istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/docs/tasks/traffic-management/egress-tcp.md

5.1 KiB
Raw Blame History

title description weight
Control Egress TCP Traffic Describes how to configure Istio to route TCP traffic from services in the mesh to external services. 41

This task uses the new v1alpha3 traffic management API. The old API has been deprecated and will be removed in the next Istio release. If you need to use the old version, follow the docs here.

The Control Egress Traffic task demonstrates how external (outside the Kubernetes cluster) HTTP and HTTPS services can be accessed from applications inside the mesh. A quick reminder: by default, Istio-enabled applications are unable to access URLs outside the cluster. To enable such access, a ServiceEntry for the external service must be defined, or, alternatively, direct access to external services must be configured.

This task describes how to configure Istio to expose external TCP services to applications inside the Istio service mesh.

Before you begin

  • Setup Istio by following the instructions in the Installation guide.

  • Start the sleep sample application which will be used as a test source for external calls.

    $ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@)

    Note: any pod that you can execute curl from is good enough.

Using Istio service entries to enable external TCP traffic

In this task we access wikipedia.org by HTTPS originated from the application. This task demonstrates the use case where an application cannot use HTTP with TLS origination by the sidecar proxy. Using HTTP with TLS origination by the sidecar proxy is described in the Control Egress Traffic task. In that task, https://google.com was accessed by issuing HTTP requests to http://www.google.com:443.

The HTTPS traffic originated from the application will be treated by Istio as opaque TCP. To enable such traffic, we define a TCP ServiceEntry on port 443. In TCP service entries, as opposed to HTTP-based ones, the destinations are specified by IPs or by blocks of IPs in CIDR notation.

Let's assume for the sake of this example that we want to access wikipedia.org by the domain name. This means that we have to specify all the IPs of wikipedia.org in our TCP ServiceEntry. Fortunately, the IPs of wikipedia.org are published here. It is a list of IP blocks in CIDR notation: 91.198.174.192/27, 103.102.166.224/27, and more.

Creating a service entry

Let's create a ServiceEntry to enable TCP access to wikipedia.org:

cat <<EOF | istioctl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: wikipedia-ext
spec:
  hosts:
  - wikipedia.org
  addresses:
  - 91.198.174.192/27
  - 103.102.166.224/27
  - 198.35.26.96/27
  - 208.80.153.224/27
  - 208.80.154.224/27
  ports:
  - number: 443
    protocol: TCP
    name: tcp-port
  resolution: NONE
EOF

This command instructs the Istio proxy to forward requests on port 443 of any of the wikipedia.org IP addresses to the same IP address to which the connection was bound.

Access wikipedia.org by HTTPS

  1. kubectl exec into the pod to be used as the test source. If you are using the sleep application, run the following command:

    $ kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c sleep bash

  2. Make a request and verify that we can access https://www.wikipedia.org successfully:

    $ curl -o /dev/null -s -w "%{http_code}\n" https://www.wikipedia.org
200

    We should see 200 printed as the output, which is the HTTP code OK.

  3. Now let's fetch the current number of the articles available on Wikipedia in the English language:

    $ curl -s https://en.wikipedia.org/wiki/Main_Page | grep articlecount | grep 'Special:Statistics'
<div id="articlecount" style="font-size:85%;"><a href="/wiki/Special:Statistics" title="Special:Statistics">5,563,121</a> articles in <a  href="/wiki/English_language" title="English language">English</a></div>

    This means there were 5,563,121 articles in Wikipedia in English when this task was written.

Cleanup

  1. Remove the ServiceEntry we created.

    $ istioctl delete serviceentry wikipedia-ext

  2. Shutdown the sleep application.

    $ kubectl delete -f @samples/sleep/sleep.yaml@

What's next