<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Secure Control of Egress Traffic in Istio, part 1"><meta name=description content="Attacks involving egress traffic and requirements for egress traffic control."><meta name=author content="Vadim Eisenberg (IBM)"><meta name=keywords content="microservices,services,mesh,traffic-management,egress,security"><meta property="og:title" content="Secure Control of Egress Traffic in Istio, part 1"><meta property="og:type" content="website"><meta property="og:description" content="Attacks involving egress traffic and requirements for egress traffic control."><meta property="og:url" content="/v1.19/blog/2019/egress-traffic-control-in-istio-part-1/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1200"><meta property="og:image:height" content="600"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.19 / Secure Control of Egress Traffic in Istio, part 1</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.19/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.19/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.19/feed.xml><link rel="shortcut icon" href=/v1.19/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.19/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.19/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.19/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.19/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.19/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.19/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.19/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.19/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.19/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.19/favicons/favicon.svg><link rel=icon type=image/png href=/v1.19/favicons/favicon.png><link rel=mask-icon href=/v1.19/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.19/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.19/css/all.css><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet 
href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.19/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.19",docTitle="Secure Control of Egress Traffic in Istio, part 1",iconFile="/v1.19/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
<script src=/v1.19/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.19/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 
00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.19/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.19/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.19/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.19/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.19/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.19/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.19/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title='Search this site' aria-label=Search><svg class="icon magnifier"><use 
xlink:href="/v1.19/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.19/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='Search this site' placeholder=Search>
<button id=search-close title='Cancel search' type=reset aria-label='Cancel search'><svg class="icon menu-close"><use xlink:href="/v1.19/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container><a href=/v1.19/news/releases/1.19.x/announcing-1.19.4/ class=banner data-title="Latest Release-2023-11-13 00:00:00 +0000 UTC" data-period-start=1699833600000 data-period-end=1700438400000 data-max-impressions=3 data-timeout><div class=content><p>Istio 1.19.4 is now available! Click here to learn more</p></div><div class=frame></div></a></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Secure Control of Egress Traffic in Istio, part 1</h1><p>Attacks involving egress traffic and requirements for egress traffic control.</p></div><p class=post-author>May 22, 2019 <span>|</span> By Vadim Eisenberg - IBM</p><div><p>This is part 1 in a new series about secure control of egress traffic in Istio that I am going to publish.
In this installment, I explain why you should apply egress traffic control to your cluster, the attacks
involving egress traffic you want to prevent, and the requirements for a system for egress traffic control
to do so.
Once you agree that you should control the egress traffic coming from your cluster, the following questions arise:
What is required from a system for secure control of egress traffic? Which is the best solution to fulfill
these requirements? (spoiler: Istio in my opinion)
Future installments will describe
<a href=/v1.19/blog/2019/egress-traffic-control-in-istio-part-2/>the implementation of the secure control of egress traffic in Istio</a>
and compare it with other solutions.</p><p>The most important security aspect for a service mesh is probably ingress traffic. You definitely must prevent attackers
from penetrating the cluster through ingress APIs. Having said that, securing
the traffic leaving the mesh is also very important. Once your cluster is compromised, and you must be
prepared for that scenario, you want to reduce the damage as much as possible and prevent the attackers from using the
cluster for further attacks on external services and legacy systems outside of the cluster. To achieve that goal,
you need secure control of egress traffic.</p><p>Compliance requirements are another reason to implement secure control of egress traffic. For example, the <a href=https://www.pcisecuritystandards.org/pci_security/>Payment Card
Industry (PCI) Data Security Standard</a> requires that inbound
and outbound traffic must be restricted to that which is necessary:</p><div><aside class="callout quote"><div class=type><svg class="large-icon"><use xlink:href="/v1.19/img/icons.svg#callout-quote"/></svg></div><div class=content><em>1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.</em></div></aside></div><p>And specifically regarding outbound traffic:</p><div><aside class="callout quote"><div class=type><svg class="large-icon"><use xlink:href="/v1.19/img/icons.svg#callout-quote"/></svg></div><div class=content><em>1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet&mldr; All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content).</em></div></aside></div><p>Let&rsquo;s start with the attacks that involve egress traffic.</p><h2 id=the-attacks>The attacks</h2><p>An IT organization must assume it will be attacked if it hasn&rsquo;t been attacked already, and that
part of its infrastructure could already be compromised or become compromised in the future.
Once attackers are able to penetrate an application in a cluster, they can proceed to attack external services:
legacy systems, external web services and databases. The attackers may want to steal the data of the application and to
transfer it to their external servers. Attackers&rsquo; malware may require access to attackers&rsquo; servers to download
updates. The attackers may use pods in the cluster to perform DDoS attacks or to break into external systems.
