Istio installed</a>. Then I deploy <a href="/v0.7/docs/guides/bookinfo.html">Istio Bookinfo Sample Application</a>. This application uses the <em>details</em> microservice to fetch book details, such as the number of pages and the publisher. The original <em>details</em> microservice provides the book details without consulting any external service.</p><p>The example commands in this blog post work with Istio version 0.2+, with or without <a href="/v0.7/docs/concepts/security/mutual-tls.html">Mutual TLS</a> enabled.</p><p>The Bookinfo configuration files required for the scenario of this post appear starting from <a href="https://github.com/istio/istio/releases/tag/0.5.0">Istio release version 0.5</a>. 
The Bookinfo configuration files reside in the <code class="highlighter-rouge">samples/bookinfo/kube</code> directory of the Istio release archive.</p><p>Here is a copy of the end-to-end architecture of the application from the original <a href="/v0.7/docs/guides/bookinfo.html">Bookinfo Guide</a>.</p><div class="figure" style="width: 80%;"><div class="wrapper-with-intrinsic-ratio" style="padding-bottom: 59.08%"><figure> <a href="/v0.7/docs/guides/img/bookinfo/withistio.svg"> <img class="element-to-stretch" src="/v0.7/docs/guides/img/bookinfo/withistio.svg" alt="The Original Bookinfo Application" title="The Original Bookinfo Application" /> </a></figure></div><p>The Original Bookinfo Application</p></div><h3 id="bookinfo-with-details-version-2">Bookinfo with details version 2</h3><p>Let’s add a new version of the <em>details</em> microservice, <em>v2</em>, that fetches the book details from <a href="https://developers.google.com/books/docs/v1/getting_started">Google Books APIs</a>.</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl apply <span class="nt">-f</span> <<span class="o">(</span>istioctl kube-inject <span class="nt">-f</span> samples/bookinfo/kube/bookinfo-details-v2.yaml<span class="o">)</span>
</code></pre></div></div><p>The updated architecture of the application now looks as follows:</p><div class="figure" style="width: 80%;"><div class="wrapper-with-intrinsic-ratio" style="padding-bottom: 65.16%"><figure> <a href="./img/bookinfo-details-v2.svg"> <img class="element-to-stretch" src="./img/bookinfo-details-v2.svg" alt="The Bookinfo Application with details V2" title="The Bookinfo Application with details V2" /> </a></figure></div><p>The Bookinfo Application with details V2</p></div><p>Note that the Google Books web service is outside the Istio service mesh, the boundary of which is marked by a dashed line.</p><p>Now let’s direct all the traffic destined to the <em>details</em> microservice, to <em>details version v2</em>, using the following <em>route rule</em>:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cat</span> <span class="o"><<</span><span class="no">EOF</span><span class="sh"> | istioctl create -f -
apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
name: details-v2
namespace: default
spec:
destination:
name: details
route:
- labels:
version: v2
</span><span class="no">EOF
</span></code></pre></div></div><p>Let’s access the web page of the application, after <a href="/v0.7/docs/guides/bookinfo.html#determining-the-ingress-ip-and-port">determining the ingress IP and port</a>.</p><p>Oops… Instead of the book details we have the <em>Error fetching product details</em> message displayed:</p><div class="figure" style="width: 80%;"><div class="wrapper-with-intrinsic-ratio" style="padding-bottom: 36.01%"><figure> <a href="./img/errorFetchingBookDetails.png"> <img class="element-to-stretch" src="./img/errorFetchingBookDetails.png" alt="The Error Fetching Product Details Message" title="The Error Fetching Product Details Message" /> </a></figure></div><p>The Error Fetching Product Details Message</p></div><p>The good news is that our application did not crash. With a good microservice design, we do not have <strong>failure propagation</strong>. In our case, the failing <em>details</em> microservice does not cause the <em>productpage</em> microservice to fail. Most of the functionality of the application is still provided, despite the failure in the <em>details</em> microservice. We have <strong>graceful service degradation</strong>: as you can see, the reviews and the ratings are displayed correctly, and the application is still useful.</p><p>So what might have gone wrong? Ah… The answer is that I forgot to enable traffic from inside the mesh to an external service, in this case to the Google Books web service. By default, the Istio sidecar proxies (<a href="https://www.envoyproxy.io">Envoy proxies</a>) <strong>block all the traffic to destinations outside the cluster</strong>. 
