istio.io/archive/v1.8/docs/reference/config/networking/service-entry/index.html

665 lines
96 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Service Entry"><meta name=description content="Configuration affecting service registry."><meta name=keywords content="microservices,services,mesh"><meta property="og:title" content="Service Entry"><meta property="og:type" content="website"><meta property="og:description" content="Configuration affecting service registry."><meta property="og:url" content="/v1.8/docs/reference/config/networking/service-entry/"><meta property="og:image" content="/v1.8/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.8 / Service Entry</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.8/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.8/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.8/feed.xml><link rel="shortcut icon" href=/v1.8/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.8/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.8/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.8/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.8/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.8/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.8/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.8/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.8/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.8/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.8/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.8/css/all.css><script src=/v1.8/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.8";const docTitle="Service Entry";const iconFile="\/v1.8/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.8/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.8/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><polygon points="65 240 225 240 125 270"/><polygon points="65 230 125 220 125 110"/><polygon points="135 220 225 230 135 30"/></svg></span><span class=name>Istioldie 1.8</span></a><div id=hamburger><svg class="icon hamburger"><use xlink:href="/v1.8/img/icons.svg#hamburger"/></svg></div><div id=header-links><a class=current title="Learn how to deploy, use, and operate Istio." href=/v1.8/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.8/blog/2020/>Blog<i class=dot data-prefix=/blog></i></a>
<a title="Timely news about the Istio project." href=/v1.8/news/>News<i class=dot data-prefix=/news></i></a>
<a title="Frequently Asked Questions about Istio." href=/v1.8/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.8/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon gear"><use xlink:href="/v1.8/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/reference\/config\/networking\/service-entry\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/reference\/config\/networking\/service-entry\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.8/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.8/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon cancel-x"><use xlink:href="/v1.8/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card17 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card17-body><svg class="icon concepts"><use xlink:href="/v1.8/img/icons.svg#concepts"/></svg>Concepts</button><div class=body aria-labelledby=card17 role=region id=card17-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card17><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture, and its design goals." href=/v1.8/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.8/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.8/docs/concepts/security/>Security</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.8/docs/concepts/observability/>Observability</a></li><li role=none><a role=treeitem title="Describes Istio's WebAssembly Plugin system." href=/v1.8/docs/concepts/wasm/>Extensibility</a></li></ul></div></div><div class=card><button class="header dynamic" id=card40 title="Instructions for installing the Istio control plane on Kubernetes." aria-controls=card40-body><svg class="icon setup"><use xlink:href="/v1.8/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card40 role=region id=card40-body><ul role=tree aria-expanded=true aria-labelledby=card40><li role=none><a role=treeitem title="Try Istios features quickly and easily." href=/v1.8/docs/setup/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.8/docs/setup/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.8/docs/setup/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.8/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker Desktop for Istio." href=/v1.8/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.8/docs/setup/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.8/docs/setup/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup kind for Istio." href=/v1.8/docs/setup/platform-setup/kind/>kind</a></li><li role=none><a role=treeitem title="Instructions to setup Kops for use with Istio." href=/v1.8/docs/setup/platform-setup/kops/>Kops</a></li><li role=none><a role=treeitem title="Instructions to setup a Gardener cluster for Istio." href=/v1.8/docs/setup/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to setup a KubeSphere Container Platform for Istio." href=/v1.8/docs/setup/platform-setup/kubesphere/>KubeSphere Container Platform</a></li><li role=none><a role=treeitem title="Instructions to setup MicroK8s for use with Istio." href=/v1.8/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="Instructions to setup minikube for Istio." href=/v1.8/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.8/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.8/docs/setup/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the guide that best suits your needs and platform." href=/v1.8/docs/setup/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Install and customize any Istio configuration profile for in-depth evaluation or production use." href=/v1.8/docs/setup/install/istioctl/>Install with Istioctl</a></li><li role=none><a role=treeitem title="Instructions to install Istio in a Kubernetes cluster using the Istio operator." href=/v1.8/docs/setup/install/operator/>Istio Operator Install</a></li><li role=none><a role=treeitem title="Install and configure Istio for in-depth evaluation." href=/v1.8/docs/setup/install/helm/>Install with Helm</a></li><li role=treeitem aria-label="Install Multicluster"><button aria-hidden=true></button><a title="Install an Istio mesh across multiple Kubernetes clusters." href=/v1.8/docs/setup/install/multicluster/>Install Multicluster</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Initial steps before installing Istio on multiple clusters." href=/v1.8/docs/setup/install/multicluster/before-you-begin/>Before you begin</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple primary clusters." href=/v1.8/docs/setup/install/multicluster/multi-primary/>Install Multi-Primary</a></li><li role=none><a role=treeitem title="Install an Istio mesh across primary and remote clusters." href=/v1.8/docs/setup/install/multicluster/primary-remote/>Install Primary-Remote</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple primary clusters on different networks." href=/v1.8/docs/setup/install/multicluster/multi-primary_multi-network/>Install Multi-Primary on different networks</a></li><li role=none><a role=treeitem title="Install an Istio mesh across primary and remote clusters on different networks." href=/v1.8/docs/setup/install/multicluster/primary-remote_multi-network/>Install Primary-Remote on different networks</a></li><li role=none><a role=treeitem title="Verify that Istio has been installed properly on multiple clusters." href=/v1.8/docs/setup/install/multicluster/verify/>Verify the installation</a></li></ul></li><li role=none><a role=treeitem title="Deploy Istio and connect a workload running within a virtual machine to it." href=/v1.8/docs/setup/install/virtual-machine/>Virtual Machine Installation</a></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Upgrade, downgrade, and manage Istio accross multiple control plane revisions." href=/v1.8/docs/setup/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Upgrade Istio by first running a canary deployment of a new control plane." href=/v1.8/docs/setup/upgrade/canary/>Canary Upgrades</a></li><li role=none><a role=treeitem title="Upgrade or downgrade Istio in place." href=/v1.8/docs/setup/upgrade/in-place/>In-place Upgrades</a></li><li role=none><a role=treeitem title="Configuring and upgrading Istio with gateways." href=/v1.8/docs/setup/upgrade/gateways/>Managing Gateways with Multiple Revisions [experimental]</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.8/docs/setup/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.8/docs/setup/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.8/docs/setup/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.8/docs/setup/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li><li role=none><a role=treeitem title="Install an external control plane and remote cluster." href=/v1.8/docs/setup/additional-setup/external-controlplane/>Install Istio with an External Control Plane</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card73 title="How to do single specific