istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v0.8/docs/tasks/traffic-management/egress/index.html

8130 lines
130 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" itemscope itemtype="https://schema.org/WebPage">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="theme-color" content="#466BB0"/>
<meta name="title" content="Control Egress Traffic">
<meta name="description" content="Describes how to configure Istio to route traffic from services in the mesh to external services.">
<meta name="og:title" content="Control Egress Traffic">
<meta name="og:description" content="Describes how to configure Istio to route traffic from services in the mesh to external services.">
<meta name="og:url" content="/v0.8/docs/tasks/traffic-management/egress/">
<meta name="og.site_name" content="Istio">
<title>Istioldie 0.8 / Control Egress Traffic</title>
<script>
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-98480406-2', 'auto');
ga('send', 'pageview');
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
<script>
var branchName = "release-0.8";
</script>
<link rel="alternate" type="application/rss+xml" title="Istio Blog" href="/v0.8/feed.xml">
<link rel="shortcut icon" href="/v0.8/favicons/favicon.ico" >
<link rel="apple-touch-icon" href="/v0.8/favicons/apple-touch-icon-180x180.png" sizes="180x180">
<link rel="icon" type="image/png" href="/v0.8/favicons/favicon-16x16.png" sizes="16x16">
<link rel="icon" type="image/png" href="/v0.8/favicons/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-36x36.png" sizes="36x36">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-48x48.png" sizes="48x48">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-72x72.png" sizes="72x72">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-96x196.png" sizes="96x196">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-144x144.png" sizes="144x144">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-192x192.png" sizes="192x192">
<link rel="manifest" href="/v0.8/manifest.json">
<meta name="apple-mobile-web-app-title" content="Istio">
<meta name="application-name" content="Istio">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.6/css/all.css">
<link rel="stylesheet" href="/v0.8/css/light_theme_archive.css" title="light">
<link rel="alternate stylesheet" href="/v0.8/css/dark_theme_archive.css" title="dark">
<script src="/v0.8/js/styleSwitcher.min.js"></script>
</head>
<body class="language-unknown">
<header>
<nav class="navbar navbar-expand-md navbar-dark fixed-top bg-dark justify-content-between">
<a class="navbar-brand" href="/v0.8/">
<span class="logo"><svg viewBox="0 0 300 300">
<circle cx="150" cy="150" r="150" stroke-width="2" />
<polygon points="65,240 225,240 125,270"/>
<polygon points="65,230 125,220 125,110"/>
<polygon points="135,220 225,230 135,30"/>
</svg>
</span>
<span class="brand-name">Istioldie 0.8</span>
</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse justify-content-end" id="navbarCollapse">
<ul id="navbar-links" class="navbar-nav active">
<li class="nav-item">
<a class="nav-link active" href="/v0.8/docs/">Docs</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/blog/2018/egress-monitoring-access-control/">Blog</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/help/">Help</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/community/">Community</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/about/">About</a>
</li>
<li class="nav-item dropdown" id="gearDropdown" style="white-space: nowrap">
<a href="" class="nav-link" data-toggle="dropdown" aria-label="Tools" aria-haspopup="true" aria-expanded="false">
<i style="width: 1em" class='fa fa-lg fa-cog'></i>
</a>
<div class="dropdown-menu dropdown-menu-right" aria-labelledby="gearDropdown">
<a class="dropdown-item" id="light-theme-item" href="" onclick="setActiveStyleSheet('light');return false;">Light Theme</a>
<a class="dropdown-item" id="dark-theme-item" href="" onclick="setActiveStyleSheet('dark');return false;">Dark Theme</a>
<div class="dropdown-divider"></div>
<h6 class="dropdown-header">Other versions of this site</h6>
<a href="https://istio.io" class="dropdown-item">Current Release</a>
<a href="https://preliminary.istio.io" class="dropdown-item">Next Release</a>
<a href="https://archive.istio.io" class="dropdown-item">Older Releases</a>
</div>
</li>
<li class="nav-item">
<a id="search_show" class="nav-link" href="" aria-label="Search"><i style="width: 1em" class="fa fa-lg fa-search"></i></a>
</li>
</ul>
<form name="cse" id="search_form" class="form-inline mr-sm-2" role="search">
<input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" />
<input type="hidden" name="ie" value="utf-8" />
<input type="hidden" name="hl" value="en" />
<input type="hidden" id="search_page_url" value="/v0.8/search.html" />
<input id="search_textbox" class="form-control" name="q" type="text" aria-label="Search this site"/>
<button id="search_close" type="reset" aria-label="Cancel Search"><i class="far fa-lg fa-times-circle"></i></button>
</form>
</div>
</nav>
</header>
<div class="container-fluid">
<div class="row row-offcanvas">
<div class="col-0 col-md-3 col-xl-2 sidebar-offcanvas">
<nav class="sidebar d-print-none">
<div class="spacer"></div>
<div class="directory" role="tablist">
<div class="card">
<div class="card-header" role="tab" id="header7">
<a data-toggle="collapse" href="#collapse7" title="Concepts help you learn about the different parts of the Istio system and the abstractions it uses." role="button" aria-controls="collapse7">
<div>
Concepts
</div>
</a>
</div>
<div id="collapse7" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header7">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="A broad overview of the Istio system." href="/v0.8/docs/concepts/what-is-istio/">What is Istio? </a>
</label>
<ul class="tree collapse">
<li>
<a title="Provides a conceptual introduction to Istio, including the problems it solves and its high-level architecture." href="/v0.8/docs/concepts/what-is-istio/overview/">Overview</a>
</li>
<li>
<a title="Describes the core principles that Istio&#39;s design adheres to." href="/v0.8/docs/concepts/what-is-istio/goals/">Design Goals</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes the various Istio features focused on traffic routing and control." href="/v0.8/docs/concepts/traffic-management/">Traffic Management </a>
</label>
<ul class="tree collapse">
<li>
<a title="Provides a conceptual overview of traffic management in Istio and the features it enables." href="/v0.8/docs/concepts/traffic-management/overview/">Overview</a>
</li>
<li>
<a title="Introduces Pilot, the component responsible for managing a distributed deployment of Envoy proxies in the service mesh." href="/v0.8/docs/concepts/traffic-management/pilot/">Pilot</a>
</li>
<li>
<a title="Describes how requests are routed between services in an Istio service mesh." href="/v0.8/docs/concepts/traffic-management/request-routing/">Request Routing</a>
</li>
<li>
<a title="Describes how traffic is load balanced across instances of a service in the mesh." href="/v0.8/docs/concepts/traffic-management/load-balancing/">Discovery &amp; Load Balancing</a>
</li>
<li>
<a title="An overview of failure recovery capabilities in Envoy that can be leveraged by unmodified applications to improve robustness and prevent cascading failures." href="/v0.8/docs/concepts/traffic-management/handling-failures/">Handling Failures</a>
</li>
<li>
<a title="Introduces the idea of systematic fault injection that can be used to uncover conflicting failure recovery policies across services." href="/v0.8/docs/concepts/traffic-management/fault-injection/">Fault Injection</a>
</li>
<li>
<a title="Provides a high-level overview of the configuration model used by Istio to configure traffic management rules in the service mesh." href="/v0.8/docs/concepts/traffic-management/rules-configuration/">Rules Configuration</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes Istio&#39;s authorization and authentication functionality." href="/v0.8/docs/concepts/security/">Security </a>
</label>
<ul class="tree collapse">
<li>
<a title="Describes Istio&#39;s authentication policy" href="/v0.8/docs/concepts/security/authn-policy/">Authentication Policy</a>
</li>
<li>
<a title="Describes Istio&#39;s mutual TLS authentication architecture which provides a strong service identity and secure communication channels between services." href="/v0.8/docs/concepts/security/mutual-tls/">Mutual TLS Authentication</a>
</li>
<li>
<a title="Describes Istio RBAC which provides access control for services in Istio Mesh." href="/v0.8/docs/concepts/security/rbac/">Istio Role-Based Access Control (RBAC)</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Introduces the policy control snd telemetry collection mechanisms." href="/v0.8/docs/concepts/policies-and-telemetry/">Policies and Telemetry </a>
</label>