To enable such traffic, we must define an <a href="/v0.7/docs/reference/config/istio.routing.v1alpha1.html#EgressRule">egress rule</a>.</p><h3 id="egress-rule-for-google-books-web-service">Egress rule for Google Books web service</h3><p>No worries, let’s define an <strong>egress rule</strong> and fix our application:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cat</span> <span class="o"><<</span><span class="no">EOF</span><span class="sh"> | istioctl create -f -
apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
name: googleapis
namespace: default
spec:
destination:
service: "*.googleapis.com"
ports:
- port: 443
protocol: https
</span><span class="no">EOF
</span></code></pre></div></div><p>Now accessing the web page of the application displays the book details without error:</p><div class="figure" style="width: 80%;"><div class="wrapper-with-intrinsic-ratio" style="padding-bottom: 34.82%"><figure> <a href="./img/externalBookDetails.png"> <img class="element-to-stretch" src="./img/externalBookDetails.png" alt="Book Details Displayed Correctly" title="Book Details Displayed Correctly" /> </a></figure></div><p>Book Details Displayed Correctly</p></div><p>Note that our egress rule allows traffic to any domain matching <em>*.googleapis.com</em>, on port 443, using the HTTPS protocol. Let’s assume for the sake of the example that the applications in our Istio service mesh must access multiple subdomains of <em>googleapis.com</em>, for example <em>www.googleapis.com</em> and <em>fcm.googleapis.com</em>. Our rule allows traffic to both <em>www.googleapis.com</em> and <em>fcm.googleapis.com</em>, since they both match <em>*.googleapis.com</em>. This <strong>wildcard</strong> feature allows us to enable traffic to multiple domains using a single egress rule.</p><p>We can query our egress rules:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>istioctl get egressrules
</code></pre></div></div><p>and see our new egress rule in the output:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>NAME KIND NAMESPACE
googleapis EgressRule.v1alpha2.config.istio.io default
</code></pre></div></div><p>We can delete our egress rule:</p><div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>istioctl delete egressrule googleapis <span class="nt">-n</span> default
</code></pre></div></div><p>and see in the output of <em>istioctl delete</em> that the egress rule is deleted:</p><div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Deleted config: egressrule googleapis
</code></pre></div></div><p>Accessing the web page after deleting the egress rule produces the same error that we experienced before, namely <em>Error fetching product details</em>. As we can see, the egress rules are defined <strong>dynamically</strong>, as many other Istio configuration artifacts. The Istio operators can decide dynamically which domains they allow the microservices to access. They can enable and disable traffic to the external domains on the fly, without redeploying the microservices.</p><h2 id="issues-with-istio-egress-traffic-control">Issues with Istio egress traffic control</h2><h3 id="tls-origination-by-istio">TLS origination by Istio</h3><p>There is a caveat to this story. In HTTPS, all the HTTP details (hostname, path, headers etc.) are encrypted, so Istio cannot know the destination domain of the encrypted requests. Well, Istio could know the destination domain by the <a href="https://tools.ietf.org/html/rfc3546#section-3.1">SNI</a> (<em>Server Name Indication</em>) field. This feature, however, is not yet implemented in Istio. Therefore, currently Istio cannot perform filtering of HTTPS requests based on the destination domains.</p><p>To allow Istio to perform filtering of egress requests based on domains, the microservices must issue HTTP requests. Istio then opens an HTTPS connection to the destination (performs TLS origination). The code of the microservices must be written differently or configured differently, according to whether the microservice runs inside or outside an Istio service mesh. This contradicts the Istio design goal of <a href="/v0.7/docs/concepts/what-is-istio/goals.html">maximizing transparency</a>. Sometimes we need to compromise…</p><p>The diagram below shows how the HTTPS traffic to external services is performed. On the top, a microservice outside an Istio service mesh sends regular HTTPS requests, encrypted end-to-end. 
