mirror of https://github.com/istio/istio.io.git
291 lines
34 KiB
HTML
291 lines
34 KiB
HTML
<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Monitoring Blocked and Passthrough External Service Traffic"><meta name=description content="How can you use Istio to monitor blocked and passthrough external traffic."><meta name=author content="Neeraj Poddar (Aspen Mesh)"><meta name=keywords content="microservices,services,mesh,monitoring,blackhole,passthrough"><meta property="og:title" content="Monitoring Blocked and Passthrough External Service Traffic"><meta property="og:type" content="website"><meta property="og:description" content="How can you use Istio to monitor blocked and passthrough external traffic."><meta property="og:url" content="/v1.14/blog/2019/monitoring-external-service-traffic/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.14 / Monitoring Blocked and Passthrough External Service Traffic</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
|
|
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.14/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.14/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.14/feed.xml><link rel="shortcut icon" href=/v1.14/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.14/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.14/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.14/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.14/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.14/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.14/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.14/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.14/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.14/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.14/favicons/favicon.svg><link rel=icon type=image/png href=/v1.14/favicons/favicon.png><link rel=mask-icon href=/v1.14/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.14/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.14/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.14/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.14",docTitle="Monitoring Blocked and Passthrough External Service Traffic",iconFile="/v1.14/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
|
|
<script src=/v1.14/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.14/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.14/img/icons.svg#menu-hamburger"/></svg></button>
|
|
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.14/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.14/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.14/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.14/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.14/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.14/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.14/img/icons.svg#magnifier"/></svg></button>
|
|
<a href=/v1.14/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
|
|
<input type=hidden name=ie value=utf-8>
|
|
<input type=hidden name=hl value=en>
|
|
<input type=hidden id=search-page-url value=/search>
|
|
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label="Search this site" placeholder=Search>
|
|
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon menu-close"><use xlink:href="/v1.14/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Monitoring Blocked and Passthrough External Service Traffic</h1><p>How can you use Istio to monitor blocked and passthrough external traffic.</p></div><p class=post-author>Sep 28, 2019 <span>|</span> By Neeraj Poddar - Aspen Mesh</p><div><p>Understanding, controlling and securing your external service access is one
|
|
of the key benefits that you get from a service mesh like Istio. From a security
|
|
and operations point of view, it is critical to monitor what external service traffic
|
|
is getting blocked as they might surface possible misconfigurations or a
|
|
security vulnerability if an application is attempting to communicate with a
|
|
service that it should not be allowed to. Similarly, if you currently have a
|
|
policy of allowing any external service access, it is beneficial to monitor
|
|
the traffic so you can incrementally add explicit Istio configuration to allow
|
|
access and better secure your cluster. In either case, having visibility into this
|
|
traffic via telemetry is quite helpful as it enables you to create alerts and
|
|
dashboards, and better reason about your security posture. This was a highly
|
|
requested feature by production users of Istio and we are excited that the
|
|
support for this was added in release 1.3.</p><p>To implement this, the Istio <a href=https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/metrics>default
|
|
metrics</a> are augmented with
|
|
explicit labels to capture blocked and passthrough external service traffic.
|
|
This blog will cover how you can use these augmented metrics to monitor all
|
|
external service traffic.</p><p>The Istio control plane configures the sidecar proxy with
|
|
predefined clusters called BlackHoleCluster and Passthrough which block or
|
|
allow all traffic respectively. To understand these clusters, let’s start with
|
|
what external and internal services mean in the context of Istio service mesh.</p><h2 id=external-and-internal-services>External and internal services</h2><p>Internal services are defined as services which are part of your platform
|
|
and are considered to be in the mesh. For internal services, Istio control
|
|
plane provides all the required configuration to the sidecars by default.
|
|
For example, in Kubernetes clusters, Istio configures the sidecars for all
|
|
Kubernetes services to preserve the default Kubernetes behavior of all
|
|
services being able to communicate with other.</p><p>External services are services which are not part of your platform i.e. services
|
|
which are outside of the mesh. For external services, Istio provides two
|
|
options, first to block all external service access (enabled by setting
|
|
<code>global.outboundTrafficPolicy.mode</code> to <code>REGISTRY_ONLY</code>) and
|
|
second to allow all access to external service (enabled by setting
|
|
<code>global.outboundTrafficPolicy.mode</code> to <code>ALLOW_ANY</code>). The default option for this
|
|
setting (as of Istio 1.3) is to allow all external service access. This
|
|
option can be configured via <a href=/v1.14/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-OutboundTrafficPolicy-Mode>mesh configuration</a>.</p><p>This is where the BlackHole and Passthrough clusters are used.</p><h2 id=what-are-blackhole-and-passthrough-clusters>What are BlackHole and Passthrough clusters?</h2><ul><li><strong>BlackHoleCluster</strong> - The BlackHoleCluster is a virtual cluster created
|
|
in the Envoy configuration when <code>global.outboundTrafficPolicy.mode</code> is set to
|
|
<code>REGISTRY_ONLY</code>. In this mode, all traffic to external service is blocked unless
|
|
<a href=/v1.14/docs/reference/config/networking/service-entry>service entries</a>
|
|
are explicitly added for each service. To implement this, the default virtual
|
|
outbound listener at <code>0.0.0.0:15001</code> which uses
|
|
<a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/service_discovery#original-destination>original destination</a>
|
|
is setup as a TCP Proxy with the BlackHoleCluster as the static cluster.