<ul class="tree collapse">
<li>
<a title="Describes the design of the policy and telemetry mechanisms." href="/v0.8/docs/concepts/policies-and-telemetry/overview/">Overview</a>
</li>
<li>
<a title="An overview of the key concepts used to configure Istio&#39;s policy enforcement and telemetry collection features." href="/v0.8/docs/concepts/policies-and-telemetry/config/">Configuration</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header22">
<a data-toggle="collapse" href="#collapse22" title="Setup contains instructions for installing the Istio control plane in various environments (e.g., Kubernetes, Consul, etc.), as well as instructions for installing the sidecar in the application deployment." role="button" aria-controls="collapse22">
<div>
Setup
</div>
</a>
</div>
<div id="collapse22" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header22">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Instructions for installing the Istio control plane on Kubernetes and adding VMs into the mesh." href="/v0.8/docs/setup/kubernetes/">Kubernetes </a>
</label>
<ul class="tree collapse">
<li>
<a title="Quick start instructions to setup the Istio service mesh in a Kubernetes cluster." href="/v0.8/docs/setup/kubernetes/quick-start/">Quick Start</a>
</li>
<li>
<a title="Quick Start instructions to setup the Istio service using Google Kubernetes Engine (GKE)" href="/v0.8/docs/setup/kubernetes/quick-start-gke-dm/">Quick Start with Google Kubernetes Engine</a>
</li>
<li>
<a title="Install Istio with the included Helm chart." href="/v0.8/docs/setup/kubernetes/helm-install/">Installation with Helm</a>
</li>
<li>
<a title="Install Istio with the included Ansible playbook." href="/v0.8/docs/setup/kubernetes/ansible-install/">Installation with Ansible</a>
</li>
<li>
<a title="Instructions for installing the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href="/v0.8/docs/setup/kubernetes/sidecar-injection/">Installing the Istio Sidecar</a>
</li>
<li>
<a title="Instructions for integrating VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href="/v0.8/docs/setup/kubernetes/mesh-expansion/">Mesh Expansion</a>
</li>
<li>
<a title="Install Istio with multicluster support." href="/v0.8/docs/setup/kubernetes/multicluster-install/">Istio Multicluster</a>
</li>
<li>
<a title="This guide demonstrates how to upgrade the Istio control plane and data plane independently." href="/v0.8/docs/setup/kubernetes/upgrading-istio/">Upgrading Istio</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href="/v0.8/docs/setup/consul/">Nomad &amp; Consul </a>
</label>
<ul class="tree collapse">
<li>
<a title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href="/v0.8/docs/setup/consul/quick-start/">Quick Start on Docker</a>
</li>
<li>
<a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href="/v0.8/docs/setup/consul/install/">Installation</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Instructions for installing the Istio control plane in a Eureka based environment." href="/v0.8/docs/setup/eureka/">Eureka </a>
</label>
<ul class="tree collapse">
<li>
<a title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href="/v0.8/docs/setup/eureka/quick-start/">Quick Start on Docker</a>
</li>
<li>
<a title="Instructions for installing the Istio control plane in an Eureka based environment." href="/v0.8/docs/setup/eureka/install/">Installation</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header37">
<a data-toggle="collapse" href="#collapse37" title="Tasks show you how to do a single specific targeted activity with the Istio system." role="button" aria-controls="collapse37">
<div>
Tasks
</div>
</a>
</div>
<div id="collapse37" class="collapse show" data-parent="#sidebar" role="tabpanel" aria-labelledby="header37">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-down'></i>
<a title="Describes tasks that demonstrate traffic routing features of Istio service mesh." href="/v0.8/docs/tasks/traffic-management/">Traffic Management </a>
</label>
<ul class="tree">
<li>
<a title="This task shows you how to configure dynamic request routing based on weights and HTTP headers." href="/v0.8/docs/tasks/traffic-management/request-routing/">Configuring Request Routing</a>
</li>
<li>
<a title="This task shows how to inject delays and test the resiliency of your application." href="/v0.8/docs/tasks/traffic-management/fault-injection/">Fault Injection</a>
</li>
<li>
<a title="Shows you how to migrate traffic from an old to new version of a service." href="/v0.8/docs/tasks/traffic-management/traffic-shifting/">Traffic Shifting</a>
</li>
<li>
<a title="This task shows you how to setup request timeouts in Envoy using Istio." href="/v0.8/docs/tasks/traffic-management/request-timeouts/">Setting Request Timeouts</a>
</li>
<li>
<a title="Describes how to configure Istio to expose a service outside of the service mesh." href="/v0.8/docs/tasks/traffic-management/ingress/">Control Ingress Traffic</a>
</li>
<li>
<a title="Describes how to configure Istio to expose a service outside of the service mesh, over TLS or Mutual TLS." href="/v0.8/docs/tasks/traffic-management/secure-ingress/">Securing Gateways with HTTPS</a>
</li>
<li>
<span class="current" title="Describes how to configure Istio to route traffic from services in the mesh to external services.">Control Egress Traffic</span>
</li>
<li>
<a title="Describes how to configure Istio to perform TLS origination for traffic to external services" href="/v0.8/docs/tasks/traffic-management/egress-tls-origination/">TLS Origination for Egress Traffic</a>
</li>
<li>
<a title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway service" href="/v0.8/docs/tasks/traffic-management/egress-gateway/">Configure an Egress Gateway</a>
</li>
<li>
<a title="This task demonstrates the circuit-breaking capability for resilient applications" href="/v0.8/docs/tasks/traffic-management/circuit-breaking/">Circuit Breaking</a>
</li>
<li>
<a title="This task demonstrates the traffic shadowing/mirroring capabilities of Istio" href="/v0.8/docs/tasks/traffic-management/mirroring/">Mirroring</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Demonstrates how to secure the mesh." href="/v0.8/docs/tasks/security/">Security </a>
</label>
<ul class="tree collapse">
<li>
<a title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href="/v0.8/docs/tasks/security/authn-policy/">Basic Authentication Policy</a>
</li>
<li>
<a title="Shows you how to verify and test Istio&#39;s automatic mutual TLS authentication." href="/v0.8/docs/tasks/security/mutual-tls/">Testing Mutual TLS</a>
</li>
<li>
<a title="Shows how to control access to a service using the Kubernetes labels." href="/v0.8/docs/tasks/security/basic-access-control/">Basic Access Control</a>
</li>
<li>
<a title="Shows how to securely control access to a service using service accounts." href="/v0.8/docs/tasks/security/secure-access-control/">Secure Access Control</a>
</li>
<li>
<a title="Shows how to set up role-based access control for services in Istio mesh." href="/v0.8/docs/tasks/security/role-based-access-control/">Role-Based Access Control</a>
</li>
<li>
<a title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href="/v0.8/docs/tasks/security/plugin-ca-cert/">Plugging in external CA key and certificate</a>
</li>
<li>
<a title="Shows how to enable Citadel health checking with Kubernetes." href="/v0.8/docs/tasks/security/health-check/">Citadel health checking</a>
</li>
<li>
<a title="Shows how to enable mutual TLS on HTTPS services." href="/v0.8/docs/tasks/security/https-overlay/">Mutual TLS over HTTPS</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Demonstrates policy enforcement features." href="/v0.8/docs/tasks/policy-enforcement/">Policies </a>
</label>
<ul class="tree collapse">
<li>
<a title="This task shows you how to use Istio to dynamically limit the traffic to a service." href="/v0.8/docs/tasks/policy-enforcement/rate-limiting/">Enabling Rate Limits</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Demonstrates how to collect telemetry information from the mesh." href="/v0.8/docs/tasks/telemetry/">Telemetry </a>
</label>
<ul class="tree collapse">
<li>
<a title="How to configure the proxies to send tracing requests to Zipkin or Jaeger" href="/v0.8/docs/tasks/telemetry/distributed-tracing/">Distributed Tracing</a>
</li>
<li>
<a title="This task shows you how to configure Istio to collect metrics and logs." href="/v0.8/docs/tasks/telemetry/metrics-logs/">Collecting Metrics and Logs</a>
</li>
<li>
<a title="This task shows you how to configure Istio to collect metrics for TCP services." href="/v0.8/docs/tasks/telemetry/tcp-metrics/">Collecting Metrics for TCP services</a>
</li>
<li>
<a title="This task shows you how to query for Istio Metrics using Prometheus." href="/v0.8/docs/tasks/telemetry/querying-metrics/">Querying Metrics from Prometheus</a>
</li>
<li>