On the bottom, the same microservice inside an Istio service mesh must send unencrypted HTTP requests inside a pod, which are intercepted by the sidecar Envoy proxy. The sidecar proxy performs TLS origination, so the traffic between the pod and the external service is encrypted.</p><div class="figure" style="width: 80%;"><div class="wrapper-with-intrinsic-ratio" style="padding-bottom: 65.16%"><figure> <a href="./img/https_from_the_app.svg"> <img class="element-to-stretch" src="./img/https_from_the_app.svg" alt="HTTPS traffic to external services, from outside vs. from inside an Istio service mesh" title="HTTPS traffic to external services, from outside vs. from inside an Istio service mesh" /> </a></figure></div><p>HTTPS traffic to external services, from outside vs. from inside an Istio service mesh</p></div><p>Here is how we code this behavior in <a href="https://github.com/istio/istio/blob/master/samples/bookinfo/src/details/details.rb">the Bookinfo details microservice code</a>, using the Ruby <a href="https://docs.ruby-lang.org/en/2.0.0/Net/HTTP.html">net/http module</a>:</p><div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">uri</span> <span class="o">=</span> <span class="no">URI</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="s1">'https://www.googleapis.com/books/v1/volumes?q=isbn:'</span> <span class="o">+</span> <span class="n">isbn</span><span class="p">)</span>
<span class="n">http</span> <span class="o">=</span> <span class="no">Net</span><span class="o">::</span><span class="no">HTTP</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">uri</span><span class="p">.</span><span class="nf">host</span><span class="p">,</span> <span class="n">uri</span><span class="p">.</span><span class="nf">port</span><span class="p">)</span>
<span class="o">...</span>
<span class="k">unless</span> <span class="no">ENV</span><span class="p">[</span><span class="s1">'WITH_ISTIO'</span><span class="p">]</span> <span class="o">===</span> <span class="s1">'true'</span> <span class="k">then</span>
<span class="n">http</span><span class="p">.</span><span class="nf">use_ssl</span> <span class="o">=</span> <span class="kp">true</span>
<span class="k">end</span>
</code></pre></div></div><p>Note that <code class="highlighter-rouge">URI.parse</code> derives the port from the URI’s scheme (https://), so it is <code class="highlighter-rouge">443</code>, the default HTTPS port. The microservice, when running inside an Istio service mesh, must issue plain HTTP requests to port <code class="highlighter-rouge">443</code>, which is the port on which the external service listens.</p><p>When the <code class="highlighter-rouge">WITH_ISTIO</code> environment variable is set to <em>“true”</em>, the request is performed without SSL (plain HTTP).</p><p>We set the <code class="highlighter-rouge">WITH_ISTIO</code> environment variable to <em>“true”</em> in the <a href="https://github.com/istio/istio/blob/master/samples/bookinfo/kube/bookinfo-details-v2.yaml">Kubernetes deployment spec of <em>details v2</em></a>, the <code class="highlighter-rouge">container</code> section:</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">env</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">WITH_ISTIO</span>
<span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span>
</code></pre></div></div><h4 id="relation-to-istio-mutual-tls">Relation to Istio mutual TLS</h4><p>Note that the TLS origination in this case is unrelated to <a href="/v0.7/docs/concepts/security/mutual-tls.html">the mutual TLS</a> applied by Istio. The TLS origination for the external services will work whether the Istio mutual TLS is enabled or not. The <strong>mutual</strong> TLS secures service-to-service communication <strong>inside</strong> the service mesh and provides each service with a strong identity. In the case of the <strong>external services</strong>, we have <strong>one-way</strong> TLS, the same mechanism used to secure communication between a web browser and a web server. TLS is applied to the communication with external services to verify the identity of the external server and to encrypt the traffic.</p><h3 id="malicious-microservices-threat">Malicious microservices threat</h3><p>Another issue is that the egress rules are currently <strong>not a security feature</strong>; they only <strong>enable</strong> traffic to external services. For HTTP-based protocols, the rules are based on domains. Istio does not check that the destination IP of the request matches the <em>Host</em> header. This means that a malicious microservice inside a service mesh could trick Istio into allowing traffic to a malicious IP: the attack is to set one of the domains allowed by an existing egress rule as the <em>Host</em> header of the malicious request, while the request is actually sent to a different destination IP.</p><p>Securing egress traffic is currently not supported in Istio and should be performed elsewhere, for example by a firewall or by an additional proxy outside Istio. Right now, we’re working to enable the application of Mixer security policies on the egress traffic and to prevent the attack described above.</p><h3 id="no-tracing-telemetry-and-no-mixer-checks">No tracing, telemetry and no mixer checks</h3><p>Note that currently no tracing and telemetry information can be collected for the egress traffic. 