|
|
The configuration for the BlackHoleCluster looks like this:</li></ul><pre><code class=language-json data-expandlinks=true data-repo=istio>{
|
|
"name": "BlackHoleCluster",
|
|
"type": "STATIC",
|
|
"connectTimeout": "10s"
|
|
}
|
|
</code></pre><p>As you can see, this cluster is static with no endpoints so all the traffic
|
|
will be dropped. Additionally, Istio creates unique listeners for every
|
|
port/protocol combination of platform services which gets hit instead of the
|
|
virtual listener if the request is made to an external service on the same port.
|
|
In that case, the route configuration of every virtual route in Envoy is augmented to
|
|
add the BlackHoleCluster like this:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
|
|
"name": "block_all",
|
|
"domains": [
|
|
"*"
|
|
],
|
|
"routes": [
|
|
{
|
|
"match": {
|
|
"prefix": "/"
|
|
},
|
|
"directResponse": {
|
|
"status": 502
|
|
}
|
|
}
|
|
]
|
|
}
|
|
</code></pre><p>The route is setup as <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route_components.proto#envoy-api-field-route-route-direct-response>direct response</a>
|
|
with <code>502</code> response code which means if no other routes match the Envoy proxy
|
|
will directly return a <code>502</code> HTTP status code.</p><ul><li><strong>PassthroughCluster</strong> - The PassthroughCluster is a virtual cluster created
|
|
in the Envoy configuration when <code>global.outboundTrafficPolicy.mode</code> is set to
|
|
<code>ALLOW_ANY</code>. In this mode, all traffic to any external service external is allowed.
|
|
To implement this, the default virtual outbound listener at <code>0.0.0.0:15001</code>
|
|
which uses <code>SO_ORIGINAL_DST</code>, is setup as a TCP Proxy with the PassthroughCluster
|
|
as the static cluster.
|
|
The configuration for the PassthroughCluster looks like this:</li></ul><pre><code class=language-json data-expandlinks=true data-repo=istio>{
|
|
"name": "PassthroughCluster",
|
|
"type": "ORIGINAL_DST",
|
|
"connectTimeout": "10s",
|
|
"lbPolicy": "ORIGINAL_DST_LB",
|
|
"circuitBreakers": {
|
|
"thresholds": [
|
|
{
|
|
"maxConnections": 102400,
|
|
"maxRetries": 1024
|
|
}
|
|
]
|
|
}
|
|
}
|
|
</code></pre><p>This cluster uses the <a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/service_discovery#original-destination>original destination load balancing</a>
|
|
policy which configures Envoy to send the traffic to the
|
|
original destination i.e. passthrough.</p><p>Similar to the BlackHoleCluster, for every port/protocol based listener the
|
|
virtual route configuration is augmented to add the PassthroughCluster as the
|
|
default route:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
|
|
"name": "allow_any",
|
|
"domains": [
|
|
"*"
|
|
],
|
|
"routes": [
|
|
{
|
|
"match": {
|
|
"prefix": "/"
|
|
},
|
|
"route": {
|
|
"cluster": "PassthroughCluster"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
</code></pre><p>Prior to Istio 1.3, there were no metrics reported or if metrics were reported
|
|
there were no explicit labels set when traffic hit these clusters, resulting in
|
|
lack of visibility in traffic flowing through the mesh.</p><p>The next section covers how to take advantage of this enhancement as the metrics
|
|
and labels emitted are conditional on whether the virtual outbound or explicit port/protocol
|
|
listener is being hit.</p><h2 id=using-the-augmented-metrics>Using the augmented metrics</h2><p>To capture all external service traffic in either of the cases (BlackHole or
|
|
Passthrough), you will need to monitor <code>istio_requests_total</code> and
|
|
<code>istio_tcp_connections_closed_total</code> metrics. Depending upon the Envoy listener
|
|
type i.e. TCP proxy or HTTP proxy that gets invoked, one of these metrics
|
|
will be incremented.</p><p>Additionally, in case of a TCP proxy listener in order to see the IP address of
|
|
the external service that is blocked or allowed via BlackHole or Passthrough
|
|
cluster, you will need to add the <code>destination_ip</code> label to the
|
|
<code>istio_tcp_connections_closed_total</code> metric. In this scenario, the host name of
|
|
the external service is not captured. This label is not added by default and can