<a title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href="/v0.8/docs/tasks/telemetry/using-istio-dashboard/">Visualizing Metrics with Grafana</a>
</li>
<li>
<a title="This task shows you how to generate a graph of services within an Istio mesh." href="/v0.8/docs/tasks/telemetry/servicegraph/">Generating a Service Graph</a>
</li>
<li>
<a title="This task shows you how to configure Istio to log to a Fluentd daemon" href="/v0.8/docs/tasks/telemetry/fluentd/">Logging with Fluentd</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header48">
<a data-toggle="collapse" href="#collapse48" title="Guides include a variety of fully working example uses for Istio that you can experiment with." role="button" aria-controls="collapse48">
<div>
Guides
</div>
</a>
</div>
<div id="collapse48" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header48">
<div class="card-body">
<ul class="tree">
<li>
<a title="This guide deploys a sample application composed of four separate microservices which will be used to demonstrate various features of the Istio service mesh." href="/v0.8/docs/guides/bookinfo/">Bookinfo Sample Application</a>
</li>
<li>
<a title="This guide demonstrates how to use various traffic management capabilities of an Istio service mesh." href="/v0.8/docs/guides/intelligent-routing/">Intelligent Routing</a>
</li>
<li>
<a title="This sample demonstrates how to obtain uniform metrics, logs, traces across different services using Istio Mixer and Istio sidecar." href="/v0.8/docs/guides/telemetry/">In-Depth Telemetry</a>
</li>
<li>
<a title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href="/v0.8/docs/guides/endpoints/">Install Istio for Google Cloud Endpoints Services</a>
</li>
<li>
<a title="This sample deploys the Bookinfo services across Kubernetes and a set of virtual machines, and illustrates how to use the Istio service mesh to control this infrastructure as a single mesh." href="/v0.8/docs/guides/integrating-vms/">Integrating Virtual Machines</a>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header77">
<a data-toggle="collapse" href="#collapse77" title="Introduces Performance and Scalability methodology, results and best practices for Istio components." role="button" aria-controls="collapse77">
<div>
Performance and Scalability
</div>
</a>
</div>
<div id="collapse77" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header77">
<div class="card-body">
<ul class="tree">
<li>
<a title="Provides a conceptual introduction to Istio&#39;s Performance and Scalability" href="/v0.8/docs/performance-and-scalability/overview/">Overview</a>
</li>
<li>
<a title="Performance measurement through code level micro-benchmarks." href="/v0.8/docs/performance-and-scalability/microbenchmarks/">Micro Benchmarks</a>
</li>
<li>
<a title="The different scenarios we are tracking for performance and scalability." href="/v0.8/docs/performance-and-scalability/scenarios/">Testing scenarios</a>
</li>
<li>
<a title="Fortio is our simple synthetic http and grpc benchmarking tool." href="/v0.8/docs/performance-and-scalability/synthetic-benchmarks/">Synthetic End to End benchmarks</a>
</li>
<li>
<a title="Performance measurement through realistic micro service application tests." href="/v0.8/docs/performance-and-scalability/realistic-app-benchmark/">Realistic Application Benchmark</a>
</li>
<li>
<a title="How we ensure performance is tracked and improves or does not regress across releases." href="/v0.8/docs/performance-and-scalability/performance-testing-automation/">Automation</a>
</li>
<li>
<a title="Setup of Istio components to scale horizontally. High availability. Sizing guide." href="/v0.8/docs/performance-and-scalability/scalability/">Scalability and Sizing Guide</a>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header85">
<a data-toggle="collapse" href="#collapse85" title="The Reference section contains detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." role="button" aria-controls="collapse85">
<div>
Reference
</div>
</a>
</div>
<div id="collapse85" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header85">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Detailed information on configuration options." href="/v0.8/docs/reference/config/">Configuration </a>
</label>
<ul class="tree collapse">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes how to configure Istio&#39;s policy and telemetry features." href="/v0.8/docs/reference/config/policy-and-telemetry/">Policies and Telemetry </a>
</label>
<ul class="tree collapse">
<li>
<a title="Describes the base attribute vocabulary used for policy and control." href="/v0.8/docs/reference/config/policy-and-telemetry/attribute-vocabulary/">Attribute Vocabulary</a>
</li>
<li>
<a title="Mixer config expression language reference." href="/v0.8/docs/reference/config/policy-and-telemetry/expression-language/">Expression Language</a>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/">Adapters </a>
</label>
<ul class="tree collapse">
<li>
<a title="Adapter for circonus.com&#39;s monitoring solution." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/circonus/">Circonus</a>
</li>
<li>
<a title="Adapter for cloudwatch metrics." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/">CloudWatch</a>
</li>
<li>
<a title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/datadog/">Datadog</a>
</li>
<li>
<a title="Adapter that always returns a precondition denial." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/denier/">Denier</a>
</li>
<li>
<a title="Adapter that delivers logs to a fluentd daemon." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/fluentd/">Fluentd</a>
</li>
<li>
<a title="Adapter that extracts information from a Kubernetes environment." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/">Kubernetes Env</a>
</li>
<li>
<a title="Adapter that performs whitelist or blacklist checks" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/list/">List</a>
</li>
<li>
<a title="Adapter for a simple in-memory quota management system." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/memquota/">Memory quota</a>
</li>
<li>
<a title="Adapter that implements an Open Policy Agent engine" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/opa/">OPA</a>
</li>
<li>
<a title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/prometheus/">Prometheus</a>
</li>
<li>
<a title="Adapter that exposes Istio&#39;s Role-Based Access Control model." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/rbac/">RBAC</a>
</li>
<li>
<a title="Adapter for a Redis-based quota management system." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/redisquota/">Redis Quota</a>
</li>
<li>
<a title="Adapter that delivers logs and metrics to Google Service Control" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/servicecontrol/">Service Control</a>
</li>
<li>
<a title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/solarwinds/">SolarWinds</a>
</li>
<li>
<a title="Adapter to deliver logs and metrics to Stackdriver" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/stackdriver/">Stackdriver</a>
</li>
<li>
<a title="Adapter to deliver metrics to a StatsD backend" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/statsd/">StatsD</a>
</li>
<li>
<a title="Adapter for outputting logs and metrics locally." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/stdio/">Stdio</a>
</li>
</ul>
</li>
<li>
<a title="Default Metrics exported from Istio through Mixer." href="/v0.8/docs/reference/config/policy-and-telemetry/metrics/">Default Metrics</a>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Mixer templates are used to send data to individual adapters." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/">Templates </a>
</label>
<ul class="tree collapse">
<li>
<a title="A template that represents a single API key." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/apikey/">API Key</a>
</li>
<li>
<a title="A template used to represent an access control query." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/authorization/">Authorization</a>
</li>
<li>
<a title="A template that carries no data, useful for testing." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/checknothing/">Check Nothing</a>
</li>
<li>
<a title="A template that is used to control the production of Kubernetes-specific attributes." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/kubernetes/">Kubernetes</a>
</li>
<li>
<a title="A template designed to let you perform list checking operations." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/listentry/">List Entry</a>
</li>
<li>
<a title="A template that represents a single runtime log entry." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/logentry/">Log Entry</a>
</li>
<li>
<a title="A template that represents a single runtime metric." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/metric/">Metric</a>
</li>
<li>