Mixer policies cannot be applied. We are working to fix this in future Istio releases.</p><h2 id="future-work">Future work</h2><p>In my next blog posts I will demonstrate Istio egress rules for TCP traffic and will show examples of combining routing rules and egress rules.</p><p>In Istio, we are working on making Istio egress traffic more secure, and in particular on enabling tracing, telemetry, and Mixer checks for the egress traffic.</p><h2 id="conclusion">Conclusion</h2><p>In this blog post I demonstrated how the microservices in an Istio service mesh can consume external web services via HTTPS. By default, Istio blocks all the traffic to the hosts outside the cluster. To enable such traffic, egress rules must be created for the service mesh. It is possible to access the external sites by HTTPS, however the microservices must issue HTTP requests while Istio will perform TLS origination. Currently, no tracing, telemetry and Mixer checks are enabled for the egress traffic. Egress rules are currently not a security feature, so additional mechanisms are required for securing egress traffic. 
We’re working to enable logging/telemetry and security policies for the egress traffic in future releases.</p><p>To read more about Istio egress traffic control, see <a href="/v0.7/docs/tasks/traffic-management/egress.html">Control Egress Traffic Task</a>.</p></main><br/><hr/><br/><div class="container-fluid"><div class="row"><div class="col-6"> <a href="/v0.7/blog/2017/mixer-spof-myth.html"><i class="fa fa-arrow-left"></i> Mixer and the SPOF Myth</a></div><div class="col-6" style="text-align: right"> <a href="/v0.7/blog/2018/egress-tcp.html">Consuming External TCP Services <i class="fa fa-arrow-right"></i></a></div></div></div></div><div class="col-12 col-md-2 d-none d-lg-block"><nav class="toc"><div class="spacer"></div><div class="directory" role="directory"><ul><li><a href="#bookinfo-sample-application-with-external-details-web-service">Bookinfo sample application with external details web service</a><ul><li><a href="#initial-setting">Initial setting</a></li><li><a href="#bookinfo-with-details-version-2">Bookinfo with details version 2</a></li><li><a href="#egress-rule-for-google-books-web-service">Egress rule for Google Books web service</a></li></ul></li><li><a href="#issues-with-istio-egress-traffic-control">Issues with Istio egress traffic control</a><ul><li><a href="#tls-origination-by-istio">TLS origination by Istio</a><ul><li><a href="#relation-to-istio-mutual-tls">Relation to Istio mutual TLS</a></li></ul></li><li><a href="#malicious-microservices-threat">Malicious microservices threat</a></li><li><a href="#no-tracing-telemetry-and-no-mixer-checks">No tracing, telemetry and no mixer checks</a></li></ul></li><li><a href="#future-work">Future work</a></li><li><a href="#conclusion">Conclusion</a></li></ul></div></nav></div></div></div><div class="footer"><footer><div class="container-fluid"><div class="row"><div class="col-6 col-lg-4" role="navigation"><div class="container-fluid"><div class="row justify-content-start"><div class="icon"> <a title="Join the 