|
|
be easily added by augmenting the Istio configuration for attribute generation
|
|
and Prometheus handler. You should be careful about cardinality explosion in
|
|
time series if you have many services with non-stable IP addresses.</p><h3 id=passthroughcluster-metrics>PassthroughCluster metrics</h3><p>This section explains the metrics and the labels emitted based on the listener
|
|
type invoked in Envoy.</p><ul><li>HTTP proxy listener: This happens when the port of the external service is
|
|
same as one of the service ports defined in the cluster. In this scenario,
|
|
when the PassthroughCluster is hit, <code>istio_requests_total</code> will get increased
|
|
like this:</li></ul><pre><code class=language-json data-expandlinks=true data-repo=istio>{
|
|
"metric": {
|
|
"__name__": "istio_requests_total",
|
|
"connection_security_policy": "unknown",
|
|
"destination_app": "unknown",
|
|
"destination_principal": "unknown",
|
|
"destination_service": "httpbin.org",
|
|
"destination_service_name": "PassthroughCluster",
|
|
"destination_service_namespace": "unknown",
|
|
"destination_version": "unknown",
|
|
"destination_workload": "unknown",
|
|
"destination_workload_namespace": "unknown",
|
|
"instance": "100.96.2.183:42422",
|
|
"job": "istio-mesh",
|
|
"permissive_response_code": "none",
|
|
"permissive_response_policyid": "none",
|
|
"reporter": "source",
|
|
"request_protocol": "http",
|
|
"response_code": "200",
|
|
"response_flags": "-",
|
|
"source_app": "sleep",
|
|
"source_principal": "unknown",
|
|
"source_version": "unknown",
|
|
"source_workload": "sleep",
|
|
"source_workload_namespace": "default"
|
|
},
|
|
"value": [
|
|
1567033080.282,
|
|
"1"
|
|
]
|
|
}
|
|
</code></pre><p>Note that the <code>destination_service_name</code> label is set to PassthroughCluster to
|
|
indicate that this cluster was hit and the <code>destination_service</code> is set to the
|
|
host of the external service.</p><ul><li>TCP proxy virtual listener - If the external service port doesn’t map to any
|
|
HTTP based service ports within the cluster, this listener is invoked and
|
|
<code>istio_tcp_connections_closed_total</code> is the metric that will be increased:</li></ul><pre><code class=language-json data-expandlinks=true data-repo=istio>{
|
|
"status": "success",
|
|
"data": {
|
|
"resultType": "vector",
|
|
"result": [
|
|
{
|
|
"metric": {
|
|
"__name__": "istio_tcp_connections_closed_total",
|
|
"connection_security_policy": "unknown",
|
|
"destination_app": "unknown",
|
|
"destination_ip": "52.22.188.80",
|
|
"destination_principal": "unknown",
|
|
"destination_service": "unknown",
|
|
"destination_service_name": "PassthroughCluster",
|
|
"destination_service_namespace": "unknown",
|
|
"destination_version": "unknown",
|
|
"destination_workload": "unknown",
|
|
"destination_workload_namespace": "unknown",
|
|
"instance": "100.96.2.183:42422",
|
|
"job": "istio-mesh",
|
|
"reporter": "source",
|
|
"response_flags": "-",
|
|
"source_app": "sleep",
|
|
"source_principal": "unknown",
|
|
"source_version": "unknown",
|
|
"source_workload": "sleep",
|
|
"source_workload_namespace": "default"
|
|
},
|
|
"value": [
|
|
1567033761.879,
|
|
"1"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
</code></pre><p>In this case, <code>destination_service_name</code> is set to PassthroughCluster and
|
|
the <code>destination_ip</code> is set to the IP address of the external service.
|
|
The <code>destination_ip</code> label can be used to do a reverse DNS lookup and
|
|
get the host name of the external service. As this cluster is passthrough,
|
|
other TCP related metrics like <code>istio_tcp_connections_opened_total</code>,
|
|
<code>istio_tcp_received_bytes_total</code> and <code>istio_tcp_sent_bytes_total</code> are also
|
|
updated.</p><h3 id=blackholecluster-metrics>BlackHoleCluster metrics</h3><p>Similar to the PassthroughCluster, this section explains the metrics and the
|
|
labels emitted based on the listener type invoked in Envoy.</p><ul><li>HTTP proxy listener: This happens when the port of the external service is same
|
|
as one of the service ports defined in the cluster.
|
|
In this scenario, when the BlackHoleCluster is hit,
|
|
<code>istio_requests_total</code> will get increased like this:</li></ul><pre><code class=language-json data-expandlinks=true data-repo=istio>{
|
|
"metric": {
|
|
"__name__": "istio_requests_total",
|
|
"connection_security_policy": "unknown",
|
|
"destination_app": "unknown",
|
|
"destination_principal": "unknown",
|
|
"destination_service": "httpbin.org",
|
|
"destination_service_name": "BlackHoleCluster",
|
|
"destination_service_namespace": "unknown",
|
|
"destination_version": "unknown",
|
|
"destination_workload": "unknown",
|
|
"destination_workload_namespace": "unknown",
|
|
"instance": "100.96.2.183:42422",
|
|
"job": "istio-mesh",
|
|
"permissive_response_code": "none",
|
|
"permissive_response_policyid": "none",
|
|
"reporter": "source",
|
|
"request_protocol": "http",
|
|
"response_code": "502",
|
|
"response_flags": "-",
|
|
"source_app": "sleep",
|
|
"source_principal": "unknown",
|
|
"source_version": "unknown",
|
|
"source_workload": "sleep",
|
|
"source_workload_namespace": "default"
|
|
},
|
|
"value": [
|
|
1567034251.717,
|
|
"1"
|
|
]
|
|
}
|
|
</code></pre><p>Note the <code>destination_service_name</code> label is set to BlackHoleCluster and the
|
|
<code>destination_service</code> to the host name of the external service. The response
|
|
code should always be <code>502</code> in this case.</p><ul><li>TCP proxy virtual listener - If the external service port doesn’t map to any
|
|
HTTP based service ports within the cluster, this listener is invoked and
|
|
<code>istio_tcp_connections_closed_total</code> is the metric that will be increased:</li></ul><pre><code class=language-json data-expandlinks=true data-repo=istio>{
|
|
"metric": {
|
|
"__name__": "istio_tcp_connections_closed_total",
|
|
"connection_security_policy": "unknown",
|
|
"destination_app": "unknown",
|
|
"destination_ip": "52.22.188.80",
|
|
"destination_principal": "unknown",
|
|
"destination_service": "unknown",
|
|
"destination_service_name": "BlackHoleCluster",
|
|
"destination_service_namespace": "unknown",
|
|
"destination_version": "unknown",
|
|
"destination_workload": "unknown",
|
|
"destination_workload_namespace": "unknown",
|
|
"instance": "100.96.2.183:42422",
|
|
"job": "istio-mesh",
|
|
"reporter": "source",
|
|
"response_flags": "-",
|
|
"source_app": "sleep",
|
|
"source_principal": "unknown",
|
|
"source_version": "unknown",
|
|
"source_workload": "sleep",
|
|
"source_workload_namespace": "default"
|
|
},
|
|
"value": [
|
|
1567034481.03,
|
|
"1"
|
|
]
|
|
}
|
|
</code></pre><p>Note the <code>destination_ip</code> label represents the IP address of the external
|
|
service and the <code>destination_service_name</code> is set to BlackHoleCluster
|
|
to indicate that this traffic was blocked by the mesh. Is is interesting to
|
|
note that for the BlackHole cluster case, other TCP related metrics like
|
|
<code>istio_tcp_connections_opened_total</code> are not increased as there’s no
|
|
connection that is ever established.</p><p>Monitoring these metrics can help operators easily understand all the external
|
|
services consumed by the applications in their cluster.</p></div><nav class=pagenav><div class=left><a title="Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation." href=/v1.14/blog/2019/isolated-clusters/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.14/img/icons.svg#left-arrow"/></svg>Multi-Mesh Deployments for Isolation and Boundary Protection</a></div><div class=right><a title="Using Istio to secure multi-cloud Kubernetes applications with zero code changes." href=/v1.14/blog/2019/app-identity-and-access-adapter/ class=next-link>App Identity and Access Adapter<svg class="icon right-arrow"><use xlink:href="/v1.14/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.14/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.14/img/icons.svg#drive"/></svg></a><a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.14/img/icons.svg#slack"/></svg></a><a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.14/img/icons.svg#stackoverflow"/></svg></a><a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.14/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.14/ aria-label=logotype><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.14/img/icons.svg#tick"/></svg>English</a>
|
|
<a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://policies.google.com/privacy>Privacy policy</a> |
|
|
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.14/content/en/blog/2019/monitoring-external-service-traffic/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>© 2022 Istio Authors.</span>
|
|
<span class=footer-base-version>Version
|
|
Archive
|
|
1.14.3</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2019/monitoring-external-service-traffic/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2019/monitoring-external-service-traffic/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top" tabindex=-1><svg class="icon top"><use xlink:href="/v1.14/img/icons.svg#top"/></svg></button></div></body></html> |