<a title="A template that represents a quota allocation request" href="/v0.8/docs/reference/config/policy-and-telemetry/templates/quota/">Quota</a>
</li>
<li>
<a title="A template that carries no data, useful for testing." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/reportnothing/">Report Nothing</a>
</li>
<li>
<a title="A template used by the Google Service Control adapter." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/servicecontrolreport/">Service Control Report</a>
</li>
</ul>
</li>
<li>
<a title="Describes the rules used to configure Mixer&#39;s policy and telemetry features." href="/v0.8/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/">Rules</a>
</li>
</ul>
</li>
<li>
<a title="Configuration for Role Based Access Control" href="/v0.8/docs/reference/config/istio.rbac.v1alpha1/">RBAC</a>
</li>
<li>
<a title="Configuration affecting traffic routing" href="/v0.8/docs/reference/config/istio.routing.v1alpha1/">Route Rules v1alpha1 (deprecated)</a>
</li>
<li>
<a title="Configuration affecting traffic routing" href="/v0.8/docs/reference/config/istio.networking.v1alpha3/">Route Rules v1alpha3</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes usage and options of the Istio commands and utilities." href="/v0.8/docs/reference/commands/">Commands </a>
</label>
<ul class="tree collapse">
<li>
<a title="Istio Certificate Authority (CA)" href="/v0.8/docs/reference/commands/istio_ca/">istio_ca</a>
</li>
<li>
<a title="Istio control interface" href="/v0.8/docs/reference/commands/istioctl/">istioctl</a>
</li>
<li>
<a title="Utility to trigger direct calls to Mixer&amp;#39;s API." href="/v0.8/docs/reference/commands/mixc/">mixc</a>
</li>
<li>
<a title="Mixer is Istio&amp;#39;s abstraction on top of infrastructure backends." href="/v0.8/docs/reference/commands/mixs/">mixs</a>
</li>
<li>
<a title="Istio security per-node agent" href="/v0.8/docs/reference/commands/node_agent/">node_agent</a>
</li>
<li>
<a title="Istio Pilot agent" href="/v0.8/docs/reference/commands/pilot-agent/">pilot-agent</a>
</li>
<li>
<a title="Istio Pilot" href="/v0.8/docs/reference/commands/pilot-discovery/">pilot-discovery</a>
</li>
<li>
<a title="Kubernetes webhook for automatic Istio sidecar injection" href="/v0.8/docs/reference/commands/sidecar-injector/">sidecar-injector</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
</div>
</nav>
</div>
<div class="col-12 col-md-9 col-xl-8">
<p class="d-md-none">
<label class="sidebar-toggler" data-toggle="offcanvas">
<i class="fa fa-sign-out-alt"></i>
</label>
</p>
<main aria-labelledby="title">
<h1 id="title">Control Egress Traffic</h1>
<nav class="toc-inlined d-xl-none d-print-none" >
<div class="directory" role="directory">
<nav id="InlinedTableOfContents">
<ul>
<li><a href="#before-you-begin">Before you begin</a></li>
<li><a href="#configuring-istio-external-services">Configuring Istio external services</a>
<ul>
<li><a href="#configuring-the-external-services">Configuring the external services</a></li>
<li><a href="#make-requests-to-the-external-services">Make requests to the external services</a></li>
<li><a href="#setting-route-rules-on-an-external-service">Setting route rules on an external service</a></li>
</ul>
</li>
<li><a href="#calling-external-services-directly">Calling external services directly</a>
<ul>
<li><a href="#determine-the-value-of-globalproxyincludeipranges">Determine the value of global.proxy.includeIPRanges</a></li>
<li><a href="#access-the-external-services">Access the external services</a></li>
</ul>
</li>
<li><a href="#understanding-what-happened">Understanding what happened</a></li>
<li><a href="#security-note">Security note</a></li>
<li><a href="#cleanup">Cleanup</a></li>
<li><a href="#whats-next">What's next</a></li>
</ul>
</nav>
</div>
</nav>
<blockquote>
<p>This task uses the new <a href="/v0.8/blog/2018/v1alpha3-routing/">v1alpha3 traffic management API</a>. The old API has been deprecated and will be removed in the next Istio release. If you need to use the old version, follow the docs <a href="https://archive.istio.io/v0.7/docs/tasks/traffic-management/">here</a>.</p>
</blockquote>
<p>By default, Istio-enabled services are unable to access URLs outside of the cluster because
iptables is used in the pod to transparently redirect all outbound traffic to the sidecar proxy,
which only handles intra-cluster destinations.</p>
<p>This task describes how to configure Istio to expose external services to Istio-enabled clients.
You'll learn how to enable access to external services by defining
<a href="/v0.8/docs/reference/config/istio.networking.v1alpha3/#ServiceEntry">ServiceEntry</a> configurations,
or alternatively, to simply bypass the Istio proxy for a specific range of IPs.</p>
<h2 id="before-you-begin">Before you begin</h2>
<ul>
<li>
<p>Setup Istio by following the instructions in the
<a href="/v0.8/docs/setup/">Installation guide</a>.</p>
</li>
<li>
<p>Start the <a href="https://github.com/istio/istio/tree/release-0.8/samples/sleep">sleep</a> sample
which will be used as a test source for external calls.</p>
<p>If you have enabled <a href="/v0.8/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection">automatic sidecar injection</a>, do</p>
<pre><code class="language-command" data-lang="command">$ kubectl apply -f @samples/sleep/sleep.yaml@
</code></pre><p>otherwise, you have to manually inject the sidecar before deploying the <code>sleep</code> application:</p>
<pre><code class="language-command" data-lang="command">$ kubectl apply -f &lt;(istioctl kube-inject -f @samples/sleep/sleep.yaml@)
</code></pre><p>Note that any pod that you can <code>exec</code> and <code>curl</code> from would do.</p>
</li>
</ul>
<h2 id="configuring-istio-external-services">Configuring Istio external services</h2>
<p>Using Istio <code>ServiceEntry</code> configurations, you can access any publicly accessible service
from within your Istio cluster. In this task we will use
<a href="http://httpbin.org">httpbin.org</a> and <a href="https://www.google.com">www.google.com</a> as examples.</p>
<h3 id="configuring-the-external-services">Configuring the external services</h3>
<ol>
<li>
<p>Create an <code>ServiceEntry</code> to allow access to an external HTTP service:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"> cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl create -f -
</span><span style="color:#e6db74"> apiVersion: networking.istio.io/v1alpha3
</span><span style="color:#e6db74"> kind: ServiceEntry
</span><span style="color:#e6db74"> metadata:
</span><span style="color:#e6db74"> name: httpbin-ext
</span><span style="color:#e6db74"> spec:
</span><span style="color:#e6db74"> hosts:
</span><span style="color:#e6db74"> - httpbin.org
</span><span style="color:#e6db74"> ports:
</span><span style="color:#e6db74"> - number: 80
</span><span style="color:#e6db74"> name: http
</span><span style="color:#e6db74"> protocol: HTTP
</span><span style="color:#e6db74"> EOF</span>
</code></pre></div></li>
<li>
<p>Create an <code>ServiceEntry</code> to allow access to an external HTTPS service:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"> cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl create -f -
</span><span style="color:#e6db74"> apiVersion: networking.istio.io/v1alpha3
</span><span style="color:#e6db74"> kind: ServiceEntry
</span><span style="color:#e6db74"> metadata:
</span><span style="color:#e6db74"> name: google-ext
</span><span style="color:#e6db74"> spec:
</span><span style="color:#e6db74"> hosts:
</span><span style="color:#e6db74"> - www.google.com
</span><span style="color:#e6db74"> ports:
</span><span style="color:#e6db74"> - number: 443
</span><span style="color:#e6db74"> name: https
</span><span style="color:#e6db74"> protocol: HTTPS
</span><span style="color:#e6db74"> EOF</span>
</code></pre></div></li>
</ol>
<h3 id="make-requests-to-the-external-services">Make requests to the external services</h3>
<ol>
<li>
<p>Exec into the pod being used as the test source. For example,
if you are using the sleep service, run the following commands:</p>
<pre><code class="language-command" data-lang="command">$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
$ kubectl exec -it $SOURCE_POD -c sleep bash
</code></pre></li>
<li>
<p>Make a request to the external HTTP service:</p>
<pre><code class="language-command" data-lang="command">$ curl http://httpbin.org/headers
</code></pre></li>
<li>
<p>Make a request to the external HTTPS service:</p>
<pre><code class="language-command" data-lang="command">$ curl https://www.google.com
</code></pre></li>
</ol>
<h3 id="setting-route-rules-on-an-external-service">Setting route rules on an external service</h3>
<p>Similar to inter-cluster requests, Istio
<a href="/v0.8/docs/concepts/traffic-management/rules-configuration/">routing rules</a>
can also be set for external services that are accessed using <code>ServiceEntry</code> configurations.