istio-users@ mailing list to participate in discussions and get help troubleshooting problems" href="https://groups.google.com/forum/#!forum/istio-users"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 490 490"><path d="M480,410.248H10c-5.523,0-10-4.477-10-10V89.752c0-5.523,4.477-10,10-10h470c5.522,0,10,4.477,10,10v310.495 C490,405.771,485.522,410.248,480,410.248z M20,390.248h450V99.752H20V390.248z"/><path d="M245,286.131c-2.083,0-4.167-0.649-5.931-1.948L48.64,143.929c-4.446-3.275-5.396-9.535-2.121-13.982 c3.275-4.447,9.535-5.396,13.982-2.121L245,263.712l184.5-135.886c4.447-3.274,10.709-2.326,13.982,2.121 c3.275,4.447,2.325,10.707-2.121,13.982L250.931,284.183C249.167,285.482,247.083,286.131,245,286.131z"/> </svg> </a></div><div class="icon"> <a title="Follow us on Twitter to get the latest news" href="https://twitter.com/IstioMesh"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 310 310"><path d="M302.973,57.388c-4.87,2.16-9.877,3.983-14.993,5.463c6.057-6.85,10.675-14.91,13.494-23.73 c0.632-1.977-0.023-4.141-1.648-5.434c-1.623-1.294-3.878-1.449-5.665-0.39c-10.865,6.444-22.587,11.075-34.878,13.783 c-12.381-12.098-29.197-18.983-46.581-18.983c-36.695,0-66.549,29.853-66.549,66.547c0,2.89,0.183,5.764,0.545,8.598 C101.163,99.244,58.83,76.863,29.76,41.204c-1.036-1.271-2.632-1.956-4.266-1.825c-1.635,0.128-3.104,1.05-3.93,2.467 c-5.896,10.117-9.013,21.688-9.013,33.461c0,16.035,5.725,31.249,15.838,43.137c-3.075-1.065-6.059-2.396-8.907-3.977 c-1.529-0.851-3.395-0.838-4.914,0.033c-1.52,0.871-2.473,2.473-2.513,4.224c-0.007,0.295-0.007,0.59-0.007,0.889 c0,23.935,12.882,45.484,32.577,57.229c-1.692-0.169-3.383-0.414-5.063-0.735c-1.732-0.331-3.513,0.276-4.681,1.597 c-1.17,1.32-1.557,3.16-1.018,4.84c7.29,22.76,26.059,39.501,48.749,44.605c-18.819,11.787-40.34,17.961-62.932,17.961 c-4.714,0-9.455-0.277-14.095-0.826c-2.305-0.274-4.509,1.087-5.294,3.279c-0.785,2.193,0.047,4.638,2.008,5.895 
c29.023,18.609,62.582,28.445,97.047,28.445c67.754,0,110.139-31.95,133.764-58.753c29.46-33.421,46.356-77.658,46.356-121.367 c0-1.826-0.028-3.67-0.084-5.508c11.623-8.757,21.63-19.355,29.773-31.536c1.237-1.85,1.103-4.295-0.33-5.998 C307.394,57.037,305.009,56.486,302.973,57.388z"/> </svg> </a></div><div class="icon"> <a title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href="https://stackoverflow.com/questions/tagged/istio"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 120"><polygon points="84.4,93.8 84.4,70.6 92.1,70.6 92.1,101.5 22.6,101.5 22.6,70.6 30.3,70.6 30.3,93.8 "/><path d="M38.8,68.4l37.8,7.9l1.6-7.6l-37.8-7.9L38.8,68.4z M43.8,50.4l35,16.3l3.2-7l-35-16.4L43.8,50.4z M53.5,33.2 l29.7,24.7l4.9-5.9L58.4,27.3L53.5,33.2z M72.7,14.9l-6.2,4.6l23,31l6.2-4.6L72.7,14.9z M38,86h38.6v-7.7H38V86z"/> </svg> </a></div></div><div class="row justify-content-start d-none d-lg-flex"><p class="tag">for users</p></div></div></div><div class="col-6 col-lg-4"><p class="text-center copyright" role="contentinfo"> Istio Archive 0.7, Copyright © 2018 Istio Authors<br> Archived on 05-May-2018</p></div><div class="col-6 col-lg-4 d-none d-lg-flex" role="navigation"><div class="container-fluid"><div class="row justify-content-end"><div class="icon"> <a title="Join the istio-dev@ mailing list to discuss development issues around the Istio project" href="https://groups.google.com/forum/#!forum/istio-dev"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 490 490"><path d="M480,410.248H10c-5.523,0-10-4.477-10-10V89.752c0-5.523,4.477-10,10-10h470c5.522,0,10,4.477,10,10v310.495 C490,405.771,485.522,410.248,480,410.248z M20,390.248h450V99.752H20V390.248z"/><path d="M245,286.131c-2.083,0-4.167-0.649-5.931-1.948L48.64,143.929c-4.446-3.275-5.396-9.535-2.121-13.982 c3.275-4.447,9.535-5.396,13.982-2.121L245,263.712l184.5-135.886c4.447-3.274,10.709-2.326,13.982,2.121 
