<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Consuming External TCP Services"><meta name=description content="Describes a simple scenario based on Istio's Bookinfo example."><meta name=author content="Vadim Eisenberg"><meta name=keywords content=microservices,services,mesh,traffic-management,egress,tcp><meta property=og:title content="Consuming External TCP Services"><meta property=og:type content=website><meta property=og:description content="Describes a simple scenario based on Istio's Bookinfo example."><meta property=og:url content=/v1.2/blog/2018/egress-tcp/><meta property=og:image content=/v1.2/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.2 / Consuming External TCP Services</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.2/feed.xml><link rel="shortcut icon" href=/v1.2/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.2/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.2/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.2/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.2/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.2/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.2/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.2/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.2/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.2/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.2/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.2/css/all.css><script src=/v1.2/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.2";const docTitle="Consuming External TCP Services";const iconFile="\/v1.2/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.2/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.2/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 
230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.2</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.2/docs/>Docs</a>
<span title="Posts about using Istio.">Blog</span>
<a title="Frequently Asked Questions about Istio." href=/v1.2/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.2/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2018\/egress-tcp\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2018\/egress-tcp\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.2/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card0 title="Blog posts for 2019." aria-controls=card0-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2019 Posts</button><div class=body aria-labelledby=card0 role=region id=card0-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card0><li role=none><a role=treeitem title="Istio 1.1.14 patch release." href=/v1.2/blog/2019/announcing-1.1.14/>Announcing Istio 1.1.14</a></li><li role=none><a role=treeitem title="Istio 1.2.5 patch release." href=/v1.2/blog/2019/announcing-1.2.5/>Announcing Istio 1.2.5</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.1 end of life announcement." href=/v1.2/blog/2019/announcing-1.1-eol/>Support for Istio 1.1 ends on September 19th, 2019</a></li><li role=none><a role=treeitem title="Istio 1.1.13 patch release." href=/v1.2/blog/2019/announcing-1.1.13/>Announcing Istio 1.1.13</a></li><li role=none><a role=treeitem title="Istio 1.2.4 patch release." href=/v1.2/blog/2019/announcing-1.2.4/>Announcing Istio 1.2.4</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for multiple CVEs." href=/v1.2/blog/2019/istio-security-003-004/>Security Update - ISTIO-SECURITY-003 and ISTIO-SECURITY-004</a></li><li role=none><a role=treeitem title="The design principles behind Istio's APIs and how those APIs are evolving." href=/v1.2/blog/2019/evolving-istios-apis/>The Evolution of Istio's APIs</a></li><li role=none><a role=treeitem title="Istio 1.1.12 patch release." 
href=/v1.2/blog/2019/announcing-1.1.12/>Announcing Istio 1.1.12</a></li><li role=none><a role=treeitem title="Istio 1.2.3 patch release." href=/v1.2/blog/2019/announcing-1.2.3/>Announcing Istio 1.2.3</a></li><li role=none><a role=treeitem title="Comparison of alternative solutions to control egress traffic including performance considerations." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></li><li role=none><a role=treeitem title="Use Istio Egress Traffic Control to prevent attacks involving egress traffic." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></li><li role=none><a role=treeitem title="Tools and guidance for evaluating Istio's data plane performance." href=/v1.2/blog/2019/performance-best-practices/>Best Practices: Benchmarking Service Mesh Performance</a></li><li role=none><a role=treeitem title="Istio 1.1.11 patch release." href=/v1.2/blog/2019/announcing-1.1.11/>Announcing Istio 1.1.11</a></li><li role=none><a role=treeitem title="Istio 1.0.9 patch release." href=/v1.2/blog/2019/announcing-1.0.9/>Announcing Istio 1.0.9</a></li><li role=none><a role=treeitem title="Istio 1.1.10 patch release." href=/v1.2/blog/2019/announcing-1.1.10/>Announcing Istio 1.1.10</a></li><li role=none><a role=treeitem title="Istio 1.2.2 patch release." href=/v1.2/blog/2019/announcing-1.2.2/>Announcing Istio 1.2.2</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for CVE-2019-12995." href=/v1.2/blog/2019/cve-2019-12995/>Security Update - CVE-2019-12995</a></li><li role=none><a role=treeitem title="Istio 1.2.1 patch release." href=/v1.2/blog/2019/announcing-1.2.1/>Announcing Istio 1.2.1</a></li><li role=none><a role=treeitem title="Istio 1.0 end of life announcement." 
href=/v1.2/blog/2019/announcing-1.0-eol-final/>Support for Istio 1.0 has ended</a></li><li role=none><a role=treeitem title="Istio 1.2 release announcement." href=/v1.2/blog/2019/announcing-1.2/>Announcing Istio 1.2</a></li><li role=none><a role=treeitem title="Istio 1.1.9 patch release." href=/v1.2/blog/2019/announcing-1.1.9/>Announcing Istio 1.1.9</a></li><li role=none><a role=treeitem title="Istio 1.0.8 patch release." href=/v1.2/blog/2019/announcing-1.0.8/>Announcing Istio 1.0.8</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of Istio self-signed root certificate." href=/v1.2/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></li><li role=none><a role=treeitem title="Istio 1.1.8 patch release." href=/v1.2/blog/2019/announcing-1.1.8/>Announcing Istio 1.1.8</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for CVE-2019-12243." href=/v1.2/blog/2019/cve-2019-12243/>Security Update - CVE-2019-12243</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.0 end of life announcement." href=/v1.2/blog/2019/announcing-1.0-eol/>Support for Istio 1.0 ends on June 19th, 2019</a></li><li role=none><a role=treeitem title="Attacks involving egress traffic and requirements for egress traffic control." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></li><li role=none><a role=treeitem title="Istio 1.1.7 patch release." href=/v1.2/blog/2019/announcing-1.1.7/>Announcing Istio 1.1.7</a></li><li role=none><a role=treeitem title="Istio 1.1.6 patch release." href=/v1.2/blog/2019/announcing-1.1.6/>Announcing Istio 1.1.6</a></li><li role=none><a role=treeitem title="Istio 1.1.5 patch release." href=/v1.2/blog/2019/announcing-1.1.5/>Announcing Istio 1.1.5</a></li><li role=none><a role=treeitem title="Istio 1.1.4 patch release." 
href=/v1.2/blog/2019/announcing-1.1.4/>Announcing Istio 1.1.4</a></li><li role=none><a role=treeitem title="Istio 1.1.3 patch release." href=/v1.2/blog/2019/announcing-1.1.3/>Announcing Istio 1.1.3</a></li><li role=none><a role=treeitem title="Istio 1.0.7 patch releases." href=/v1.2/blog/2019/announcing-1.0.7/>Announcing Istio 1.0.7 with Important Security Update</a></li><li role=none><a role=treeitem title="Istio 1.1.2 patch release." href=/v1.2/blog/2019/announcing-1.1.2/>Announcing Istio 1.1.2 with Important Security Update</a></li><li role=none><a role=treeitem title="Istio 1.1.1 patch release." href=/v1.2/blog/2019/announcing-1.1.1/>Announcing Istio 1.1.1</a></li><li role=none><a role=treeitem title="Istio 1.1 release announcement." href=/v1.2/blog/2019/announcing-1.1/>Announcing Istio 1.1</a></li><li role=none><a role=treeitem title="An overview of Istio 1.1 performance." href=/v1.2/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance</a></li><li role=none><a role=treeitem title="Istio 1.0.6 patch release." href=/v1.2/blog/2019/announcing-1.0.6/>Announcing Istio 1.0.6</a></li><li role=none><a role=treeitem title="Configuring Istio route rules in a multicluster service mesh." href=/v1.2/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></li><li role=none><a role=treeitem title="Announces the new Istio blog policy." href=/v1.2/blog/2019/sail-the-blog/>Sail the Blog!</a></li><li role=none><a role=treeitem title="De-mystify how Istio manages to plugin its data-plane components into an existing deployment." href=/v1.2/blog/2019/data-plane-setup/>Demystifying Istio's Sidecar Injection Model</a></li><li role=none><a role=treeitem title="Verifies the performance impact of adding an egress gateway." href=/v1.2/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></li><li role=none><a role=treeitem title="Addressing application startup ordering and startup latency using AppSwitch." 
href=/v1.2/blog/2019/appswitch/>Sidestepping Dependency Ordering with AppSwitch</a></li><li role=none><a role=treeitem title="Istio has a new discussion board." href=/v1.2/blog/2019/announcing-discuss.istio.io/>Announcing discuss.istio.io</a></li><li role=none><a role=treeitem title="Describes how to deploy a custom ingress gateway using cert-manager manually." href=/v1.2/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></li></ul></div></div><div class=card><button class="header dynamic" id=card1 title="Blog posts for 2018." aria-controls=card1-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2018 Posts</button><div class="body default" aria-labelledby=card1 role=region id=card1-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card1><li role=none><a role=treeitem title="Istio 1.0.5 patch release." href=/v1.2/blog/2018/announcing-1.0.5/>Announcing Istio 1.0.5</a></li><li role=none><a role=treeitem title="Istio 1.0.4 patch release." href=/v1.2/blog/2018/announcing-1.0.4/>Announcing Istio 1.0.4</a></li><li role=none><a role=treeitem title="How to use Istio for traffic management without deploying sidecar proxies." href=/v1.2/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></li><li role=none><a role=treeitem title="Istio 1.0.3 patch release." href=/v1.2/blog/2018/announcing-1.0.3/>Announcing Istio 1.0.3</a></li><li role=none><a role=treeitem title="Istio 1.0.2 patch release." href=/v1.2/blog/2018/announcing-1.0.2/>Announcing Istio 1.0.2</a></li><li role=none><a role=treeitem title="Istio 1.0.1 patch release." 
href=/v1.2/blog/2018/announcing-1.0.1/>Announcing Istio 1.0.1</a></li><li role=none><a role=treeitem title="Istio hosting an all day Twitch stream to celebrate the 1.0 release." href=/v1.2/blog/2018/istio-twitch-stream/>All Day Istio Twitch Stream</a></li><li role=none><a role=treeitem title="Istio is ready for production use with its 1.0 release." href=/v1.2/blog/2018/announcing-1.0/>Announcing Istio 1.0</a></li><li role=none><a role=treeitem title="How HP is building its next-generation footwear personalization platform on Istio." href=/v1.2/blog/2018/hp/>Istio a Game Changer for HP's FitStation Platform</a></li><li role=none><a role=treeitem title="Automatic application onboarding and latency optimizations using AppSwitch." href=/v1.2/blog/2018/delayering-istio/>Delayering Istio with AppSwitch</a></li><li role=none><a role=treeitem title="Describe Istio's authorization feature and how to use it in various use cases." href=/v1.2/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></li><li role=none><a role=treeitem title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver." href=/v1.2/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></li><li role=none><a role=treeitem title="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic." href=/v1.2/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1alpha3 routing API." href=/v1.2/blog/2018/v1alpha3-routing/>Introducing the Istio v1alpha3 routing API</a></li><li role=none><a role=treeitem title="Describes how to configure Istio ingress with a network load balancer on AWS." 
href=/v1.2/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a></li><li role=none><a role=treeitem title="Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment." href=/v1.2/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></li><li role=none><a role=treeitem title="An introduction to safer, lower-risk deployments and release to production." href=/v1.2/blog/2018/traffic-mirroring/>Traffic Mirroring with Istio for Testing in Production</a></li><li role=none><span role=treeitem class=current title="Describes a simple scenario based on Istio's Bookinfo example.">Consuming External TCP Services</span></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card2 title="Blog posts for 2017." aria-controls=card2-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2017 Posts</button><div class=body aria-labelledby=card2 role=region id=card2-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card2><li role=none><a role=treeitem title="Improving availability and reducing latency." href=/v1.2/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture." href=/v1.2/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="Istio 0.2 announcement." href=/v1.2/blog/2017/0.2-announcement/>Announcing Istio 0.2</a></li><li role=none><a role=treeitem title="How Kubernetes Network Policy relates to Istio policy." href=/v1.2/blog/2017/0.1-using-network-policy/>Using Network Policy with Istio</a></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments." 
href=/v1.2/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Auth 0.1 announcement." href=/v1.2/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li><li role=none><a role=treeitem title="Istio 0.1 announcement." href=/v1.2/blog/2017/0.1-announcement/>Introducing Istio</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.2/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.2/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.2/blog/2018/ title="Blog posts for 2018.">2018 Posts</a></li><li>Consuming External TCP Services</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Consuming External TCP Services</h1><p class=subtitle>Mesh-external Service Entries for TCP traffic</p><p class=byline><span>By</span>
<span class=attribution>Vadim Eisenberg</span><span> | </span><span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#calendar"/></svg><span> </span>February 6, 2018<span> </span>(updated on February 10, 2019)</span><span> | </span><span title="2329 words"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#clock"/></svg><span> </span>11 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Bookinfo sample application with external ratings database"><a href=#bookinfo-sample-application-with-external-ratings-database>Bookinfo sample application with external ratings database</a><ol><li role=none aria-label="Setting up the database for ratings data"><a href=#setting-up-the-database-for-ratings-data>Setting up the database for ratings data</a><li role=none aria-label="Initial setting of Bookinfo application"><a href=#initial-setting-of-bookinfo-application>Initial setting of Bookinfo application</a><li role=none aria-label="Use the database for ratings data in Bookinfo application"><a href=#use-the-database-for-ratings-data-in-bookinfo-application>Use the database for ratings data in Bookinfo application</a><li role=none aria-label="Access the webpage"><a href=#access-the-webpage>Access the webpage</a><li role=none aria-label="Mesh-external service entry for an external MySQL instance"><a href=#mesh-external-service-entry-for-an-external-mysql-instance>Mesh-external service entry for an external MySQL instance</a></ol></li><li role=none aria-label="Motivation for egress TCP traffic control"><a href=#motivation-for-egress-tcp-traffic-control>Motivation for egress TCP traffic control</a><li role=none aria-label="Service entries for TCP traffic"><a href=#service-entries-for-tcp-traffic>Service entries for TCP traffic</a><li role=none aria-label="Relation to mesh expansion"><a href=#relation-to-mesh-expansion>Relation to mesh expansion</a><li role=none aria-label=Cleanup><a 
href=#cleanup>Cleanup</a><li role=none aria-label=Conclusion><a href=#conclusion>Conclusion</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.2/img/icons.svg#callout-tip"/></svg></div><div class=content>This blog post was updated on July 23, 2018 to use the new
<a href=/v1.2/blog/2018/v1alpha3-routing/>v1alpha3 traffic management API</a>. If you need to use the old version, follow these <a href=https://archive.istio.io/v0.7/blog/2018/egress-tcp.html>docs</a>.</div></aside></div><p>In my previous blog post, <a href=/v1.2/blog/2018/egress-https/>Consuming External Web Services</a>, I described how external services
can be consumed by in-mesh Istio applications via HTTPS. In this post, I demonstrate consuming external services
over TCP. You will use the <a href=/v1.2/docs/examples/bookinfo/>Istio Bookinfo sample application</a>, the version in which the book
ratings data is persisted in a MySQL database. You deploy this database outside the cluster and configure the
<em>ratings</em> microservice to use it. You define a
<a href=/v1.2/docs/reference/config/networking/v1alpha3/service-entry/>Service Entry</a> to allow the in-mesh applications to
access the external database.</p><h2 id=bookinfo-sample-application-with-external-ratings-database>Bookinfo sample application with external ratings database</h2><p>First, you set up a MySQL database instance to hold book ratings data outside of your Kubernetes cluster. Then you
modify the <a href=/v1.2/docs/examples/bookinfo/>Bookinfo sample application</a> to use your database.</p><h3 id=setting-up-the-database-for-ratings-data>Setting up the database for ratings data</h3><p>For this task you set up an instance of <a href=https://www.mysql.com>MySQL</a>. You can use any MySQL instance; I used
<a href=https://www.ibm.com/cloud/compose/mysql>Compose for MySQL</a>. I used <code>mysqlsh</code>
(<a href=https://dev.mysql.com/doc/mysql-shell/en/>MySQL Shell</a>) as a MySQL client to feed the ratings data.</p><ol><li><p>Set the <code>MYSQL_DB_HOST</code> and <code>MYSQL_DB_PORT</code> environment variables:</p><pre><code class=language-bash data-expandlinks=true>$ export MYSQL_DB_HOST=&lt;your MySQL database host&gt;
$ export MYSQL_DB_PORT=&lt;your MySQL database port&gt;
</code></pre><p>In case of a local MySQL database with the default port, the values are <code>localhost</code> and <code>3306</code>, respectively.</p></li><li><p>To initialize the database, run the following command, entering the password when prompted. The command is
performed with the credentials of the <code>admin</code> user, created by default by
<a href=https://www.ibm.com/cloud/compose/mysql>Compose for MySQL</a>. Because the command pipes a downloaded SQL script directly into a session with administrative privileges, you may want to download the script and read it before running it.</p><pre><code class=language-bash data-expandlinks=true>$ curl -s https://raw.githubusercontent.com/istio/istio/release-1.2/samples/bookinfo/src/mysql/mysqldb-init.sql | mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT
</code></pre><p><em><strong>OR</strong></em></p><p>When using the <code>mysql</code> client and a local MySQL database, run:</p><pre><code class=language-bash data-expandlinks=true>$ curl -s https://raw.githubusercontent.com/istio/istio/release-1.2/samples/bookinfo/src/mysql/mysqldb-init.sql | mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT
</code></pre></li><li><p>Create a user with the name <code>bookinfo</code> and grant it the <em>SELECT</em> privilege on the <code>test.ratings</code> table:</p><pre><code class=language-bash data-expandlinks=true>$ mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e "CREATE USER 'bookinfo' IDENTIFIED BY '&lt;password you choose&gt;'; GRANT SELECT ON test.ratings to 'bookinfo';"
</code></pre><p><em><strong>OR</strong></em></p><p>For <code>mysql</code> and the local database, the command is:</p><pre><code class=language-bash data-expandlinks=true>$ mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e "CREATE USER 'bookinfo' IDENTIFIED BY '&lt;password you choose&gt;'; GRANT SELECT ON test.ratings to 'bookinfo';"
</code></pre><p>Here you apply the <a href=https://en.wikipedia.org/wiki/Principle_of_least_privilege>principle of least privilege</a>. This
means that you do not use your <code>admin</code> user in the Bookinfo application. Instead, you create a special user for the
Bookinfo application, <code>bookinfo</code>, with minimal privileges. In this case, the <em>bookinfo</em> user only has the <code>SELECT</code>
privilege on a single table.</p><p>After running the command to create the user, you may want to remove it from your bash history: check the number of the last
command and run <code>history -d &lt;the number of the command that created the user&gt;</code>. You don’t want the password of the
new user to be stored in the bash history. Because the password is passed on the command line, it may also be visible to other local users in the process list while the command runs. If you’re using <code>mysql</code>, remove the last command from the
<code>~/.mysql_history</code> file as well. Read more about password protection of the newly created user in <a href=https://dev.mysql.com/doc/refman/5.5/en/create-user.html>MySQL documentation</a>.</p></li><li><p>Inspect the created ratings to see that everything worked as expected:</p><pre><code class=language-bash data-expandlinks=true>$ mysqlsh --sql --ssl-mode=REQUIRED -u bookinfo -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e "select * from test.ratings;"
Enter password:
+----------+--------+
| ReviewID | Rating |
+----------+--------+
| 1 | 5 |
| 2 | 4 |
+----------+--------+
</code></pre><p><em><strong>OR</strong></em></p><p>For <code>mysql</code> and the local database:</p><pre><code class=language-bash data-expandlinks=true>$ mysql -u bookinfo -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e "select * from test.ratings;"
Enter password:
+----------+--------+
| ReviewID | Rating |
+----------+--------+
| 1 | 5 |
| 2 | 4 |
+----------+--------+
</code></pre></li><li><p>Set the ratings temporarily to <code>1</code> to provide a visual clue when our database is used by the Bookinfo <em>ratings</em>
service:</p><pre><code class=language-bash data-expandlinks=true>$ mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e "update test.ratings set rating=1; select * from test.ratings;"
Enter password:
Rows matched: 2 Changed: 2 Warnings: 0
+----------+--------+
| ReviewID | Rating |
+----------+--------+
| 1 | 1 |
| 2 | 1 |
+----------+--------+
</code></pre><p><em><strong>OR</strong></em></p><p>For <code>mysql</code> and the local database:</p><pre><code class=language-bash data-expandlinks=true>$ mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e "update test.ratings set rating=1; select * from test.ratings;"
Enter password:
+----------+--------+
| ReviewID | Rating |
+----------+--------+
| 1 | 1 |
| 2 | 1 |
+----------+--------+
</code></pre><p>You used the <code>admin</code> user (and <code>root</code> for the local database) in the last command since the <code>bookinfo</code> user does not
have the <code>UPDATE</code> privilege on the <code>test.ratings</code> table.</p></li></ol><p>Now you are ready to deploy a version of the Bookinfo application that will use your database.</p><h3 id=initial-setting-of-bookinfo-application>Initial setting of Bookinfo application</h3><p>To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with <a href=/v1.2/docs/setup/kubernetes/install/kubernetes/#installation-steps>Istio installed</a>. Then you deploy the
<a href=/v1.2/docs/examples/bookinfo/>Istio Bookinfo sample application</a>, <a href=/v1.2/docs/examples/bookinfo/#apply-default-destination-rules>apply the default destination rules</a>, and <a href=/v1.2/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy>change Istio to the blocking-egress-by-default policy</a>.</p><p>This application uses the <code>ratings</code> microservice to fetch
book ratings, a number between 1 and 5. The ratings are displayed as stars for each review. There are several versions
of the <code>ratings</code> microservice. Some use <a href=https://www.mongodb.com>MongoDB</a>, others use <a href=https://www.mysql.com>MySQL</a>
as their database.</p><p>The example commands in this blog post work with Istio 0.8+, with or without
<a href=/v1.2/docs/concepts/security/#mutual-tls-authentication>mutual TLS</a> enabled.</p><p>As a reminder, here is the end-to-end architecture of the application from the
<a href=/v1.2/docs/examples/bookinfo/>Bookinfo sample application</a>.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:59.086918235567985%><a data-skipendnotes=true href=/v1.2/docs/examples/bookinfo/withistio.svg title="The original Bookinfo application"><img class=element-to-stretch src=/v1.2/docs/examples/bookinfo/withistio.svg alt="The original Bookinfo application"></a></div><figcaption>The original Bookinfo application</figcaption></figure><h3 id=use-the-database-for-ratings-data-in-bookinfo-application>Use the database for ratings data in Bookinfo application</h3><ol><li><p>Modify the deployment spec of a version of the <em>ratings</em> microservice that uses a MySQL database, to use your
database instance. The spec is in <a href=https://github.com/istio/istio/blob/release-1.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml><code>samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml</code></a>
of an Istio release archive. Edit the following lines:</p><pre><code class=language-yaml data-expandlinks=true>- name: MYSQL_DB_HOST
value: mysqldb
- name: MYSQL_DB_PORT
|
|
value: "3306"
|
|
- name: MYSQL_DB_USER
|
|
value: root
|
|
- name: MYSQL_DB_PASSWORD
|
|
value: password
|
|
</code></pre><p>Replace the values in the snippet above, specifying the database host, port, user, and password. Note that the
|
|
correct way to pass passwords to a container through environment variables in Kubernetes is <a href=https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables>to use secrets</a>. For this
example task only, you may want to write the password directly in the deployment spec. <strong>Do not do it</strong> in a real
environment! A password written in the deployment spec can be read by anyone who can view the spec, and it ends up wherever the spec is stored or committed. I also assume everyone realizes that <code>"password"</code> should not be used as a password, and that a real deployment should connect as a dedicated database user with only the privileges it needs rather than as <code>root</code>…</p></li><li><p>Apply the modified spec to deploy the version of the <em>ratings</em> microservice, <em>v2-mysql</em>, that will use your
|
|
database.</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml@
|
|
deployment "ratings-v2-mysql" created
|
|
</code></pre></div></li><li><p>Route all the traffic destined to the <em>reviews</em> service to its <em>v3</em> version. You do this to ensure that the
|
|
<em>reviews</em> service always calls the <em>ratings</em> service. In addition, route all the traffic destined to the <em>ratings</em>
|
|
service to <em>ratings v2-mysql</em> that uses your database.</p><p>Specify the routing for both services above by adding two
|
|
<a href=/v1.2/docs/reference/config/networking/v1alpha3/virtual-service/>virtual services</a>. These virtual services are
|
|
specified in <code>samples/bookinfo/networking/virtual-service-ratings-mysql.yaml</code> of an Istio release archive.
|
|
<strong><em>Important:</em></strong> make sure you
|
|
<a href=/v1.2/docs/examples/bookinfo/#apply-default-destination-rules>applied the default destination rules</a> before running the
|
|
following command.</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f @samples/bookinfo/networking/virtual-service-ratings-mysql.yaml@
|
|
</code></pre></div></li></ol><p>The updated architecture appears below. Note that the blue arrows inside the mesh mark the traffic configured according
|
|
to the virtual services we added. According to the virtual services, the traffic is sent to <em>reviews v3</em> and
|
|
<em>ratings v2-mysql</em>.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:59.314858206480224%><a data-skipendnotes=true href=/v1.2/blog/2018/egress-tcp/./bookinfo-ratings-v2-mysql-external.svg title="The Bookinfo application with ratings v2-mysql and an external MySQL database"><img class=element-to-stretch src=/v1.2/blog/2018/egress-tcp/./bookinfo-ratings-v2-mysql-external.svg alt="The Bookinfo application with ratings v2-mysql and an external MySQL database"></a></div><figcaption>The Bookinfo application with ratings v2-mysql and an external MySQL database</figcaption></figure><p>Note that the MySQL database is outside the Istio service mesh, or more precisely outside the Kubernetes cluster. The
|
|
boundary of the service mesh is marked by a dashed line.</p><h3 id=access-the-webpage>Access the webpage</h3><p>Access the webpage of the application, after
|
|
<a href=/v1.2/docs/examples/bookinfo/#determining-the-ingress-ip-and-port>determining the ingress IP and port</a>.</p><p>You have a problem… Instead of the rating stars, the message <em>“Ratings service is currently unavailable”</em> is
|
|
displayed below each review:</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:36.18705035971223%><a data-skipendnotes=true href=/v1.2/blog/2018/egress-tcp/./errorFetchingBookRating.png title="The Ratings service error messages"><img class=element-to-stretch src=/v1.2/blog/2018/egress-tcp/./errorFetchingBookRating.png alt="The Ratings service error messages"></a></div><figcaption>The Ratings service error messages</figcaption></figure><p>As in <a href=/v1.2/blog/2018/egress-https/>Consuming External Web Services</a>, you experience <strong>graceful service degradation</strong>,
|
|
which is good. The application did not crash due to the error in the <em>ratings</em> microservice. The webpage of the
|
|
application correctly displayed the book information, the details, and the reviews, just without the rating stars.</p><p>You have the same problem as in <a href=/v1.2/blog/2018/egress-https/>Consuming External Web Services</a>, namely all the traffic
|
|
outside the Kubernetes cluster, both TCP and HTTP, is blocked by default by the sidecar proxies. To enable such traffic
|
|
for TCP, a mesh-external service entry for TCP must be defined.</p><h3 id=mesh-external-service-entry-for-an-external-mysql-instance>Mesh-external service entry for an external MySQL instance</h3><p>TCP mesh-external service entries come to our rescue.</p><ol><li><p>Get the IP address of your MySQL database instance. As an option, you can use the
|
|
<a href=https://linux.die.net/man/1/host>host</a> command:</p><pre><code class=language-bash data-expandlinks=true>$ export MYSQL_DB_IP=$(host $MYSQL_DB_HOST | grep " has address " | cut -d" " -f4)
|
|
</code></pre><p>For a local database, set <code>MYSQL_DB_IP</code> to contain the IP of your machine, accessible from your cluster.</p></li><li><p>Define a TCP mesh-external service entry:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - <<EOF
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: ServiceEntry
|
|
metadata:
|
|
name: mysql-external
|
|
spec:
|
|
hosts:
|
|
- $MYSQL_DB_HOST
|
|
addresses:
|
|
- $MYSQL_DB_IP/32
|
|
ports:
|
|
- name: tcp
|
|
number: $MYSQL_DB_PORT
|
|
protocol: tcp
|
|
location: MESH_EXTERNAL
|
|
EOF
|
|
</code></pre></li><li><p>Review the service entry you just created and check that it contains the correct values:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl get serviceentry mysql-external -o yaml
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: ServiceEntry
|
|
metadata:
|
|
...
|
|
</code></pre></li></ol><p>Note that for a TCP service entry, you specify <code>tcp</code> as the protocol of a port of the entry. Also note that you have to
|
|
specify the IP of the external service in the list of addresses, as a <a href=https://tools.ietf.org/html/rfc2317>CIDR</a> block
with suffix <code>32</code>, that is, a block that contains exactly that one address.</p><p>I will talk more about TCP service entries
|
|
<a href=#service-entries-for-tcp-traffic>below</a>. For now, verify that the service entry we added fixed the problem. Access the
|
|
webpage and see if the stars are back.</p><p>It worked! Accessing the web page of the application displays the ratings without error:</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:36.69064748201439%><a data-skipendnotes=true href=/v1.2/blog/2018/egress-tcp/./externalMySQLRatings.png title="Book Ratings Displayed Correctly"><img class=element-to-stretch src=/v1.2/blog/2018/egress-tcp/./externalMySQLRatings.png alt="Book Ratings Displayed Correctly"></a></div><figcaption>Book Ratings Displayed Correctly</figcaption></figure><p>Note that you see a one-star rating for both displayed reviews, as expected. You changed the ratings to be one star to
|
|
provide us with a visual clue that our external database is indeed being used.</p><p>As with service entries for HTTP/HTTPS, you can delete and create service entries for TCP using <code>kubectl</code>, dynamically.</p><h2 id=motivation-for-egress-tcp-traffic-control>Motivation for egress TCP traffic control</h2><p>Some in-mesh Istio applications must access external services, for example legacy systems. In many cases, the access is
|
|
not performed over HTTP or HTTPS protocols. Other TCP protocols are used, such as database-specific protocols like
|
|
<a href=https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/>MongoDB Wire Protocol</a> and <a href=https://dev.mysql.com/doc/internals/en/client-server-protocol.html>MySQL Client/Server Protocol</a> to communicate with external databases.</p><p>Next let me provide more details about the service entries for TCP traffic.</p><h2 id=service-entries-for-tcp-traffic>Service entries for TCP traffic</h2><p>The service entries for enabling TCP traffic to a specific port must specify <code>TCP</code> as the protocol of the port.
|
|
Additionally, for the <a href=https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/>MongoDB Wire Protocol</a>, the
|
|
protocol can be specified as <code>MONGO</code>, instead of <code>TCP</code>.</p><p>For the <code>addresses</code> field of the entry, a block of IPs in <a href=https://tools.ietf.org/html/rfc2317>CIDR</a>
|
|
notation must be used. Note that the <code>hosts</code> field is ignored for TCP service entries, which means the entry allows traffic by destination address and port rather than by hostname.</p><p>To enable TCP traffic to an external service by its hostname, all the IPs of the hostname must be specified. Each IP
|
|
must be specified by a CIDR block.</p><p>Note that not all the IPs of an external service are always known. To enable egress TCP traffic, only the IPs that are
|
|
used by the applications must be specified.</p><p>Also note that the IPs of an external service are not always static, for example in the case of
|
|
<a href=https://en.wikipedia.org/wiki/Content_delivery_network>CDNs</a>. Sometimes the IPs are static most of the time, but can
|
|
be changed from time to time, for example due to infrastructure changes. In these cases, if the range of the possible
|
|
IPs is known, you should specify the range by CIDR blocks. Keep the blocks as narrow as you can, since the entry opens egress to every address in the range. If the range of the possible IPs is not known, service
|
|
entries for TCP cannot be used and
|
|
<a href=/v1.2/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services>the external services must be called directly</a>,
|
|
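bypassing the sidecar proxies. Traffic that bypasses the sidecars is not subject to Istio's egress control or monitoring for those destinations, so it has to be restricted and observed by other means.</p><h2 id=relation-to-mesh-expansion>Relation to mesh expansion</h2><p>Note that the scenario described in this post is different from the mesh expansion scenario, described in the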
|
|
<a href=/v1.2/docs/examples/integrating-vms/>Integrating Virtual Machines</a> example. In that scenario, a MySQL instance runs on an
|
|
external
|
|
(outside the cluster) machine (a bare metal or a VM), integrated with the Istio service mesh. The MySQL service becomes
|
|
a first-class citizen of the mesh with all the beneficial features of Istio applicable. Among other things, the service
|
|
becomes addressable by a local cluster domain name, for example by <code>mysqldb.vm.svc.cluster.local</code>, and the communication
|
|
to it can be secured by
|
|
<a href=/v1.2/docs/concepts/security/#mutual-tls-authentication>mutual TLS authentication</a>. There is no need to create a service
|
|
entry to access this service; however, the service must be registered with Istio. To enable such integration, Istio
|
|
components (<em>Envoy proxy</em>, <em>node-agent</em>, <em>istio-agent</em>) must be installed on the machine and the Istio control plane
|
|
(<em>Pilot</em>, <em>Mixer</em>, <em>Citadel</em>) must be accessible from it. See the
|
|
<a href=/v1.2/docs/setup/kubernetes/additional-setup/mesh-expansion/>Istio Mesh Expansion</a> instructions for more details.</p><p>In our case, the MySQL instance can run on any machine or can be provisioned as a service by a cloud provider. There is
|
|
no requirement to integrate the machine with Istio. The Istio control plane does not have to be accessible from the
|
|
machine. In the case of MySQL as a service, the machine which MySQL runs on may not be accessible, and installing on it
|
|
the required components may be impossible. In our case, the MySQL instance is addressable by its global domain name,
|
|
which could be beneficial if the consuming applications expect to use that domain name. This is especially relevant when
|
|
that expected domain name cannot be changed in the deployment configuration of the consuming applications.</p><h2 id=cleanup>Cleanup</h2><ol><li><p>Drop the <code>test</code> database and the <code>bookinfo</code> user:</p><pre><code class=language-bash data-expandlinks=true>$ mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e "drop database test; drop user bookinfo;"
|
|
</code></pre><p><em><strong>OR</strong></em></p><p>For <code>mysql</code> and the local database:</p><pre><code class=language-bash data-expandlinks=true>$ mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e "drop database test; drop user bookinfo;"
|
|
</code></pre></li><li><p>Remove the virtual services:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ kubectl delete -f @samples/bookinfo/networking/virtual-service-ratings-mysql.yaml@
|
|
Deleted config: virtual-service/default/reviews
|
|
Deleted config: virtual-service/default/ratings
|
|
</code></pre></div></li><li><p>Undeploy <em>ratings v2-mysql</em>:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml@
|
|
deployment "ratings-v2-mysql" deleted
|
|
</code></pre></div></li><li><p>Delete the service entry:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl delete serviceentry mysql-external -n default
|
|
Deleted config: serviceentry mysql-external
|
|
</code></pre></li></ol><h2 id=conclusion>Conclusion</h2><p>In this blog post, I demonstrated how the microservices in an Istio service mesh can consume external services via TCP.
|
|
Under the blocking-by-default egress policy configured in the initial setting, Istio blocks all the traffic, TCP and HTTP, to the hosts outside the cluster. To enable such traffic for
|
|
TCP, TCP mesh-external service entries must be created for the service mesh.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></p><p class=desc>Describes a simple scenario based on Istio's Bookinfo example.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></p><p class=desc>Comparison of alternative solutions to control egress traffic including performance considerations.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></p><p class=desc>Use Istio Egress Traffic Control to prevent attacks involving egress traffic.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></p><p class=desc>Attacks involving egress traffic and requirements for egress traffic control.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></p><p class=desc>Verifies the performance impact of adding an egress gateway.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></p><p class=desc>Describes how to configure Istio for monitoring and access policies of HTTP egress traffic.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="An introduction to safer, lower-risk deployments and release to production." 
href=/v1.2/blog/2018/traffic-mirroring/><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#left-arrow"/></svg>Traffic Mirroring with Istio for Testing in Production</a></div><div class=right><a title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-https/>Consuming External Web Services<svg class="icon"><use xlink:href="/v1.2/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Bookinfo sample application with external ratings database"><a href=#bookinfo-sample-application-with-external-ratings-database>Bookinfo sample application with external ratings database</a><ol><li role=none aria-label="Setting up the database for ratings data"><a href=#setting-up-the-database-for-ratings-data>Setting up the database for ratings data</a><li role=none aria-label="Initial setting of Bookinfo application"><a href=#initial-setting-of-bookinfo-application>Initial setting of Bookinfo application</a><li role=none aria-label="Use the database for ratings data in Bookinfo application"><a href=#use-the-database-for-ratings-data-in-bookinfo-application>Use the database for ratings data in Bookinfo application</a><li role=none aria-label="Access the webpage"><a href=#access-the-webpage>Access the webpage</a><li role=none aria-label="Mesh-external service entry for an external MySQL instance"><a href=#mesh-external-service-entry-for-an-external-mysql-instance>Mesh-external service entry for an external MySQL instance</a></ol></li><li role=none aria-label="Motivation for egress TCP traffic control"><a href=#motivation-for-egress-tcp-traffic-control>Motivation for egress TCP traffic control</a><li role=none aria-label="Service entries for TCP traffic"><a href=#service-entries-for-tcp-traffic>Service entries for TCP traffic</a><li role=none 
aria-label="Relation to mesh expansion"><a href=#relation-to-mesh-expansion>Relation to mesh expansion</a><li role=none aria-label=Cleanup><a href=#cleanup>Cleanup</a><li role=none aria-label=Conclusion><a href=#conclusion>Conclusion</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.2.5 now" href=https://github.com/istio/istio/releases/tag/1.2.5 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#download"/></svg>
|
|
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#discourse"/></svg></a>
|
|
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#stackoverflow"/></svg></a>
|
|
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#slack"/></svg></a>
|
|
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
|
|
1.2.5<br>© 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on September 12, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#github"/></svg></a>
|
|
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#drive"/></svg></a>
|
|
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#top"/></svg></button></div></body></html> |