To illustrate we will use <a href="/v0.8/docs/reference/commands/istioctl/">istioctl</a>
to set a timeout rule on calls to the httpbin.org service.</p>
<ol>
<li>
<p>From inside the pod being used as the test source, invoke the <code>/delay</code> endpoint of the httpbin.org external service:</p>
<pre><code class="language-command" data-lang="command">$ kubectl exec -it $SOURCE_POD -c sleep bash
$ time curl -o /dev/null -s -w &quot;%{http_code}\n&quot; http://httpbin.org/delay/5
200
real 0m5.024s
user 0m0.003s
sys 0m0.003s
</code></pre><p>The request should return 200 (OK) in approximately 5 seconds.</p>
</li>
<li>
<p>Exit the source pod and use <code>istioctl</code> to set a 3s timeout on calls to the httpbin.org external service:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"> cat <span style="color:#e6db74">&lt;&lt;EOF | istioctl create -f -
</span><span style="color:#e6db74"> apiVersion: networking.istio.io/v1alpha3
</span><span style="color:#e6db74"> kind: VirtualService
</span><span style="color:#e6db74"> metadata:
</span><span style="color:#e6db74"> name: httpbin-ext
</span><span style="color:#e6db74"> spec:
</span><span style="color:#e6db74"> hosts:
</span><span style="color:#e6db74"> - httpbin.org
</span><span style="color:#e6db74"> http:
</span><span style="color:#e6db74"> - timeout: 3s
</span><span style="color:#e6db74"> route:
</span><span style="color:#e6db74"> - destination:
</span><span style="color:#e6db74"> host: httpbin.org
</span><span style="color:#e6db74"> weight: 100
</span><span style="color:#e6db74"> EOF</span>
</code></pre></div></li>
<li>
<p>Wait a few seconds, then issue the <em>curl</em> request again:</p>
<pre><code class="language-command" data-lang="command">$ kubectl exec -it $SOURCE_POD -c sleep bash
$ time curl -o /dev/null -s -w &quot;%{http_code}\n&quot; http://httpbin.org/delay/5
504
real 0m3.149s
user 0m0.004s
sys 0m0.004s
</code></pre><p>This time a 504 (Gateway Timeout) appears after 3 seconds.
Although httpbin.org was waiting 5 seconds, Istio cut off the request at 3 seconds.</p>
</li>
</ol>
<h2 id="calling-external-services-directly">Calling external services directly</h2>
<p>If you want to completely bypass Istio for a specific IP range,
you can configure the Envoy sidecars to prevent them from
<a href="/v0.8/docs/concepts/traffic-management/request-routing/#communication-between-services">intercepting</a>
the external requests. This can be done by setting the <code>global.proxy.includeIPRanges</code> variable of
<a href="/v0.8/docs/setup/kubernetes/helm-install/#customization-with-helm">Helm</a> and updating the <code>ConfigMap</code> <em>istio-sidecar-injector</em> by <code>kubectl apply</code>. After <em>istio-sidecar-injector</em> is updated, the value of <code>global.proxy.includeIPRanges</code> will affect all the future deployments of the application pods.</p>
<p>The simplest way to use the <code>global.proxy.includeIPRanges</code> variable is to pass it the IP range(s)
used for internal cluster services, thereby excluding external IPs from being redirected
to the sidecar proxy.
The values used for internal IP range(s), however, depends on where your cluster is running.
For example, with Minikube the range is 10.0.0.1/24, so you would update your <code>ConfigMap</code> <em>istio-sidecar-injector</em> like this:</p>
<pre><code class="language-command" data-lang="command">$ helm template @install/kubernetes/helm/istio@ &lt;the flags you used to install Istio&gt; --set global.proxy.includeIPRanges=&quot;10.0.0.1/24&quot; -x @templates/sidecar-injector-configmap.yaml@ | kubectl apply -f -
</code></pre><p>Note that you should use the same Helm command you used <a href="/v0.8/docs/setup/kubernetes/helm-install">to install Istio</a>,
in particular, the same value of the <code>--namespace</code> flag. In addition to the flags you used to install Istio, add <code>--set global.proxy.includeIPRanges=&quot;10.0.0.1/24&quot; -x templates/sidecar-injector-configmap.yaml</code>.</p>
<p>Redeploy the <em>sleep</em> application as described in the <a href="/v0.8/docs/tasks/traffic-management/egress/#before-you-begin">Before you begin</a> section.</p>
<h3 id="determine-the-value-of-globalproxyincludeipranges">Determine the value of <code>global.proxy.includeIPRanges</code></h3>
<p>Set the value of <code>global.proxy.includeIPRanges</code> according to your cluster provider.</p>
<h4 id="ibm-cloud-private">IBM Cloud Private</h4>
<ol>
<li>
<p>Get your <code>service_cluster_ip_range</code> from IBM Cloud Private configuration file under <code>cluster/config.yaml</code>.</p>
<pre><code class="language-command" data-lang="command">$ cat cluster/config.yaml | grep service_cluster_ip_range
</code></pre><p>A sample output is as following:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-plain" data-lang="plain">service_cluster_ip_range: 10.0.0.1/24
</code></pre></div></li>
<li>
<p>Use <code>--set global.proxy.includeIPRanges=&quot;10.0.0.1/24&quot;</code></p>
</li>
</ol>
<h4 id="ibm-cloud-kubernetes-service">IBM Cloud Kubernetes Service</h4>
<p>Use <code>--set global.proxy.includeIPRanges=&quot;172.30.0.0/16\,172.20.0.0/16\,10.10.10.0/24&quot;</code></p>
<h4 id="google-container-engine-gke">Google Container Engine (GKE)</h4>
<p>The ranges are not fixed, so you will need to run the <code>gcloud container clusters describe</code> command to determine the ranges to use. For example:</p>
<pre><code class="language-command" data-lang="command">$ gcloud container clusters describe XXXXXXX --zone=XXXXXX | grep -e clusterIpv4Cidr -e servicesIpv4Cidr
clusterIpv4Cidr: 10.4.0.0/14
servicesIpv4Cidr: 10.7.240.0/20
</code></pre><p>Use <code>--set global.proxy.includeIPRanges=&quot;10.4.0.0/14\,10.7.240.0/20&quot;</code></p>
<h4 id="azure-container-serviceacs">Azure Container Service(ACS)</h4>
<p>Use <code>--set global.proxy.includeIPRanges=&quot;10.244.0.0/16\,10.240.0.0/16</code></p>
<h4 id="minikube">Minikube</h4>
<p>Use <code>--set global.proxy.includeIPRanges=&quot;10.0.0.1/24&quot;</code></p>
<h3 id="access-the-external-services">Access the external services</h3>
<p>After updating the <code>ConfigMap</code> <em>istio-sidecar-injector</em> and redeploying the <em>sleep</em> application,
the Istio sidecar will only intercept and manage internal requests
within the cluster. Any external request will simply bypass the sidecar and go straight to its intended
destination.</p>
<pre><code class="language-command" data-lang="command">$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
$ kubectl exec -it $SOURCE_POD -c sleep curl http://httpbin.org/headers
</code></pre><h2 id="understanding-what-happened">Understanding what happened</h2>
<p>In this task we looked at two ways to call external services from an Istio mesh:</p>
<ol>
<li>
<p>Using a <code>ServiceEntry</code> (recommended)</p>
</li>
<li>
<p>Configuring the Istio sidecar to exclude external IPs from its remapped IP table</p>
</li>
</ol>
<p>The first approach (<code>ServiceEntry</code>) allows
you to use all of the same Istio service mesh features for calls to services within or outside
of the cluster. We demonstrated this by setting a timeout rule for calls to an external service.</p>
<p>The second approach bypasses the Istio sidecar proxy, giving your services direct access to any
external URL. However, configuring the proxy this way does require
cloud provider specific knowledge and configuration.</p>
<h2 id="security-note">Security note</h2>
<p><img src="/v0.8/img/exclamation-mark.svg" alt="Warning" title="Warning" style="width: 2rem; display:inline" /> Note that configuration examples in this task <strong>do not enable secure egress traffic control</strong> in
Istio.