c3.275,4.447,2.325,10.707-2.121,13.982L250.931,284.183C249.167,285.482,247.083,286.131,245,286.131z"/> </svg> </a></div><div class="icon"> <a title="GitHub is where development takes place on Istio code" href="https://github.com/istio/community"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 478.165 478.165"><path d="M349.22,55.768c6.136,14.046,10.241,37.556,4.224,54.69 c24.426,20.999,33.073,71.904,21.079,113.704c35.006,2.73,76.666-1.235,103.642,9.484c-25.183-3.248-59.651-9.563-91.987-7.431 c-6.136,0.458-15.361-0.239-14.903,8.408c37.735,3.008,75.092,6.117,105.894,15.779c-30.702-4.981-67.74-12.552-105.894-13.668 c-15.54,30.921-47.239,46.262-90.991,49.49c4.682,10.261,13.847,14.066,15.879,30.702c3.267,24.406-4.881,60.328,3.208,76.686 c4.064,7.89,10.579,8.009,14.863,14.604c-10.699,12.871-37.257-1.395-40.186-14.604c-5.14-22.852,7.89-58.256-6.415-73.737 c0.996,24.865-5.718,59.85,0.996,82.145c2.789,8.806,10.659,12.113,8.647,20.063c-49.809,5.08-28.989-64.373-37.177-105.356 c-7.471,0.697-4.204,11.197-4.224,15.76c-0.199,40.106,8.189,94.836-34.846,89.556c-1.315-8.348,5.838-11.217,8.467-19.007 c7.91-22.434-1.454-56.045,2.112-83.161c-16.417,12.512,1.793,55.666-8.428,77.961c-5.838,12.671-24.785,18.27-39.19,12.651 c1.873-9.464,11.695-7.989,15.879-16.875c5.818-12.452,0.02-30.244,2.092-48.494c-30.423,6.097-53.993-0.877-65.608-20.023 c-5.12-8.507-6.356-18.708-12.632-26.219c-6.117-7.551-16.098-8.507-19.087-18.808c37.755-9.185,39.17,38.771,73.06,39.807 c10.44,0.418,15.799-2.909,25.402-5.16c2.749-12.113,8.428-21.039,16.875-27.494c-42.078-5.658-76.865-18.788-93.023-50.466 c-38.293,1.893-73.339,7.013-105.894,14.843c29.547-10.679,65.807-14.604,104.778-15.819c-2.351-13.807-22.434-10.022-34.866-9.543 C47.677,227.17,18.449,230.138,0,233.645c26.817-9.543,64.233-8.348,100.454-8.428c-11.038-34.767-7.232-90.014,17.015-110.615 c-6.854-17.254-4.722-45.346,4.184-58.834c27.036,1.175,43.374,12.891,60.388,24.247c21.019-6.017,43.035-9.045,71.904-7.451 
c12.133,0.677,24.705,6.097,33.731,5.32c8.906-0.877,18.728-10.898,27.534-14.843C326.507,58.099,336.17,56.206,349.22,55.768z"/> </svg> </a></div><div class="icon"> <a title="Access our team drive if you'd like to take a look at the Istio technical design documents" href="https://groups.google.com/forum/#!forum/istio-team-drive-access"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 207.027 207.027"><path d="M69.866,15.557L0,138.919l28.732,52.552l143.288-0.029l35.008-59.588L136.39,15.735L69.866,15.557z M17.166,139.046 L74.268,38.205L91.21,67.783L33.24,168.447L17.166,139.046z M99.841,82.851l23.805,41.558l-47.732-0.006L99.841,82.851z M163.434,176.443l-117.332,0.024l21.53-37.065l64.606,0.008l0.067,0.119l52.865-0.085L163.434,176.443z M140.932,124.411 L90.157,35.767l-2.966-5.178l40.751,0.121l57.003,93.706L140.932,124.411z"/> </svg> </a></div><div class="icon"> <a title="If you'd