targeted activities with the Istio system." aria-controls=card73-body><svg class="icon tasks"><use xlink:href="/v1.8/img/icons.svg#tasks"/></svg>Tasks</button><div class=body aria-labelledby=card73 role=region id=card73-body><ul role=tree aria-expanded=true aria-labelledby=card73><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.8/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.8/docs/tasks/traffic-management/request-routing/>Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.8/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.8/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.8/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.8/docs/tasks/traffic-management/request-timeouts/>Request Timeouts</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.8/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.8/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li role=treeitem aria-label=Ingress><button aria-hidden=true></button><a title="Controlling ingress traffic for an Istio service mesh." href=/v1.8/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure an Istio gateway to expose a service outside of the service mesh." href=/v1.8/docs/tasks/traffic-management/ingress/ingress-control/>Ingress Gateways</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS." href=/v1.8/docs/tasks/traffic-management/ingress/secure-ingress/>Secure Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.8/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Describes how to configure a Kubernetes Ingress object to expose a service outside of the service mesh." href=/v1.8/docs/tasks/traffic-management/ingress/kubernetes-ingress/>Kubernetes Ingress</a></li><li role=none><a role=treeitem title="Describes how to configure the Kubernetes Service APIs with Istio." href=/v1.8/docs/tasks/traffic-management/ingress/service-apis/>Kubernetes Service APIs [Experimental]</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true></button><a title="Controlling egress traffic for an Istio service mesh." href=/v1.8/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.8/docs/tasks/traffic-management/egress/egress-control/>Accessing External Services</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.8/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services using Secret Discovery Service." href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/>Egress Gateways with TLS Origination (SDS)</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services using file mount certificates." href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateways with TLS Origination (File Mount)</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.8/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Egress using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Shows how to configure Istio for Kubernetes External Services." href=/v1.8/docs/tasks/traffic-management/egress/egress-kubernetes-services/>Kubernetes Services for Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.8/docs/tasks/traffic-management/egress/http-proxy/>Using an External HTTPS Proxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.8/docs/tasks/security/>Security</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Certificate Management"><button aria-hidden=true></button><a title="Management of the certificates in Istio." href=/v1.8/docs/tasks/security/cert-management/>Certificate Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how system administrators can configure Istio's CA with a root certificate, signing certificate and key." href=/v1.8/docs/tasks/security/cert-management/plugin-ca-cert/>Plug in CA Certificates</a></li><li role=none><a role=treeitem title="Shows how to provision and manage DNS certificates in Istio." href=/v1.8/docs/tasks/security/cert-management/dns-cert/>Istio DNS Certificate Management</a></li><li role=none><a role=treeitem title="Shows how to use a Custom Certificate Authority (that integrates with the Kubernetes CSR API) to provision Istio workload certificates." href=/v1.8/docs/tasks/security/cert-management/custom-ca-k8s/>Custom CA Integration using Kubernetes CSR [experimental]</a></li></ul></li><li role=treeitem aria-label=Authentication><button aria-hidden=true></button><a title="Controlling mutual TLS and end-user authentication for mesh services." href=/v1.8/docs/tasks/security/authentication/>Authentication</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.8/docs/tasks/security/authentication/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.8/docs/tasks/security/authentication/mtls-migration/>Mutual TLS Migration</a></li></ul></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Shows how to control access to Istio services." href=/v1.8/docs/tasks/security/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how to set up access control for HTTP traffic." href=/v1.8/docs/tasks/security/authorization/authz-http/>Authorization for HTTP traffic</a></li><li role=none><a role=treeitem title="How to set up access control for TCP traffic." href=/v1.8/docs/tasks/security/authorization/authz-tcp/>Authorization for TCP traffic</a></li><li role=none><a role=treeitem title="How to set up access control with JWT in Istio." href=/v1.8/docs/tasks/security/authorization/authz-jwt/>Authorization with JWT</a></li><li role=none><a role=treeitem title="Shows how to set up access control to deny traffic explicitly." href=/v1.8/docs/tasks/security/authorization/authz-deny/>Authorization policies with a deny action</a></li><li role=none><a role=treeitem title="How to set up access control on an ingress gateway." href=/v1.8/docs/tasks/security/authorization/authz-ingress/>Authorization on Ingress Gateway</a></li><li role=none><a role=treeitem title="Shows how to migrate from one trust domain to another without changing authorization policy." href=/v1.8/docs/tasks/security/authorization/authz-td-migration/>Authorization Policy Trust Domain Migration</a></li></ul></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.8/docs/tasks/observability/>Observability</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the collection and querying of metrics within Istio." href=/v1.8/docs/tasks/observability/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.8/docs/tasks/observability/metrics/tcp-metrics/>Collecting Metrics for TCP Services</a></li><li role=none><a role=treeitem title="This task shows you how to customize the Istio metrics." href=/v1.8/docs/tasks/observability/metrics/customize-metrics/>Customizing Istio Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to improve telemetry by grouping requests and responses by their type." href=/v1.8/docs/tasks/observability/metrics/classify-metrics/>Classifying Metrics Based on Request or Response (Experimental)</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.8/docs/tasks/observability/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.8/docs/tasks/observability/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the collection of logs within Istio." href=/v1.8/docs/tasks/observability/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access logs to their standard output." href=/v1.8/docs/tasks/observability/logs/access-log/>Getting Envoy's Access Logs</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.8/docs/tasks/observability/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.8/docs/tasks/observability/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.8/docs/tasks/observability/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.8/docs/tasks/observability/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to Lightstep." href=/v1.8/docs/tasks/observability/distributed-tracing/lightstep/>Lightstep</a></li><li role=none><a role=treeitem title="How to configure tracing options (beta/development)." href=/v1.8/docs/tasks/observability/distributed-tracing/configurability/>Configurability (Beta/Development)</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.8/docs/tasks/observability/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.8/docs/tasks/observability/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card94 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card94-body><svg class="icon examples"><use xlink:href="/v1.8/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card94 role=region id=card94-body><ul role=tree aria-expanded=true aria-labelledby=card94><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.8/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=treeitem aria-label="Virtual Machines"><button aria-hidden=true></button><a title="Examples that add workloads running on virtual machines to an Istio mesh." href=/v1.8/docs/examples/virtual-machines/>Virtual Machines</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Learn how to add a service running on a virtual machine to your single-network Istio mesh." href=/v1.8/docs/examples/virtual-machines/single-network/>Example Application using Virtual Machines in a Single Network Mesh</a></li><li role=none><a role=treeitem title="Learn how to add a service running on a virtual machine to your multi-network Istio mesh." href=/v1.8/docs/examples/virtual-machines/multi-network/>Virtual Machines in Multi-Network Meshes</a></li><li role=none><a role=treeitem title="Run the Bookinfo application with a MySQL service running on a virtual machine within your mesh." href=/v1.8/docs/examples/virtual-machines/bookinfo/>Bookinfo with a Virtual Machine</a></li></ul></li><li role=treeitem aria-label="Learn Microservices using Kubernetes and Istio"><button aria-hidden=true></button><a title="This modular tutorial provides new users with hands-on experience using Istio for common microservices scenarios, one step at a time." href=/v1.8/docs/examples/microservices-istio/>Learn Microservices using Kubernetes and Istio</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/prereq/>Prerequisites</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/setup-kubernetes-cluster/>Setup a Kubernetes Cluster</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/setup-local-computer/>Setup a Local Computer</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/single/>Run a Microservice Locally</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/package-service/>Run ratings in Docker</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/bookinfo-kubernetes/>Run Bookinfo with Kubernetes</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/production-testing/>Test in production</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/add-new-microservice-version/>Add a new version of reviews</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/add-istio/>Enable Istio on productpage</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/enable-istio-all-microservices/>Enable Istio on all the microservices</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/istio-ingress-gateway/>Configure Istio Ingress Gateway</a></li><li role=none><a role=treeitem href=/v1.8/docs/examples/microservices-istio/logs-istio/>Monitoring with Istio</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card118 title="Concepts, tools, and techniques to deploy and manage an Istio mesh." aria-controls=card118-body><svg class="icon guide"><use xlink:href="/v1.8/img/icons.svg#guide"/></svg>Operations</button><div class=body aria-labelledby=card118 role=region id=card118-body><ul role=tree aria-expanded=true aria-labelledby=card118><li role=treeitem aria-label=Deployment><button aria-hidden=true></button><a title="Requirements, concepts, and considerations for setting up an Istio deployment." href=/v1.8/docs/ops/deployment/>Deployment</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes Istio's high-level architecture and design goals." href=/v1.8/docs/ops/deployment/architecture/>Architecture</a></li><li role=none><a role=treeitem title="Describes the options and considerations when configuring your Istio deployment." href=/v1.8/docs/ops/deployment/deployment-models/>Deployment Models</a></li><li role=none><a role=treeitem title="Istio performance and scalability summary." href=/v1.8/docs/ops/deployment/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Requirements of applications deployed in an Istio-enabled cluster." href=/v1.8/docs/ops/deployment/requirements/>Application Requirements</a></li></ul></li><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Advanced concepts and features for configuring a running Istio mesh." href=/v1.8/docs/ops/configuration/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Mesh Configuration"><button aria-hidden=true></button><a title="Helps you manage the global mesh configuration." href=/v1.8/docs/ops/configuration/mesh/>Mesh Configuration</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.8/docs/ops/configuration/mesh/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes how to wait to apply mesh configuration until a resource reaches a given status or readiness." href=/v1.8/docs/ops/configuration/mesh/config-resource-ready/>Wait for Resource Status to Apply Configuration</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.8/docs/ops/configuration/mesh/injection-concepts/>Automatic Sidecar Injection</a></li><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.8/docs/ops/configuration/mesh/app-health-check/>Health Checking of Istio Services</a></li></ul></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.8/docs/ops/configuration/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Information on how to specify protocols." href=/v1.8/docs/ops/configuration/traffic-management/protocol-selection/>Protocol Selection</a></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.8/docs/ops/configuration/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li><li role=none><a role=treeitem title="How to configure TLS settings to secure network traffic." href=/v1.8/docs/ops/configuration/traffic-management/tls-configuration/>TLS Configuration</a></li><li role=none><a role=treeitem title="How to configure gateway network topology." href=/v1.8/docs/ops/configuration/traffic-management/network-topologies/>Configuring Gateway Network Topology [experimental]</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.8/docs/ops/configuration/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Use hardened container images to reduce Istio's attack surface." href=/v1.8/docs/ops/configuration/security/harden-docker-images/>Harden Docker Container Images</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.8/docs/ops/configuration/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.8/docs/ops/configuration/telemetry/>Observability</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.8/docs/ops/configuration/telemetry/envoy-stats/>Envoy Statistics</a></li><li role=none><a role=treeitem title="Configure Prometheus to monitor multicluster Istio." href=/v1.8/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/>Monitoring Multicluster Istio with Prometheus</a></li></ul></li></ul></li><li role=treeitem aria-label="Best Practices"><button aria-hidden=true></button><a title="Best practices for setting up and managing an Istio service mesh." href=/v1.8/docs/ops/best-practices/>Best Practices</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="General best practices when setting up an Istio service mesh." href=/v1.8/docs/ops/best-practices/deployment/>Deployment Best Practices</a></li><li role=none><a role=treeitem title="Configuration best practices to avoid networking or traffic management issues." href=/v1.8/docs/ops/best-practices/traffic-management/>Traffic Management Best Practices</a></li><li role=none><a role=treeitem title="Best practices for securing applications using Istio." href=/v1.8/docs/ops/best-practices/security/>Security Best Practices</a></li><li role=none><a role=treeitem title="Best practices for observing applications using Istio." href=/v1.8/docs/ops/best-practices/observability/>Observability Best Practices</a></li></ul></li><li role=treeitem aria-label="Common Problems"><button aria-hidden=true></button><a title="Describes how to identify and resolve common problems in Istio." href=/v1.8/docs/ops/common-problems/>Common Problems</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Techniques to address common Istio traffic management and network problems." href=/v1.8/docs/ops/common-problems/network-issues/>Traffic Management Problems</a></li><li role=none><a role=treeitem title="Techniques to address common Istio authentication, authorization, and general security-related problems." href=/v1.8/docs/ops/common-problems/security-issues/>Security Problems</a></li><li role=none><a role=treeitem title="Dealing with telemetry collection issues." href=/v1.8/docs/ops/common-problems/observability-issues/>Observability Problems</a></li><li role=none><a role=treeitem title="Resolve common problems with Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.8/docs/ops/common-problems/injection/>Sidecar Injection Problems</a></li><li role=none><a role=treeitem title="Describes how to resolve configuration validation problems." href=/v1.8/docs/ops/common-problems/validation/>Configuration Validation Problems</a></li></ul></li><li role=treeitem aria-label="Diagnostic Tools"><button aria-hidden=true></button><a title="Tools and techniques to help troubleshoot an Istio mesh." href=/v1.8/docs/ops/diagnostic-tools/>Diagnostic Tools</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio includes a supplemental tool that provides debugging and diagnosis for Istio service mesh deployments." href=/v1.8/docs/ops/diagnostic-tools/istioctl/>Using the Istioctl Command-line Tool</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.8/docs/ops/diagnostic-tools/proxy-cmd/>Debugging Envoy and Istiod</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl describe to verify the configurations of a pod in your mesh." href=/v1.8/docs/ops/diagnostic-tools/istioctl-describe/>Understand your Mesh with Istioctl Describe</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl analyze to identify potential issues with your configuration." href=/v1.8/docs/ops/diagnostic-tools/istioctl-analyze/>Diagnose your Configuration with Istioctl Analyze</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into a running istiod component." href=/v1.8/docs/ops/diagnostic-tools/controlz/>Istiod Introspection</a></li><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.8/docs/ops/diagnostic-tools/component-logging/>Component Logging</a></li></ul></li><li role=treeitem aria-label=Integrations><button aria-hidden=true></button><a title="Other softwares that Istio can integrate with to provide additional functionality." href=/v1.8/docs/ops/integrations/>Integrations</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Information on how to integrate with cert-manager." href=/v1.8/docs/ops/integrations/certmanager/>cert-manager</a></li><li role=none><a role=treeitem title="Information on how to integrate with Grafana to set up Istio dashboards." href=/v1.8/docs/ops/integrations/grafana/>Grafana</a></li><li role=none><a role=treeitem title="How to integrate with Jaeger." href=/v1.8/docs/ops/integrations/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Information on how to integrate with Kiali." href=/v1.8/docs/ops/integrations/kiali/>Kiali</a></li><li role=none><a role=treeitem title="How to integrate with Prometheus." href=/v1.8/docs/ops/integrations/prometheus/>Prometheus</a></li><li role=none><a role=treeitem title="How to integrate with Zipkin." href=/v1.8/docs/ops/integrations/zipkin/>Zipkin</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card169 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card169-body><svg class="icon reference"><use xlink:href="/v1.8/img/icons.svg#reference"/></svg>Reference</button><div class="body default" aria-labelledby=card169 role=region id=card169-body><ul role=tree aria-expanded=true aria-labelledby=card169><li role=treeitem aria-label=Configuration><button class=show aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.8/docs/reference/config/>Configuration</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="Configuration affecting Istio control plane installation version and shape." href=/v1.8/docs/reference/config/istio.operator.v1alpha1/>IstioOperator Options</a></li><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.8/docs/reference/config/istio.mesh.v1alpha1/>Global Mesh Options</a></li><li role=none><a role=treeitem title="Describes the structure of messages generated by Istio analyzers." href=/v1.8/docs/reference/config/istio.analysis.v1alpha1/>Analysis Messages</a></li><li role=none><a role=treeitem title="Describes the role of the `status` field in configuration workflow." href=/v1.8/docs/reference/config/config-status/>Configuration Status Field</a></li><li role=treeitem aria-label="Proxy Extensions"><button aria-hidden=true></button><a title="Describes how to configure Istio proxy extensions." href=/v1.8/docs/reference/config/proxy_extensions/>Proxy Extensions</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration for Metadata Exchange Filter." href=/v1.8/docs/reference/config/proxy_extensions/metadata_exchange/>Metadata Exchange Config</a></li><li role=none><a role=treeitem title="Configuration for Stackdriver filter." href=/v1.8/docs/reference/config/proxy_extensions/stackdriver/>Stackdriver Config</a></li><li role=none><a role=treeitem title="Configuration for Attribute Generation plugin." href=/v1.8/docs/reference/config/proxy_extensions/attributegen/>AttributeGen Config</a></li><li role=none><a role=treeitem title="Configuration for AccessLogPolicy Filter." href=/v1.8/docs/reference/config/proxy_extensions/accesslogpolicy/>AccessLogPolicy Config</a></li><li role=none><a role=treeitem title="Configuration for Stats Filter." href=/v1.8/docs/reference/config/proxy_extensions/stats/>Stats Config</a></li><li role=none><a role=treeitem title="How to enable telemetry generation with the Wasm runtime (experimental)." href=/v1.8/docs/reference/config/proxy_extensions/wasm_telemetry/>Wasm-based Telemetry (Experimental)</a></li></ul></li><li role=treeitem aria-label="Traffic Management"><button class=show aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.8/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.8/docs/reference/config/networking/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Customizing Envoy configuration generated by Istio." href=/v1.8/docs/reference/config/networking/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.8/docs/reference/config/networking/gateway/>Gateway</a></li><li role=none><span role=treeitem class=current title="Configuration affecting service registry.">Service Entry</span></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.8/docs/reference/config/networking/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Describes a collection of workload instances." href=/v1.8/docs/reference/config/networking/workload-group/>Workload Group</a></li><li role=none><a role=treeitem title="Configuration affecting VMs onboarded into the mesh." href=/v1.8/docs/reference/config/networking/workload-entry/>Workload Entry</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.8/docs/reference/config/networking/virtual-service/>Virtual Service</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Describes how to configure Istio's security features." href=/v1.8/docs/reference/config/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration to validate JWT." href=/v1.8/docs/reference/config/security/jwt/>JWTRule</a></li><li role=none><a role=treeitem title="Peer authentication configuration for workloads." href=/v1.8/docs/reference/config/security/peer_authentication/>PeerAuthentication</a></li><li role=none><a role=treeitem title="Request authentication configuration for workloads." href=/v1.8/docs/reference/config/security/request_authentication/>RequestAuthentication</a></li><li role=none><a role=treeitem title="Configuration for access control on workloads." href=/v1.8/docs/reference/config/security/authorization-policy/>Authorization Policy</a></li><li role=none><a role=treeitem title="Describes the supported conditions in authorization policies." href=/v1.8/docs/reference/config/security/conditions/>Authorization Policy Conditions</a></li></ul></li><li role=treeitem aria-label="Common Types"><button aria-hidden=true></button><a title="Describes common types in Istio API." href=/v1.8/docs/reference/config/type/>Common Types</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Definition of a workload selector." href=/v1.8/docs/reference/config/type/workload-selector/>Workload Selector</a></li></ul></li><li role=none><a role=treeitem title="Istio standard metrics exported by Istio telemetry." href=/v1.8/docs/reference/config/metrics/>Istio Standard Metrics</a></li><li role=none><a role=treeitem title="Resource annotations used by Istio." href=/v1.8/docs/reference/config/annotations/>Resource Annotations</a></li><li role=treeitem aria-label="Configuration Analysis Messages"><button aria-hidden=true></button><a title="Documents the individual error and warning messages produced during configuration analysis." href=/v1.8/docs/reference/config/analysis/>Configuration Analysis Messages</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0113/>MTLSPolicyConflict</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0109/>ConflictingMeshGatewayVirtualServiceHosts</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0110/>ConflictingSidecarWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0116/>DeploymentAssociatedToMultipleServices</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0117/>DeploymentRequiresServiceAssociated</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0002/>Deprecated</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0104/>GatewayPortNotOnWorkload</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0001/>InternalError</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0125/>InvalidAnnotation</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0122/>InvalidRegexp</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0105/>IstioProxyImageMismatch</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0119/>JwtFailureDueToInvalidServicePortPrefix</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0107/>MisplacedAnnotation</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0108/>UnknownAnnotation</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0111/>MultipleSidecarsWithoutWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0123/>NamespaceMultipleInjectionLabels</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0102/>NamespaceNotInjected</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0127/>NoMatchingWorkloadsFound</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0128/>NoServerCertificateVerificationDestinationLevel</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0129/>NoServerCertificateVerificationPortLevel</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/message-format/>Analyzer Message Format</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0131/>VirtualServiceIneffectiveMatch</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0118/>PortNameIsNotUnderNamingConvention</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0101/>ReferencedResourceNotFound</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0106/>SchemaValidationError</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0130/>VirtualServiceUnreachableRule</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0103/>PodMissingProxy</a></li><li role=none><a role=treeitem href=/v1.8/docs/reference/config/analysis/ist0112/>VirtualServiceDestinationPortSelectorRequired</a></li></ul></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.8/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio control interface." href=/v1.8/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.8/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li role=none><a role=treeitem title="The Istio operator." href=/v1.8/docs/reference/commands/operator/>operator</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.8/docs/reference/commands/pilot-agent/>pilot-agent</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.8/docs/reference/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon pull"><use xlink:href="/v1.8/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.8/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.8/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.8/docs/reference/ title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters.">Reference</a></li><li><a href=/v1.8/docs/reference/config/ title="Detailed information on configuration options.">Configuration</a></li><li><a href=/v1.8/docs/reference/config/networking/ title="Describes how to configure HTTP/TCP routing features.">Traffic Management</a></li><li>Service Entry</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Service Entry</h1><p class=byline><span title="2683 words"><svg class="icon clock"><use xlink:href="/v1.8/img/icons.svg#clock"/></svg><span>&nbsp;</span>13 minute read</span>
<span>&nbsp;</span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=ServiceEntry><a href=#ServiceEntry>ServiceEntry</a><li role=none aria-label=ServiceEntry.Location><a href=#ServiceEntry-Location>ServiceEntry.Location</a><li role=none aria-label=ServiceEntry.Resolution><a href=#ServiceEntry-Resolution>ServiceEntry.Resolution</a></ol><hr></div></nav><p><code>ServiceEntry</code> enables adding additional entries into Istio&rsquo;s
internal service registry, so that auto-discovered services in the
mesh can access/route to these manually specified services. A
service entry describes the properties of a service (DNS name,
VIPs, ports, protocols, endpoints). These services could be
external to the mesh (e.g., web APIs) or mesh-internal services
that are not part of the platform&rsquo;s service registry (e.g., a set
of VMs talking to services in Kubernetes). In addition, the
endpoints of a service entry can also be dynamically selected by
using the <code>workloadSelector</code> field. These endpoints can be VM
workloads declared using the <code>WorkloadEntry</code> object or Kubernetes
pods. The ability to select both pods and VMs under a single
service allows for migration of services from VMs to Kubernetes
without having to change the existing DNS names associated with the
services.</p><p>The following example declares a few external APIs accessed by internal
applications over HTTPS. The sidecar inspects the SNI value in the
ClientHello message to route to the appropriate external service.</p><div id=tabset-docs-reference-config-networking-service-entry-1 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-1-0-panel id=tabset-docs-reference-config-networking-service-entry-1-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-1-1-panel id=tabset-docs-reference-config-networking-service-entry-1-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-1-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-1-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc-https
spec:
hosts:
- api.dropboxapi.com
- www.googleapis.com
- api.facebook.com
location: MESH_EXTERNAL
ports:
- number: 443
name: https
protocol: TLS
resolution: DNS
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-1-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-1-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-https
spec:
hosts:
- api.dropboxapi.com
- www.googleapis.com
- api.facebook.com
location: MESH_EXTERNAL
ports:
- number: 443
name: https
protocol: TLS
resolution: DNS
</code></pre></div></div></div><p>The following configuration adds a set of MongoDB instances running on
unmanaged VMs to Istio&rsquo;s registry, so that these services can be treated
as any other service in the mesh. The associated DestinationRule is used
to initiate mTLS connections to the database instances.</p><div id=tabset-docs-reference-config-networking-service-entry-2 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-2-0-panel id=tabset-docs-reference-config-networking-service-entry-2-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-2-1-panel id=tabset-docs-reference-config-networking-service-entry-2-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-2-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-2-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc-mongocluster
spec:
hosts:
- mymongodb.somedomain # not used
addresses:
- 192.192.192.192/24 # VIPs
ports:
- number: 27018
name: mongodb
protocol: MONGO
location: MESH_INTERNAL
resolution: STATIC
endpoints:
- address: 2.2.2.2
- address: 3.3.3.3
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-2-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-2-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-mongocluster
spec:
hosts:
- mymongodb.somedomain # not used
addresses:
- 192.192.192.192/24 # VIPs
ports:
- number: 27018
name: mongodb
protocol: MONGO
location: MESH_INTERNAL
resolution: STATIC
endpoints:
- address: 2.2.2.2
- address: 3.3.3.3
</code></pre></div></div></div><p>and the associated DestinationRule</p><div id=tabset-docs-reference-config-networking-service-entry-3 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-3-0-panel id=tabset-docs-reference-config-networking-service-entry-3-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-3-1-panel id=tabset-docs-reference-config-networking-service-entry-3-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-3-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-3-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: mtls-mongocluster
spec:
host: mymongodb.somedomain
trafficPolicy:
tls:
mode: MUTUAL
clientCertificate: /etc/certs/myclientcert.pem
privateKey: /etc/certs/client_private_key.pem
caCertificates: /etc/certs/rootcacerts.pem
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-3-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-3-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: mtls-mongocluster
spec:
host: mymongodb.somedomain
trafficPolicy:
tls:
mode: MUTUAL
clientCertificate: /etc/certs/myclientcert.pem
privateKey: /etc/certs/client_private_key.pem
caCertificates: /etc/certs/rootcacerts.pem
</code></pre></div></div></div><p>The following example uses a combination of service entry and TLS
routing in a virtual service to steer traffic based on the SNI value to
an internal egress firewall.</p><div id=tabset-docs-reference-config-networking-service-entry-4 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-4-0-panel id=tabset-docs-reference-config-networking-service-entry-4-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-4-1-panel id=tabset-docs-reference-config-networking-service-entry-4-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-4-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-4-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc-redirect
spec:
hosts:
- wikipedia.org
- &quot;*.wikipedia.org&quot;
location: MESH_EXTERNAL
ports:
- number: 443
name: https
protocol: TLS
resolution: NONE
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-4-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-4-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-redirect
spec:
hosts:
- wikipedia.org
- &quot;*.wikipedia.org&quot;
location: MESH_EXTERNAL
ports:
- number: 443
name: https
protocol: TLS
resolution: NONE
</code></pre></div></div></div><p>And the associated VirtualService to route based on the SNI value.</p><div id=tabset-docs-reference-config-networking-service-entry-5 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-5-0-panel id=tabset-docs-reference-config-networking-service-entry-5-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-5-1-panel id=tabset-docs-reference-config-networking-service-entry-5-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-5-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-5-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: tls-routing
spec:
hosts:
- wikipedia.org
- &quot;*.wikipedia.org&quot;
tls:
- match:
- sniHosts:
- wikipedia.org
- &quot;*.wikipedia.org&quot;
route:
- destination:
host: internal-egress-firewall.ns1.svc.cluster.local
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-5-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-5-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: tls-routing
spec:
hosts:
- wikipedia.org
- &quot;*.wikipedia.org&quot;
tls:
- match:
- sniHosts:
- wikipedia.org
- &quot;*.wikipedia.org&quot;
route:
- destination:
host: internal-egress-firewall.ns1.svc.cluster.local
</code></pre></div></div></div><p>The virtual service with TLS match serves to override the default SNI
match. In the absence of a virtual service, traffic will be forwarded to
the wikipedia domains.</p><p>The following example demonstrates the use of a dedicated egress gateway
through which all external service traffic is forwarded.
The &lsquo;exportTo&rsquo; field allows for control over the visibility of a service
declaration to other namespaces in the mesh. By default, a service is exported
to all namespaces. The following example restricts the visibility to the
current namespace, represented by &ldquo;.&rdquo;, so that it cannot be used by other
namespaces.</p><div id=tabset-docs-reference-config-networking-service-entry-6 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-6-0-panel id=tabset-docs-reference-config-networking-service-entry-6-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-6-1-panel id=tabset-docs-reference-config-networking-service-entry-6-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-6-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-6-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc-httpbin
namespace : egress
spec:
hosts:
- httpbin.com
exportTo:
- &quot;.&quot;
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-6-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-6-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-httpbin
namespace : egress
spec:
hosts:
- httpbin.com
exportTo:
- &quot;.&quot;
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
</code></pre></div></div></div><p>Define a gateway to handle all egress traffic.</p><div id=tabset-docs-reference-config-networking-service-entry-7 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-7-0-panel id=tabset-docs-reference-config-networking-service-entry-7-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-7-1-panel id=tabset-docs-reference-config-networking-service-entry-7-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-7-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-7-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
namespace: istio-system
spec:
selector:
istio: egressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- &quot;*&quot;
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-7-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-7-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: istio-egressgateway
namespace: istio-system
spec:
selector:
istio: egressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- &quot;*&quot;
</code></pre></div></div></div><p>And the associated <code>VirtualService</code> to route from the sidecar to the
gateway service (<code>istio-egressgateway.istio-system.svc.cluster.local</code>), as
well as route from the gateway to the external service. Note that the
virtual service is exported to all namespaces enabling them to route traffic
through the gateway to the external service. Forcing traffic to go through
a managed middle proxy like this is a common practice.</p><div id=tabset-docs-reference-config-networking-service-entry-8 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-8-0-panel id=tabset-docs-reference-config-networking-service-entry-8-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-8-1-panel id=tabset-docs-reference-config-networking-service-entry-8-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-8-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-8-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: gateway-routing
namespace: egress
spec:
hosts:
- httpbin.com
exportTo:
- &quot;*&quot;
gateways:
- mesh
- istio-egressgateway
http:
- match:
- port: 80
gateways:
- mesh
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
- match:
- port: 80
gateways:
- istio-egressgateway
route:
- destination:
host: httpbin.com
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-8-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-8-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: gateway-routing
namespace: egress
spec:
hosts:
- httpbin.com
exportTo:
- &quot;*&quot;
gateways:
- mesh
- istio-egressgateway
http:
- match:
- port: 80
gateways:
- mesh
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
- match:
- port: 80
gateways:
- istio-egressgateway
route:
- destination:
host: httpbin.com
</code></pre></div></div></div><p>The following example demonstrates the use of wildcards in the hosts for
external services. If the connection has to be routed to the IP address
requested by the application (i.e. application resolves DNS and attempts
to connect to a specific IP), the discovery mode must be set to <code>NONE</code>.</p><div id=tabset-docs-reference-config-networking-service-entry-9 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-9-0-panel id=tabset-docs-reference-config-networking-service-entry-9-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-9-1-panel id=tabset-docs-reference-config-networking-service-entry-9-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-9-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-9-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc-wildcard-example
spec:
hosts:
- &quot;*.bar.com&quot;
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: NONE
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-9-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-9-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-wildcard-example
spec:
hosts:
- &quot;*.bar.com&quot;
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: NONE
</code></pre></div></div></div><p>The following example demonstrates a service that is available via a
Unix Domain Socket on the host of the client. The resolution must be
set to STATIC to use Unix address endpoints.</p><div id=tabset-docs-reference-config-networking-service-entry-10 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-10-0-panel id=tabset-docs-reference-config-networking-service-entry-10-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-10-1-panel id=tabset-docs-reference-config-networking-service-entry-10-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-10-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-10-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: unix-domain-socket-example
spec:
hosts:
- &quot;example.unix.local&quot;
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: STATIC
endpoints:
- address: unix:///var/run/example/socket
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-10-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-10-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: unix-domain-socket-example
spec:
hosts:
- &quot;example.unix.local&quot;
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: STATIC
endpoints:
- address: unix:///var/run/example/socket
</code></pre></div></div></div><p>For HTTP-based services, it is possible to create a <code>VirtualService</code>
backed by multiple DNS addressable endpoints. In such a scenario, the
application can use the <code>HTTP_PROXY</code> environment variable to transparently
reroute API calls for the <code>VirtualService</code> to a chosen backend. For
example, the following configuration creates a non-existent external
service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
uk.foo.bar.com:9080, and in.foo.bar.com:7080</p><div id=tabset-docs-reference-config-networking-service-entry-11 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-11-0-panel id=tabset-docs-reference-config-networking-service-entry-11-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-11-1-panel id=tabset-docs-reference-config-networking-service-entry-11-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-11-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-11-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc-dns
spec:
hosts:
- foo.bar.com
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
endpoints:
- address: us.foo.bar.com
ports:
http: 8080
- address: uk.foo.bar.com
ports:
http: 9080
- address: in.foo.bar.com
ports:
http: 7080
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-11-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-11-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-dns
spec:
hosts:
- foo.bar.com
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
endpoints:
- address: us.foo.bar.com
ports:
https: 8080
- address: uk.foo.bar.com
ports:
https: 9080
- address: in.foo.bar.com
ports:
https: 7080
</code></pre></div></div></div><p>With <code>HTTP_PROXY=http://localhost/</code>, calls from the application to
<code>http://foo.bar.com</code> will be load balanced across the three domains
specified above. In other words, a call to <code>http://foo.bar.com/baz</code> would
be translated to <code>http://uk.foo.bar.com/baz</code>.</p><p>The following example illustrates the usage of a <code>ServiceEntry</code>
containing a subject alternate name
whose format conforms to the <a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md>SPIFFE standard</a>:</p><div id=tabset-docs-reference-config-networking-service-entry-12 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-12-0-panel id=tabset-docs-reference-config-networking-service-entry-12-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-12-1-panel id=tabset-docs-reference-config-networking-service-entry-12-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-12-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-12-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: httpbin
namespace : httpbin-ns
spec:
hosts:
- httpbin.com
location: MESH_INTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: STATIC
endpoints:
- address: 2.2.2.2
- address: 3.3.3.3
subjectAltNames:
- &quot;spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account&quot;
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-12-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-12-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: httpbin
namespace : httpbin-ns
spec:
hosts:
- httpbin.com
location: MESH_INTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: STATIC
endpoints:
- address: 2.2.2.2
- address: 3.3.3.3
subjectAltNames:
- &quot;spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account&quot;
</code></pre></div></div></div><p>The following example demonstrates the use of <code>ServiceEntry</code> with a
<code>workloadSelector</code> to handle the migration of a service
<code>details.bookinfo.com</code> from VMs to Kubernetes. The service has two
VM-based instances with sidecars as well as a set of Kubernetes
pods managed by a standard deployment object. Consumers of this
service in the mesh will be automatically load balanced across the
VMs and Kubernetes. VM for the <code>details.bookinfo.com</code>
service. This VM has sidecar installed and bootstrapped using the
<code>details-legacy</code> service account. The sidecar receives HTTP traffic
on port 80 (wrapped in istio mutual TLS) and forwards it to the
application on the localhost on the same port.</p><div id=tabset-docs-reference-config-networking-service-entry-13 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-13-0-panel id=tabset-docs-reference-config-networking-service-entry-13-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-13-1-panel id=tabset-docs-reference-config-networking-service-entry-13-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-13-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-13-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: WorkloadEntry
metadata:
name: details-vm-1
spec:
serviceAccount: details
address: 2.2.2.2
labels:
app: details
instance-id: vm1
---
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadEntry
metadata:
name: details-vm-2
spec:
serviceAccount: details
address: 3.3.3.3
labels:
app: details
instance-id: vm2
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-13-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-13-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
name: details-vm-1
spec:
serviceAccount: details
address: 2.2.2.2
labels:
app: details
instance-id: vm1
---
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
name: details-vm-2
spec:
serviceAccount: details
address: 3.3.3.3
labels:
app: details
instance-id: vm2
</code></pre></div></div></div><p>Assuming there is also a Kubernetes deployment with pod labels
<code>app: details</code> using the same service account <code>details</code>, the
following service entry declares a service spanning both VMs and
Kubernetes:</p><div id=tabset-docs-reference-config-networking-service-entry-14 role=tablist class=tabset><div class=tab-strip data-category-name=example><button aria-selected=true data-category-value=v1alpha3 aria-controls=tabset-docs-reference-config-networking-service-entry-14-0-panel id=tabset-docs-reference-config-networking-service-entry-14-0-tab role=tab><span>v1alpha3</span>
</button><button tabindex=-1 data-category-value=v1beta1 aria-controls=tabset-docs-reference-config-networking-service-entry-14-1-panel id=tabset-docs-reference-config-networking-service-entry-14-1-tab role=tab><span>v1beta1</span></button></div><div class=tab-content><div id=tabset-docs-reference-config-networking-service-entry-14-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-14-0-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: details-svc
spec:
hosts:
- details.bookinfo.com
location: MESH_INTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: STATIC
workloadSelector:
labels:
app: details
</code></pre></div><div hidden id=tabset-docs-reference-config-networking-service-entry-14-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-reference-config-networking-service-entry-14-1-tab><pre><code class=language-yaml>apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: details-svc
spec:
hosts:
- details.bookinfo.com
location: MESH_INTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: STATIC
workloadSelector:
labels:
app: details
</code></pre></div></div></div><h2 id=ServiceEntry>ServiceEntry</h2><section><p>ServiceEntry enables adding additional entries into Istio&rsquo;s internal
service registry.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=ServiceEntry-hosts><td><code>hosts</code></td><td><code>string[]</code></td><td><p>The hosts associated with the ServiceEntry. Could be a DNS
name with wildcard prefix.</p><ol><li>The hosts field is used to select matching hosts in VirtualServices and DestinationRules.</li><li>For HTTP traffic the HTTP Host/Authority header will be matched against the hosts field.</li><li>For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
will be matched against the hosts field.</li></ol><p><strong>NOTE 1:</strong> When resolution is set to type DNS and no endpoints
are specified, the host field will be used as the DNS name of the
endpoint to route traffic to.</p><p><strong>NOTE 2:</strong> If the hostname matches with the name of a service
from another service registry such as Kubernetes that also
supplies its own set of endpoints, the ServiceEntry will be
treated as a decorator of the existing Kubernetes
service. Properties in the service entry will be added to the
Kubernetes service if applicable. Currently, the only the
following additional properties will be considered by <code>istiod</code>:</p><ol><li>subjectAltNames: In addition to verifying the SANs of the
service accounts associated with the pods of the service, the
SANs specified here will also be verified.</li></ol></td><td>Yes</td></tr><tr id=ServiceEntry-addresses><td><code>addresses</code></td><td><code>string[]</code></td><td><p>The virtual IP addresses associated with the service. Could be CIDR
prefix. For HTTP traffic, generated route configurations will include http route
domains for both the <code>addresses</code> and <code>hosts</code> field values and the destination will
be identified based on the HTTP Host/Authority header.
If one or more IP addresses are specified,
the incoming traffic will be identified as belonging to this service
if the destination IP matches the IP/CIDRs specified in the addresses
field. If the Addresses field is empty, traffic will be identified
solely based on the destination port. In such scenarios, the port on
which the service is being accessed must not be shared by any other
service in the mesh. In other words, the sidecar will behave as a
simple TCP proxy, forwarding incoming traffic on a specified port to
the specified destination endpoint IP/host. Unix domain socket
addresses are not supported in this field.</p></td><td>No</td></tr><tr id=ServiceEntry-ports><td><code>ports</code></td><td><code><a href=/v1.8/docs/reference/config/networking/gateway/#Port>Port[]</a></code></td><td><p>The ports associated with the external service. If the
Endpoints are Unix domain socket addresses, there must be exactly one
port.</p></td><td>Yes</td></tr><tr id=ServiceEntry-location><td><code>location</code></td><td><code><a href=#ServiceEntry-Location>Location</a></code></td><td><p>Specify whether the service should be considered external to the mesh
or part of the mesh.</p></td><td>No</td></tr><tr id=ServiceEntry-resolution><td><code>resolution</code></td><td><code><a href=#ServiceEntry-Resolution>Resolution</a></code></td><td><p>Service discovery mode for the hosts. Care must be taken
when setting the resolution mode to NONE for a TCP port without
accompanying IP addresses. In such cases, traffic to any IP on
said port will be allowed (i.e. <code>0.0.0.0:&lt;port></code>).</p></td><td>Yes</td></tr><tr id=ServiceEntry-endpoints><td><code>endpoints</code></td><td><code><a href=/v1.8/docs/reference/config/networking/workload-entry/#WorkloadEntry>WorkloadEntry[]</a></code></td><td><p>One or more endpoints associated with the service. Only one of
<code>endpoints</code> or <code>workloadSelector</code> can be specified.</p></td><td>No</td></tr><tr id=ServiceEntry-workload_selector><td><code>workloadSelector</code></td><td><code><a href=/v1.8/docs/reference/config/networking/sidecar/#WorkloadSelector>WorkloadSelector</a></code></td><td><p>Applicable only for MESH_INTERNAL services. Only one of
<code>endpoints</code> or <code>workloadSelector</code> can be specified. Selects one
or more Kubernetes pods or VM workloads (specified using
<code>WorkloadEntry</code>) based on their labels. The <code>WorkloadEntry</code> object
representing the VMs should be defined in the same namespace as
the ServiceEntry.</p></td><td>No</td></tr><tr id=ServiceEntry-export_to><td><code>exportTo</code></td><td><code>string[]</code></td><td><p>A list of namespaces to which this service is exported. Exporting a service
allows it to be used by sidecars, gateways and virtual services defined in
other namespaces. This feature provides a mechanism for service owners
and mesh administrators to control the visibility of services across
namespace boundaries.</p><p>If no namespaces are specified then the service is exported to all
namespaces by default.</p><p>The value &ldquo;.&rdquo; is reserved and defines an export to the same namespace that
the service is declared in. Similarly the value &ldquo;*&rdquo; is reserved and
defines an export to all namespaces.</p><p>For a Kubernetes Service, the equivalent effect can be achieved by setting
the annotation &ldquo;networking.istio.io/exportTo&rdquo; to a comma-separated list
of namespace names.</p><p>NOTE: in the current release, the <code>exportTo</code> value is restricted to
&ldquo;.&rdquo; or &ldquo;*&rdquo; (i.e., the current namespace or all namespaces).</p></td><td>No</td></tr><tr id=ServiceEntry-subject_alt_names><td><code>subjectAltNames</code></td><td><code>string[]</code></td><td><p>If specified, the proxy will verify that the server certificate&rsquo;s
subject alternate name matches one of the specified values.</p><p>NOTE: When using the workloadEntry with workloadSelectors, the
service account specified in the workloadEntry will also be used
to derive the additional subject alternate names that should be
verified.</p></td><td>No</td></tr></tbody></table></section><h2 id=ServiceEntry-Location>ServiceEntry.Location</h2><section><p>Location specifies whether the service is part of Istio mesh or
outside the mesh. Location determines the behavior of several
features, such as service-to-service mTLS authentication, policy
enforcement, etc. When communicating with services outside the mesh,
Istio&rsquo;s mTLS authentication is disabled, and policy enforcement is
performed on the client-side as opposed to server-side.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ServiceEntry-Location-MESH_EXTERNAL><td><code>MESH_EXTERNAL</code></td><td><p>Signifies that the service is external to the mesh. Typically used
to indicate external services consumed through APIs.</p></td></tr><tr id=ServiceEntry-Location-MESH_INTERNAL><td><code>MESH_INTERNAL</code></td><td><p>Signifies that the service is part of the mesh. Typically used to
indicate services added explicitly as part of expanding the service
mesh to include unmanaged infrastructure (e.g., VMs added to a
Kubernetes based service mesh).</p></td></tr></tbody></table></section><h2 id=ServiceEntry-Resolution>ServiceEntry.Resolution</h2><section><p>Resolution determines how the proxy will resolve the IP addresses of
the network endpoints associated with the service, so that it can
route to one of them. The resolution mode specified here has no impact
on how the application resolves the IP address associated with the
service. The application may still have to use DNS to resolve the
service to an IP so that the outbound traffic can be captured by the
Proxy. Alternatively, for HTTP services, the application could
directly communicate with the proxy (e.g., by setting HTTP_PROXY) to
talk to these services.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ServiceEntry-Resolution-NONE><td><code>NONE</code></td><td><p>Assume that incoming connections have already been resolved (to a
specific destination IP address). Such connections are typically
routed via the proxy using mechanisms such as IP table REDIRECT/
eBPF. After performing any routing related transformations, the
proxy will forward the connection to the IP address to which the
connection was bound.</p></td></tr><tr id=ServiceEntry-Resolution-STATIC><td><code>STATIC</code></td><td><p>Use the static IP addresses specified in endpoints (see below) as the
backing instances associated with the service.</p></td></tr><tr id=ServiceEntry-Resolution-DNS><td><code>DNS</code></td><td><p>Attempt to resolve the IP address by querying the ambient DNS,
during request processing. If no endpoints are specified, the proxy
will resolve the DNS address specified in the hosts field, if
wildcards are not used. If endpoints are specified, the DNS
addresses specified in the endpoints will be resolved to determine
the destination IP address. DNS resolution cannot be used with Unix
domain socket endpoints.</p></td></tr></tbody></table></section></article><nav class=pagenav><div class=left><a title="Configuration affecting edge load balancer." href=/v1.8/docs/reference/config/networking/gateway/><svg class="icon left-arrow"><use xlink:href="/v1.8/img/icons.svg#left-arrow"/></svg>Gateway</a></div><div class=right><a title="Configuration affecting network reachability of a sidecar." href=/v1.8/docs/reference/config/networking/sidecar/>Sidecar<svg class="icon right-arrow"><use xlink:href="/v1.8/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>
<button class="btn feedback" onclick="sendFeedback('en',0)">No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder="Help us improve..." data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label=ServiceEntry><a href=#ServiceEntry>ServiceEntry</a><li role=none aria-label=ServiceEntry.Location><a href=#ServiceEntry-Location>ServiceEntry.Location</a><li role=none aria-label=ServiceEntry.Resolution><a href=#ServiceEntry-Resolution>ServiceEntry.Resolution</a></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.8.3 now" href=/v1.8/docs/setup/getting-started/#download aria-label="Download Istio"><span>download</span><svg class="icon download"><use xlink:href="/v1.8/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon discourse"><use xlink:href="/v1.8/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon stackoverflow"><use xlink:href="/v1.8/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><span>slack</span><svg class="icon slack"><use xlink:href="/v1.8/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon twitter"><use xlink:href="/v1.8/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.8.3<br>&copy; 2020 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on February 9, 2021</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon github"><use xlink:href="/v1.8/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon drive"><use xlink:href="/v1.8/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon working-groups"><use xlink:href="/v1.8/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon top"><use xlink:href="/v1.8/img/icons.svg#top"/></svg></button></div></body></html>