A malicious application can bypass the Istio sidecar proxy and access any external service without Istio control.</p>
<p>To implement egress traffic control in a secure way, you must <a href="/v0.8/docs/tasks/traffic-management/egress-gateway">direct egress traffic through an egress gateway</a> and address the security concerns expressed in
<a href="/v0.8/docs/tasks/traffic-management/egress-gateway#additional-security-considerations">Configure an Egress Gateway task, Additional Security Considerations</a>.</p>
<h2 id="cleanup">Cleanup</h2>
<ol>
<li>
<p>Remove the rules.</p>
<pre><code class="language-command" data-lang="command">$ istioctl delete serviceentry httpbin-ext google-ext
$ istioctl delete virtualservice httpbin-ext
</code></pre></li>
<li>
<p>Shutdown the <a href="https://github.com/istio/istio/tree/release-0.8/samples/sleep">sleep</a> service.</p>
<pre><code class="language-command" data-lang="command">$ kubectl delete -f @samples/sleep/sleep.yaml@
</code></pre></li>
<li>
<p>Update the <code>ConfigMap</code> <em>istio-sidecar-injector</em> to redirect all outbound traffic to the sidecar proxies:</p>
<pre><code class="language-command" data-lang="command">$ helm template @install/kubernetes/helm/istio@ &lt;the flags you used to install Istio&gt; -x @templates/sidecar-injector-configmap.yaml@ | kubectl apply -f -
</code></pre></li>
</ol>
<h2 id="whats-next">What's next</h2>
<ul>
<li>
<p>Learn more about <a href="/v0.8/docs/concepts/traffic-management/rules-configuration/#service-entries">service entries</a>.</p>
</li>
<li>
<p>Learn how to setup
<a href="/v0.8/docs/reference/config/istio.networking.v1alpha3/#HTTPRoute.timeout">timeouts</a>,
<a href="/v0.8/docs/reference/config/istio.networking.v1alpha3/#HTTPRoute.retries">retries</a>,
and <a href="/v0.8/docs/reference/config/istio.networking.v1alpha3/#OutlierDetection">circuit breakers</a> for egress traffic.</p>
</li>
</ul>
</main>
<div class="container-fluid d-print-none">
<br/><hr/><br/>
<div class="row">
<div class="col-6">
<a title="Describes how to configure Istio to expose a service outside of the service mesh, over TLS or Mutual TLS." href="/v0.8/docs/tasks/traffic-management/secure-ingress/"><i class="fa fa-arrow-left"></i> Securing Gateways with HTTPS</a>
</div>
<div class="col-6" style="text-align: right">
<a title="Describes how to configure Istio to perform TLS origination for traffic to external services" href="/v0.8/docs/tasks/traffic-management/egress-tls-origination/">TLS Origination for Egress Traffic <i class="fa fa-arrow-right"></i></a>
</div>
</div>
</div>
<div class="d-none d-print-block" aria-hidden="true">
<h2>Links</h2>
<ol id="endnotes"></ol>
</div>
</div>
<div class="col-12 col-md-2 d-none d-xl-block d-print-none">
<nav class="toc">
<div class="spacer"></div>
<div id="toc" class="directory" role="directory">
<nav id="TableOfContents">
<ul>
<li><a href="#before-you-begin">Before you begin</a></li>
<li><a href="#configuring-istio-external-services">Configuring Istio external services</a>
<ul>
<li><a href="#configuring-the-external-services">Configuring the external services</a></li>
<li><a href="#make-requests-to-the-external-services">Make requests to the external services</a></li>
<li><a href="#setting-route-rules-on-an-external-service">Setting route rules on an external service</a></li>
</ul>
</li>
<li><a href="#calling-external-services-directly">Calling external services directly</a>
<ul>
<li><a href="#determine-the-value-of-globalproxyincludeipranges">Determine the value of global.proxy.includeIPRanges</a></li>
<li><a href="#access-the-external-services">Access the external services</a></li>
</ul>
</li>
<li><a href="#understanding-what-happened">Understanding what happened</a></li>
<li><a href="#security-note">Security note</a></li>
<li><a href="#cleanup">Cleanup</a></li>
<li><a href="#whats-next">What's next</a></li>
</ul>
</nav>
</div>
</nav>
</div>
</div>
</div>
<footer class="d-print-none container-fluid">
<div class="row">
<div class="col-6 col-lg-4" role="navigation">
<div class="container-fluid">
<div class="row">
<div class="icon">
<span>istio-users@</span>
<a title="Join the istio-users@ mailing list to participate in discussions and get help troubleshooting problems"
href="https://groups.google.com/forum/#!forum/istio-users" aria-label="istio-users mailing list">
<svg viewBox="0 0 490 490">
<path d="M480,410.248H10c-5.523,0-10-4.477-10-10V89.752c0-5.523,4.477-10,10-10h470c5.522,0,10,4.477,10,10v310.495
C490,405.771,485.522,410.248,480,410.248z M20,390.248h450V99.752H20V390.248z"/>
<path d="M245,286.131c-2.083,0-4.167-0.649-5.931-1.948L48.64,143.929c-4.446-3.275-5.396-9.535-2.121-13.982
c3.275-4.447,9.535-5.396,13.982-2.121L245,263.712l184.5-135.886c4.447-3.274,10.709-2.326,13.982,2.121
c3.275,4.447,2.325,10.707-2.121,13.982L250.931,284.183C249.167,285.482,247.083,286.131,245,286.131z"/>
</svg>
</a>
</div>
<div class="icon">
<span>twitter</span>
<a title="Follow us on Twitter to get the latest news"
href="https://twitter.com/IstioMesh" aria-label="Twitter">
<svg viewBox="0 0 310 310">
<path d="M302.973,57.388c-4.87,2.16-9.877,3.983-14.993,5.463c6.057-6.85,10.675-14.91,13.494-23.73
c0.632-1.977-0.023-4.141-1.648-5.434c-1.623-1.294-3.878-1.449-5.665-0.39c-10.865,6.444-22.587,11.075-34.878,13.783
c-12.381-12.098-29.197-18.983-46.581-18.983c-36.695,0-66.549,29.853-66.549,66.547c0,2.89,0.183,5.764,0.545,8.598