like to contribute to the Istio project, consider participating in our working groups" href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -45 439.833 439.833"><polygon points="246.048,195.833 299.966,235.085 319.497,227.296 276.278,195.833"/><polygon points="193.786,195.833 163.556,195.833 120.33,227.3 139.862,235.089"/><path d="M219.927,11.558c-23.854,0-37.057,12.362-36.814,36.182c0.348,32.623,14.211,52.414,36.814,52.068 c0,0,36.802,1.492,36.802-52.068C256.729,23.918,244.294,11.558,219.927,11.558z"/><path d="M285.017,124.567l-36.77-14.659l-8.608-7.256c-2.274-1.922-5.636-1.78-7.741,0.317l-11.973,11.904l-12.008-11.907 c-2.109-2.094-5.465-2.229-7.736-0.313l-8.611,7.256l-36.77,14.661c-11.842,4.715-11.83,46.647-12.848,50.497h155.93 C296.866,171.228,296.862,129.28,285.017,124.567z"/><path d="M77.976,228.568c0,0,36.801,1.492,36.801-52.068c0-23.82-12.434-36.182-36.801-36.182 c-23.854,0-37.057,12.362-36.814,36.182C41.509,209.124,55.372,228.915,77.976,228.568z"/><path 
d="M143.065,253.329l-36.77-14.658l-8.609-7.256c-2.275-1.923-5.635-1.781-7.742,0.315l-11.971,11.904l-12.008-11.908 c-2.109-2.094-5.465-2.229-7.736-0.312l-8.611,7.256l-36.77,14.66C1.006,258.045,1.018,299.977,0,303.827h155.93 C154.915,299.988,154.911,258.042,143.065,253.329z"/><path d="M361.878,228.568c0,0,36.801,1.492,36.801-52.068c0-23.82-12.434-36.182-36.801-36.182 c-23.854,0-37.057,12.362-36.812,36.182C325.411,209.124,339.274,228.915,361.878,228.568z"/><path d="M426.968,253.329l-36.77-14.658l-8.609-7.256c-2.273-1.923-5.635-1.781-7.742,0.315l-11.971,11.904l-12.008-11.908 c-2.109-2.094-5.465-2.229-7.736-0.312l-8.61,7.256l-36.771,14.66c-11.842,4.715-11.83,46.646-12.848,50.497h155.93 C438.817,299.988,438.812,258.042,426.968,253.329z"/> </svg> </a></div><div class="icon"> <a title="Interactively discuss development issues with the Istio community on Slack (invitation-only)" href="https://istio.slack.com"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 31.444 31.443"><path d="M31.202,16.369c-0.62-1.388-2.249-2.011-3.637-1.391l-1.325,0.594l-3.396-7.591l1.325-0.592 c1.388-0.622,2.01-2.25,1.389-3.637c-0.62-1.389-2.248-2.012-3.637-1.39l-1.324,0.593l-0.593-1.326 c-0.621-1.388-2.249-2.009-3.637-1.388c-1.388,0.62-2.009,2.247-1.389,3.637l0.593,1.325L7.98,8.598L7.388,7.273 c-0.621-1.39-2.249-2.009-3.637-1.39C2.363,6.504,1.742,8.132,2.362,9.52l0.592,1.324L1.63,11.438 c-1.388,0.621-2.01,2.247-1.389,3.636c0.62,1.388,2.249,2.01,3.637,1.39l1.325-0.594l3.394,7.592l-1.325,0.592 c-1.388,0.621-2.009,2.25-1.389,3.637c0.621,1.389,2.249,2.011,3.637,1.391l1.324-0.593l0.593,1.325 c0.621,1.389,2.249,2.01,3.637,1.389c1.387-0.62,2.009-2.248,1.388-3.636l-0.591-1.326l7.591-3.394l0.592,1.321 c0.621,1.391,2.248,2.013,3.637,1.392c1.388-0.619,2.01-2.248,1.389-3.637l-0.592-1.324l1.323-0.594 C31.201,19.384,31.823,17.757,31.202,16.369z M13.623,21.215l-3.395-7.593l7.591-3.394l3.395,7.591L13.623,21.215z"/> </svg> </a></div></div><div class="row justify-content-end text-right"><p class="text-right 
tag">for developers</p></div></div></div></div></div></footer></div><script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script> <script src="https://www.google.com/cse/brand?form=search_form"></script> <script src="/v0.7/js/misc.min.js"></script></body></html>