Even though you <a href=https://en.wikipedia.org/wiki/There_are_known_knowns>cannot know</a> all the possible types of
attacks, you want to reduce the possibilities for any attack, both known and unknown.</p><p>External attackers gain access to the application&rsquo;s container from outside the mesh through a
bug in the application, but attackers can also be internal, for example, malicious DevOps people inside the
organization.</p><p>To prevent the attacks described above, some form of egress traffic control must be applied. Let me present egress
traffic control in the following section.</p><h2 id=the-solution-secure-control-of-egress-traffic>The solution: secure control of egress traffic</h2><p>Secure control of egress traffic means monitoring the egress traffic and enforcing all the security policies regarding
the egress traffic.
Monitoring the egress traffic enables you to analyze it, possibly offline, and detect the attacks even if
you were unable to prevent them in real time.
Another good practice to reduce possibilities of attacks is to specify policies that limit access following the
<a href=https://en.wikipedia.org/wiki/Need_to_know#In_computer_technology%5D>Need to know</a> principle: only the applications that
need external services should be allowed to access the external services they need.</p><p>Let me now turn to the requirements for egress traffic control we collected.</p><h2 id=requirements-for-egress-traffic-control>Requirements for egress traffic control</h2><p>My colleagues at IBM and I collected requirements for secure control of egress traffic from several customers, and
combined them with the
<a href=https://docs.google.com/document/d/1-Cq_Y-yuyNklvdnaZF9Qngl3xe0NnArT7Xt_Wno9beg>egress traffic control requirements from Kubernetes Network Special Interest Group</a>.</p><p>Istio 1.1 satisfies all gathered requirements:</p><ol><li><p>Support for <a href=https://en.wikipedia.org/wiki/Transport_Layer_Security>TLS</a> with
<a href=https://en.wikipedia.org/wiki/Server_Name_Indication>SNI</a> or for <a href=/v1.19/docs/reference/glossary/#tls-origination>TLS origination</a> by Istio.</p></li><li><p><strong>Monitor</strong> SNI and the source workload of every egress access.</p></li><li><p>Define and enforce <strong>policies per cluster</strong>, e.g.:</p><ul><li><p>all applications in the cluster may access <code>service1.foo.com</code> (a specific host)</p></li><li><p>all applications in the cluster may access any host of the form <code>*.bar.com</code> (a wildcarded domain)</p></li></ul><p>All unspecified access must be blocked.</p></li><li><p>Define and enforce <strong>policies per source</strong>, <em>Kubernetes-aware</em>:</p><ul><li><p>application <code>A</code> may access <code>*.foo.com</code>.</p></li><li><p>application <code>B</code> may access <code>*.bar.com</code>.</p></li></ul><p>All other access must be blocked, in particular access of application <code>A</code> to <code>service1.bar.com</code>.</p></li><li><p><strong>Prevent tampering</strong>. In case an application pod is compromised, prevent the compromised pod from escaping
monitoring, from sending fake information to the monitoring system, and from breaking the egress policies.</p></li><li><p>Nice to have: traffic control is <strong>transparent</strong> to the applications.</p></li></ol><p>Let me explain each requirement in more detail. The first requirement states that only TLS traffic to the external
services must be supported.
The requirement emerged from the observation that all the traffic that leaves the cluster must be encrypted.
This means that either the applications perform TLS origination or Istio must perform TLS origination
for them.
Note that in the case an application performs TLS origination, the Istio proxies cannot see the original traffic,
only the encrypted one, so the proxies see the TLS protocol only. For the proxies it does not matter if the original
protocol is HTTP or MongoDB; all the Istio proxies can see is TLS traffic.</p><p>The second requirement states that SNI and the source of the traffic must be monitored. Monitoring is the first step to
prevent attacks. Even if attackers were able to access external services from the cluster, if the access is
monitored, there is a chance to discover the suspicious traffic and take corrective action.</p><p>Note that in the case of TLS originated by an application, the Istio sidecar proxies can only see TCP traffic and a
TLS handshake that includes SNI.
A label of the source pod could identify the source of the traffic, but a service account of the pod or some
other source identifier could be used instead. We call this property of an egress control system <em>being Kubernetes-aware</em>:
the system must understand Kubernetes artifacts like pods and service accounts. If the system is not Kubernetes-aware,
it can only monitor the IP address as the identifier of the source.</p><p>The third requirement states that Istio operators must be able to define policies for egress traffic for the entire
cluster.
The policies state which external services may be accessed by any pod in the cluster. The external services can be
identified either by a <a href=https://en.wikipedia.org/wiki/Fully_qualified_domain_name>Fully qualified domain name</a> of the
service, e.g. <code>www.ibm.com</code> or by a wildcarded domain, e.g. <code>*.ibm.com</code>. Only the specified external services may be
accessed, all other egress traffic is blocked.</p><p>This requirement originates from the need to prevent
attackers from accessing malicious sites, for example for downloading updates/instructions for their malware. You also
want to limit the number of external sites that the attackers can access and attack.
You want to allow access only to the external services that the applications in the cluster need to
access and to block access to all the other services; this way you reduce the
<a href=https://en.wikipedia.org/wiki/Attack_surface>attack surface</a>. While the external services
can have their own security mechanisms, you want to exercise <a href=https://en.wikipedia.org/wiki/Defense_in_depth_(computing)>Defense in depth</a> and to have multiple security layers: a security layer in your cluster in addition to
the security layers in the external systems.</p><p>This requirement means that the external services must be identifiable by domain names. We call this property
of an egress control system <em>being DNS-aware</em>.
If the system is not DNS-aware, the external services must be specified by IP addresses.
Using IP addresses is not convenient and often is not feasible, since the IP addresses of a service can change. Sometimes
not all the IP addresses of a service are even known, for example in the case of
<a href=https://en.wikipedia.org/wiki/Content_delivery_network>CDNs</a>.</p><p>The fourth requirement states that the source of the egress traffic must be added to the policies effectively extending
the third requirement.
Policies can specify which source can access which external service and the source must be identified just as in the
second requirement, for example, by a label of the source pod or by the service account of the pod.
It means that policy enforcement must also be <em>Kubernetes-aware</em>.
If policy enforcement is not Kubernetes-aware, the policies must identify the source of traffic by
the IP of the pod, which is not convenient, especially since the pods can come and go, so their IPs are not static.</p><p>The fifth requirement states that even if the cluster is compromised and the attackers control some of the pods, they
must not be able to evade the monitoring or to violate the policies of the egress control system. We say that such a
system provides <em>secure</em> control of egress traffic.</p><p>The sixth requirement states that the traffic control should be provided without changing the application containers, in
particular without changing the code of the applications and without changing the environment of the containers.
We call such a control of egress traffic <em>transparent</em>.</p><p>In the next posts I will show that Istio can function as an example of an egress traffic control system that satisfies
all of these requirements; in particular, it is transparent, DNS-aware, and Kubernetes-aware.</p><h2 id=summary>Summary</h2><p>I hope that you are convinced that controlling egress traffic is important for the security of your cluster. In <a href=/v1.19/blog/2019/egress-traffic-control-in-istio-part-2/>part 2
of this series</a> I describe the Istio way to perform secure
control of egress traffic. In
<a href=/v1.19/blog/2019/egress-traffic-control-in-istio-part-3/>part 3
of this series</a> I compare it with alternative solutions such as
<a href=https://kubernetes.io/docs/concepts/services-networking/network-policies/>Kubernetes Network Policies</a> and legacy
egress proxies/firewalls.</p></div><nav class=pagenav><div class=left><a title="Learn how to extend the lifetime of Istio self-signed root certificate." href=/v1.19/blog/2019/root-transition/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.19/img/icons.svg#left-arrow"/></svg>Extending Istio Self-Signed Root Certificate Lifetime</a></div><div class=right><a title="An overview of Istio 1.1 performance." href=/v1.19/blog/2019/istio1.1_perf/ class=next-link>Architecting Istio 1.1 for Performance<svg class="icon right-arrow"><use xlink:href="/v1.19/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='GitHub is where development takes place on Istio code' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.19/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.19/img/icons.svg#drive"/></svg></a><a class=channel title='Interactively discuss issues with the Istio community on Slack' href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.19/img/icons.svg#slack"/></svg></a><a class=channel title='Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio' href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.19/img/icons.svg#stackoverflow"/></svg></a><a class=channel title='Follow us on Twitter to get the latest news' href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.19/img/icons.svg#twitter"/></svg></a></div><hr 
class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.19/ aria-label=logotype><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 
00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.19/img/icons.svg#tick"/></svg>English</a>
<a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>Terms and Conditions</a> |
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>Privacy policy</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.19/content/en/blog/2019/egress-traffic-control-in-istio-part-1/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2023 the Istio Authors.</span>
<span class=footer-base-version>Version
Archive
1.19.4</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2019/egress-traffic-control-in-istio-part-1/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2019/egress-traffic-control-in-istio-part-1/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title='Back to top' tabindex=-1><svg class="icon top"><use xlink:href="/v1.19/img/icons.svg#top"/></svg></button></div></body></html>