C101.163,99.244,58.83,76.863,29.76,41.204c-1.036-1.271-2.632-1.956-4.266-1.825c-1.635,0.128-3.104,1.05-3.93,2.467
c-5.896,10.117-9.013,21.688-9.013,33.461c0,16.035,5.725,31.249,15.838,43.137c-3.075-1.065-6.059-2.396-8.907-3.977
c-1.529-0.851-3.395-0.838-4.914,0.033c-1.52,0.871-2.473,2.473-2.513,4.224c-0.007,0.295-0.007,0.59-0.007,0.889
c0,23.935,12.882,45.484,32.577,57.229c-1.692-0.169-3.383-0.414-5.063-0.735c-1.732-0.331-3.513,0.276-4.681,1.597
c-1.17,1.32-1.557,3.16-1.018,4.84c7.29,22.76,26.059,39.501,48.749,44.605c-18.819,11.787-40.34,17.961-62.932,17.961
c-4.714,0-9.455-0.277-14.095-0.826c-2.305-0.274-4.509,1.087-5.294,3.279c-0.785,2.193,0.047,4.638,2.008,5.895
c29.023,18.609,62.582,28.445,97.047,28.445c67.754,0,110.139-31.95,133.764-58.753c29.46-33.421,46.356-77.658,46.356-121.367
c0-1.826-0.028-3.67-0.084-5.508c11.623-8.757,21.63-19.355,29.773-31.536c1.237-1.85,1.103-4.295-0.33-5.998
C307.394,57.037,305.009,56.486,302.973,57.388z"/>
</svg>
</a>
</div>
<div class="icon">
<span>stack overflow</span>
<a title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio"
href="https://stackoverflow.com/questions/tagged/istio" aria-label="Stack Overflow">
<svg viewBox="0 0 120 120">
<polygon points="84.4,93.8 84.4,70.6 92.1,70.6 92.1,101.5 22.6,101.5 22.6,70.6 30.3,70.6 30.3,93.8 "/>
<path d="M38.8,68.4l37.8,7.9l1.6-7.6l-37.8-7.9L38.8,68.4z M43.8,50.4l35,16.3l3.2-7l-35-16.4L43.8,50.4z M53.5,33.2
l29.7,24.7l4.9-5.9L58.4,27.3L53.5,33.2z M72.7,14.9l-6.2,4.6l23,31l6.2-4.6L72.7,14.9z M38,86h38.6v-7.7H38V86z"/>
</svg>
</a>
</div>
<div class="icon">
<span>rocket chat</span>
<a title="Interactively chat with members of the Istio community."
href="https://istio.rocket.chat" aria-label="Rocket Chat">
<svg viewBox="0 0 512 512">
<path d="M496.293,255.338c0-24.103-7.21-47.215-21.437-68.699c-12.771-19.288-30.666-36.362-53.184-50.745
c-43.474-27.771-100.612-43.065-160.885-43.065c-20.131,0-39.974,1.702-59.222,5.072c-11.942-11.176-25.919-21.233-40.712-29.187
c-79.026-38.298-144.561-0.9-144.561-0.9s60.931,50.053,51.023,93.93c-27.259,27.041-42.033,59.646-42.033,93.594
c0,0.108,0.005,0.216,0.006,0.324c-0.001,0.108-0.006,0.216-0.006,0.324c0,33.949,14.774,66.554,42.033,93.595
c9.907,43.874-51.023,93.93-51.023,93.93s65.535,37.397,144.561-0.901c14.792-7.953,28.77-18.01,40.712-29.188
c19.249,3.372,39.091,5.072,59.222,5.072c60.272,0,117.411-15.294,160.885-43.064c22.518-14.383,40.412-31.457,53.184-50.742
c14.227-21.487,21.437-44.599,21.437-68.702c0-0.107-0.006-0.216-0.006-0.324C496.287,255.554,496.293,255.446,496.293,255.338z
M260.882,387.763c-25.367,0-49.66-2.932-72.107-8.282c-22.81,27.443-72.993,65.596-121.742,53.26
c15.857-17.031,39.352-45.81,34.32-93.207c-29.218-22.738-46.759-51.832-46.759-83.541c0-72.776,92.36-131.769,206.288-131.769
c113.928,0,206.288,58.993,206.288,131.769C467.17,328.765,374.81,387.763,260.882,387.763z M288.283,255.991
c0,15.133-12.27,27.403-27.4,27.403c-15.134,0-27.402-12.271-27.402-27.403s12.268-27.401,27.402-27.401
C276.014,228.59,288.283,240.858,288.283,255.991z M356.163,228.59c-15.133,0-27.4,12.268-27.4,27.401s12.268,27.403,27.4,27.403
c15.134,0,27.399-12.271,27.399-27.403S371.297,228.59,356.163,228.59z M165.601,228.59c-15.133,0-27.4,12.268-27.4,27.401
s12.268,27.403,27.4,27.403c15.134,0,27.401-12.271,27.401-27.403S180.735,228.59,165.601,228.59z"/>
</svg>
</a>
</div>
</div>
<div class="tag row d-none d-lg-flex">
for users
</div>
</div>
</div>
<div class="col-6 col-lg-4">
<p class="text-center copyright" role="contentinfo">
Istio
Archive
0.8<br>&copy; 2018 Istio Authors, <a href="https://policies.google.com/privacy">Privacy Policy</a><br>
Archived on July 31, 2018
</p>
</div>
<div class="col-6 col-lg-4 d-none d-lg-flex" role="navigation">
<div class="container-fluid">
<div class="row justify-content-end">
<div class="icon">
<span>istio-dev@</span>
<a title="Join the istio-dev@ mailing list to discuss development issues around the Istio project"
href="https://groups.google.com/forum/#!forum/istio-dev" aria-label="istio-dev mailing list">
<svg viewBox="0 0 490 490">
<path d="M480,410.248H10c-5.523,0-10-4.477-10-10V89.752c0-5.523,4.477-10,10-10h470c5.522,0,10,4.477,10,10v310.495
C490,405.771,485.522,410.248,480,410.248z M20,390.248h450V99.752H20V390.248z"/>
<path d="M245,286.131c-2.083,0-4.167-0.649-5.931-1.948L48.64,143.929c-4.446-3.275-5.396-9.535-2.121-13.982
c3.275-4.447,9.535-5.396,13.982-2.121L245,263.712l184.5-135.886c4.447-3.274,10.709-2.326,13.982,2.121
c3.275,4.447,2.325,10.707-2.121,13.982L250.931,284.183C249.167,285.482,247.083,286.131,245,286.131z"/>
</svg>
</a>
</div>
<div class="icon">
<span>github</span>
<a title="GitHub is where development takes place on Istio code"
href="https://github.com/istio/community" aria-label="GitHub">
<svg viewBox="0 0 478.165 478.165">
<path d="M349.22,55.768c6.136,14.046,10.241,37.556,4.224,54.69
c24.426,20.999,33.073,71.904,21.079,113.704c35.006,2.73,76.666-1.235,103.642,9.484c-25.183-3.248-59.651-9.563-91.987-7.431
c-6.136,0.458-15.361-0.239-14.903,8.408c37.735,3.008,75.092,6.117,105.894,15.779c-30.702-4.981-67.74-12.552-105.894-13.668
c-15.54,30.921-47.239,46.262-90.991,49.49c4.682,10.261,13.847,14.066,15.879,30.702c3.267,24.406-4.881,60.328,3.208,76.686
c4.064,7.89,10.579,8.009,14.863,14.604c-10.699,12.871-37.257-1.395-40.186-14.604c-5.14-22.852,7.89-58.256-6.415-73.737
c0.996,24.865-5.718,59.85,0.996,82.145c2.789,8.806,10.659,12.113,8.647,20.063c-49.809,5.08-28.989-64.373-37.177-105.356
c-7.471,0.697-4.204,11.197-4.224,15.76c-0.199,40.106,8.189,94.836-34.846,89.556c-1.315-8.348,5.838-11.217,8.467-19.007
c7.91-22.434-1.454-56.045,2.112-83.161c-16.417,12.512,1.793,55.666-8.428,77.961c-5.838,12.671-24.785,18.27-39.19,12.651
c1.873-9.464,11.695-7.989,15.879-16.875c5.818-12.452,0.02-30.244,2.092-48.494c-30.423,6.097-53.993-0.877-65.608-20.023
c-5.12-8.507-6.356-18.708-12.632-26.219c-6.117-7.551-16.098-8.507-19.087-18.808c37.755-9.185,39.17,38.771,73.06,39.807
c10.44,0.418,15.799-2.909,25.402-5.16c2.749-12.113,8.428-21.039,16.875-27.494c-42.078-5.658-76.865-18.788-93.023-50.466
c-38.293,1.893-73.339,7.013-105.894,14.843c29.547-10.679,65.807-14.604,104.778-15.819c-2.351-13.807-22.434-10.022-34.866-9.543
C47.677,227.17,18.449,230.138,0,233.645c26.817-9.543,64.233-8.348,100.454-8.428c-11.038-34.767-7.232-90.014,17.015-110.615
c-6.854-17.254-4.722-45.346,4.184-58.834c27.036,1.175,43.374,12.891,60.388,24.247c21.019-6.017,43.035-9.045,71.904-7.451
c12.133,0.677,24.705,6.097,33.731,5.32c8.906-0.877,18.728-10.898,27.534-14.843C326.507,58.099,336.17,56.206,349.22,55.768z"/>
</svg>
</a>
</div>
<div class="icon">
<span>drive</span>
<a title="Access our team drive if you'd like to take a look at the Istio technical design documents"
href="https://groups.google.com/forum/#!forum/istio-team-drive-access" aria-label="team drive">
<svg viewBox="0 0 207.027 207.027">
<path d="M69.866,15.557L0,138.919l28.732,52.552l143.288-0.029l35.008-59.588L136.39,15.735L69.866,15.557z M17.166,139.046
L74.268,38.205L91.21,67.783L33.24,168.447L17.166,139.046z M99.841,82.851l23.805,41.558l-47.732-0.006L99.841,82.851z
M163.434,176.443l-117.332,0.024l21.53-37.065l64.606,0.008l0.067,0.119l52.865-0.085L163.434,176.443z M140.932,124.411
L90.157,35.767l-2.966-5.178l40.751,0.121l57.003,93.706L140.932,124.411z"/>
</svg>
</a>
</div>
<div class="icon">
<span>working groups</span>
<a title="If you'd like to contribute to the Istio project, consider participating in our working groups"
href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md" aria-label="working groups">
<svg viewBox="0 -45 439.833 439.833">
<polygon points="246.048,195.833 299.966,235.085 319.497,227.296 276.278,195.833"/>
<polygon points="193.786,195.833 163.556,195.833 120.33,227.3 139.862,235.089"/>
<path d="M219.927,11.558c-23.854,0-37.057,12.362-36.814,36.182c0.348,32.623,14.211,52.414,36.814,52.068
c0,0,36.802,1.492,36.802-52.068C256.729,23.918,244.294,11.558,219.927,11.558z"/>
<path d="M285.017,124.567l-36.77-14.659l-8.608-7.256c-2.274-1.922-5.636-1.78-7.741,0.317l-11.973,11.904l-12.008-11.907
c-2.109-2.094-5.465-2.229-7.736-0.313l-8.611,7.256l-36.77,14.661c-11.842,4.715-11.83,46.647-12.848,50.497h155.93
C296.866,171.228,296.862,129.28,285.017,124.567z"/>
<path d="M77.976,228.568c0,0,36.801,1.492,36.801-52.068c0-23.82-12.434-36.182-36.801-36.182
c-23.854,0-37.057,12.362-36.814,36.182C41.509,209.124,55.372,228.915,77.976,228.568z"/>
<path d="M143.065,253.329l-36.77-14.658l-8.609-7.256c-2.275-1.923-5.635-1.781-7.742,0.315l-11.971,11.904l-12.008-11.908
c-2.109-2.094-5.465-2.229-7.736-0.312l-8.611,7.256l-36.77,14.66C1.006,258.045,1.018,299.977,0,303.827h155.93
C154.915,299.988,154.911,258.042,143.065,253.329z"/>
<path d="M361.878,228.568c0,0,36.801,1.492,36.801-52.068c0-23.82-12.434-36.182-36.801-36.182
c-23.854,0-37.057,12.362-36.812,36.182C325.411,209.124,339.274,228.915,361.878,228.568z"/>
<path d="M426.968,253.329l-36.77-14.658l-8.609-7.256c-2.273-1.923-5.635-1.781-7.742,0.315l-11.971,11.904l-12.008-11.908
c-2.109-2.094-5.465-2.229-7.736-0.312l-8.61,7.256l-36.771,14.66c-11.842,4.715-11.83,46.646-12.848,50.497h155.93
C438.817,299.988,438.812,258.042,426.968,253.329z"/>
</svg>
</a>
</div>
<div class="icon">
<span>slack</span>
<a title="Interactively discuss development issues with the Istio community on Slack (invitation-only)"
href="https://istio.slack.com" aria-label="slack">
<svg viewBox="0 0 31.444 31.443">
<path d="M31.202,16.369c-0.62-1.388-2.249-2.011-3.637-1.391l-1.325,0.594l-3.396-7.591l1.325-0.592
c1.388-0.622,2.01-2.25,1.389-3.637c-0.62-1.389-2.248-2.012-3.637-1.39l-1.324,0.593l-0.593-1.326
c-0.621-1.388-2.249-2.009-3.637-1.388c-1.388,0.62-2.009,2.247-1.389,3.637l0.593,1.325L7.98,8.598L7.388,7.273
c-0.621-1.39-2.249-2.009-3.637-1.39C2.363,6.504,1.742,8.132,2.362,9.52l0.592,1.324L1.63,11.438
c-1.388,0.621-2.01,2.247-1.389,3.636c0.62,1.388,2.249,2.01,3.637,1.39l1.325-0.594l3.394,7.592l-1.325,0.592
c-1.388,0.621-2.009,2.25-1.389,3.637c0.621,1.389,2.249,2.011,3.637,1.391l1.324-0.593l0.593,1.325
c0.621,1.389,2.249,2.01,3.637,1.389c1.387-0.62,2.009-2.248,1.388-3.636l-0.591-1.326l7.591-3.394l0.592,1.321
c0.621,1.391,2.248,2.013,3.637,1.392c1.388-0.619,2.01-2.248,1.389-3.637l-0.592-1.324l1.323-0.594
C31.201,19.384,31.823,17.757,31.202,16.369z M13.623,21.215l-3.395-7.593l7.591-3.394l3.395,7.591L13.623,21.215z"/>
</svg>
</a>
</div>
</div>
<div class="tag row justify-content-end text-right">
for developers
</div>
</div>
</div>
</div>
</footer>
<div class="d-xl-none d-print-none">
<button id="scroll-to-top" aria-hidden="true" onclick="scrollToTop()" title="Back to top"><i class="fa fa-lg fa-arrow-up"></i></button>
</div>
<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script>
<script src="https://www.google.com/cse/brand?form=search_form"></script>
<script src="/v0.8/js/all.min.js" data-manual></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink