istio.io/archive/v1.8/blog/2018/egress-mongo/index.html

href=/v1.8/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card3 title="Blog posts for 2017." aria-controls=card3-body><svg class="icon blog"><use xlink:href="/v1.8/img/icons.svg#blog"/></svg>2017 Posts</button><div class=body aria-labelledby=card3 role=region id=card3-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card3><li role=none><a role=treeitem title="Improving availability and reducing latency (December 7, 2017)" href=/v1.8/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture (November 3, 2017)" href=/v1.8/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="How Kubernetes Network Policy relates to Istio policy (August 10, 2017)" href=/v1.8/blog/2017/0.1-using-network-policy/>Using Network Policy with Istio</a></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments (June 14, 2017)" href=/v1.8/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Authentication 0.1 announcement (May 25, 2017)" href=/v1.8/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon pull"><use xlink:href="/v1.8/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.8/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.8/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.8/blog/2018/ title="Blog posts for 2018.">2018 Posts</a></li><li>Consuming External MongoDB Services</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Consuming External MongoDB 
Services</h1><p class=subtitle>Istio Egress Control Options for MongoDB traffic</p><p class=byline><span>By</span>
<span class=attribution>Vadim Eisenberg</span><span> | </span><span><svg class="icon calendar"><use xlink:href="/v1.8/img/icons.svg#calendar"/></svg><span>&nbsp;</span>November 16, 2018<span>&nbsp;</span>(updated on November 12, 2019)</span><span> | </span><span title="4590 words"><svg class="icon clock"><use xlink:href="/v1.8/img/icons.svg#clock"/></svg><span>&nbsp;</span>22 minute read</span>
<span>&nbsp;</span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Bookinfo with external ratings database"><a href=#bookinfo-with-external-ratings-database>Bookinfo with external ratings database</a><ol><li role=none aria-label="Setting up the ratings database"><a href=#setting-up-the-ratings-database>Setting up the ratings database</a><li role=none aria-label="Initial setting of Bookinfo application"><a href=#initial-setting-of-bookinfo-application>Initial setting of Bookinfo application</a><li role=none aria-label="Use the external database in Bookinfo application"><a href=#use-the-external-database-in-bookinfo-application>Use the external database in Bookinfo application</a><li role=none aria-label="Access the webpage"><a href=#access-the-webpage>Access the webpage</a></ol></li><li role=none aria-label="Egress control for TCP"><a href=#egress-control-for-tcp>Egress control for TCP</a><ol><li role=none aria-label="Control TCP egress traffic without a gateway"><a href=#control-tcp-egress-traffic-without-a-gateway>Control TCP egress traffic without a gateway</a><li role=none aria-label="Direct TCP Egress traffic through an egress gateway"><a href=#direct-tcp-egress-traffic-through-an-egress-gateway>Direct TCP Egress traffic through an egress gateway</a><ol><li role=none aria-label="Configure TCP traffic from sidecars to the egress gateway"><a href=#configure-tcp-traffic-from-sidecars-to-the-egress-gateway>Configure TCP traffic from sidecars to the egress gateway</a><li role=none aria-label="Mutual TLS between the sidecar proxies and the egress gateway"><a href=#mutual-tls-between-the-sidecar-proxies-and-the-egress-gateway>Mutual TLS between the sidecar proxies and the egress gateway</a><li role=none aria-label="Verify that egress traffic is directed through the egress gateway"><a href=#verify-that-egress-traffic-is-directed-through-the-egress-gateway>Verify that egress traffic is directed through the egress 
gateway</a></ol></li><li role=none aria-label="Cleanup of TCP egress traffic control"><a href=#cleanup-of-tcp-egress-traffic-control>Cleanup of TCP egress traffic control</a></ol></li><li role=none aria-label="Egress control for TLS"><a href=#egress-control-for-tls>Egress control for TLS</a><ol><li role=none aria-label="Control TLS egress traffic without a gateway"><a href=#control-tls-egress-traffic-without-a-gateway>Control TLS egress traffic without a gateway</a><ol><li role=none aria-label="Cleanup of the egress configuration for TLS"><a href=#cleanup-of-the-egress-configuration-for-tls>Cleanup of the egress configuration for TLS</a></ol></li><li role=none aria-label="Direct TLS Egress traffic through an egress gateway"><a href=#direct-tls-egress-traffic-through-an-egress-gateway>Direct TLS Egress traffic through an egress gateway</a><ol><li role=none aria-label="Cleanup directing TLS egress traffic through an egress gateway"><a href=#cleanup-directing-tls-egress-traffic-through-an-egress-gateway>Cleanup directing TLS egress traffic through an egress gateway</a></ol></li><li role=none aria-label="Enable MongoDB TLS egress traffic to arbitrary wildcarded domains"><a href=#enable-mongodb-tls-egress-traffic-to-arbitrary-wildcarded-domains>Enable MongoDB TLS egress traffic to arbitrary wildcarded domains</a><ol><li role=none aria-label="Prepare a new egress gateway with an SNI proxy"><a href=#prepare-a-new-egress-gateway-with-an-sni-proxy>Prepare a new egress gateway with an SNI proxy</a><li role=none aria-label="Configure access to *.com using the new egress gateway"><a href=#configure-access-to-com-using-the-new-egress-gateway>Configure access to <code>*.com</code> using the new egress gateway</a><li role=none aria-label="Understanding what happened"><a href=#understanding-what-happened>Understanding what happened</a><li role=none aria-label="Cleanup of configuration for MongoDB TLS egress traffic to arbitrary wildcarded domains"><a 
href=#cleanup-of-configuration-for-mongodb-tls-egress-traffic-to-arbitrary-wildcarded-domains>Cleanup of configuration for MongoDB TLS egress traffic to arbitrary wildcarded domains</a></ol></li></ol></li><li role=none aria-label=Cleanup><a href=#cleanup>Cleanup</a><li role=none aria-label=Conclusion><a href=#conclusion>Conclusion</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.8/img/icons.svg#callout-warning"/></svg></div><div class=content>This blog post was written assuming Istio 1.1, so some of this content may now be outdated.</div></aside></div><p>In the <a href=/v1.8/blog/2018/egress-tcp/>Consuming External TCP Services</a> blog post, I described how external services
can be consumed by in-mesh Istio applications via TCP. In this post, I demonstrate consuming external MongoDB services.
You use the <a href=/v1.8/docs/examples/bookinfo/>Istio Bookinfo sample application</a>, the version in which the book
ratings data is persisted in a MongoDB database. You deploy this database outside the cluster and configure the
<em>ratings</em> microservice to use it. You will learn multiple options for controlling traffic to external MongoDB services and their
pros and cons.</p><h2 id=bookinfo-with-external-ratings-database>Bookinfo with external ratings database</h2><p>First, you set up a MongoDB database instance to hold book ratings data outside of your Kubernetes cluster. Then you
modify the <a href=/v1.8/docs/examples/bookinfo/>Bookinfo sample application</a> to use your database.</p><h3 id=setting-up-the-ratings-database>Setting up the ratings database</h3><p>For this task you set up an instance of <a href=https://www.mongodb.com>MongoDB</a>. You can use any MongoDB instance; I used
<a href=https://www.ibm.com/cloud/compose/mongodb>Compose for MongoDB</a>.</p><ol><li><p>Set an environment variable for the password of your <code>admin</code> user. Because the value is typed on the command line, it is preserved in the Bash history: either read it without echo instead (<code>read -rs MONGO_ADMIN_PASSWORD &amp;&amp; export MONGO_ADMIN_PASSWORD</code>), or
remove the command from the history immediately after running it, using
<a href=https://www.gnu.org/software/bash/manual/html_node/Bash-History-Builtins.html#Bash-History-Builtins>history -d</a>.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export MONGO_ADMIN_PASSWORD=&lt;your MongoDB admin password&gt;
</code></pre></li><li><p>Set an environment variable for the password of the new user you will create, namely <code>bookinfo</code>.
Remove the command from the history using
<a href=https://www.gnu.org/software/bash/manual/html_node/Bash-History-Builtins.html#Bash-History-Builtins>history -d</a>.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export BOOKINFO_PASSWORD=&lt;password&gt;
</code></pre></li><li><p>Set environment variables for your MongoDB service, <code>MONGODB_HOST</code> and <code>MONGODB_PORT</code>.</p></li><li><p>Create the <code>bookinfo</code> user. It is created in the <code>test</code> database with only the <code>read</code> role, so the credential that the in-mesh <em>ratings</em> service will later hold cannot modify data; keep it that way rather than reusing the <code>admin</code> account. Two caveats apply to this and the following <code>mongo</code> commands: <code>--sslAllowInvalidCertificates</code> disables verification of the server&#39;s TLS certificate, so anyone able to intercept the connection can impersonate the database and read or alter the traffic; use it only against a throwaway test instance, and otherwise drop it and point <code>--sslCAFile</code> at the issuing CA. Also, passing the password with <code>-p</code> puts it in the process&#39;s argument list, where other users on the same host can read it with <code>ps</code>; on a shared machine omit <code>-p</code> and let <code>mongo</code> prompt for it instead.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
use test
db.createUser(
{
user: &#34;bookinfo&#34;,
pwd: &#34;$BOOKINFO_PASSWORD&#34;,
roles: [ &#34;read&#34;]
}
);
EOF
</code></pre></li><li><p>Create a <em>collection</em> to hold ratings. The following command sets both ratings to be equal <code>1</code> to provide a visual
clue when your database is used by the Bookinfo <em>ratings</em> service (the default Bookinfo <em>ratings</em> are <code>4</code> and <code>5</code>).</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
use test
db.createCollection(&#34;ratings&#34;);
db.ratings.insert(
[{rating: 1},
{rating: 1}]
);
EOF
</code></pre></li><li><p>Check that <code>bookinfo</code> user can get ratings:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u bookinfo -p $BOOKINFO_PASSWORD --authenticationDatabase test
use test
db.ratings.find({});
EOF
</code></pre><p>The output should be similar to:</p><pre><code class=language-plain data-expandlinks=true data-repo=istio>MongoDB server version: 3.4.10
switched to db test
{ &#34;_id&#34; : ObjectId(&#34;5b7c29efd7596e65b6ed2572&#34;), &#34;rating&#34; : 1 }
{ &#34;_id&#34; : ObjectId(&#34;5b7c29efd7596e65b6ed2573&#34;), &#34;rating&#34; : 1 }
bye
</code></pre></li></ol><h3 id=initial-setting-of-bookinfo-application>Initial setting of Bookinfo application</h3><p>To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with <a href=/v1.8/docs/setup/getting-started/>Istio installed</a>. Then you deploy the
<a href=/v1.8/docs/examples/bookinfo/>Istio Bookinfo sample application</a>, <a href=/v1.8/docs/examples/bookinfo/#apply-default-destination-rules>apply the default destination rules</a>, and
<a href=/v1.8/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy>change Istio to the blocking-egress-by-default policy</a>.</p><p>This application uses the <code>ratings</code> microservice to fetch book ratings, a number between 1 and 5. The ratings are
displayed as stars for each review. There are several versions of the <code>ratings</code> microservice. You will deploy the
version that uses <a href=https://www.mongodb.com>MongoDB</a> as the ratings database in the next subsection.</p><p>The example commands in this blog post work with Istio 1.0.</p><p>As a reminder, here is the end-to-end architecture of the application from the
<a href=/v1.8/docs/examples/bookinfo/>Bookinfo sample application</a>.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:59.086918235567985%><a data-skipendnotes=true href=/v1.8/docs/examples/bookinfo/withistio.svg title="The original Bookinfo application"><img class=element-to-stretch src=/v1.8/docs/examples/bookinfo/withistio.svg alt="The original Bookinfo application"></a></div><figcaption>The original Bookinfo application</figcaption></figure><h3 id=use-the-external-database-in-bookinfo-application>Use the external database in Bookinfo application</h3><ol><li><p>Deploy the spec of the <em>ratings</em> microservice that uses a MongoDB database (<em>ratings v2</em>):</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.8/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@
serviceaccount &#34;bookinfo-ratings-v2&#34; created
deployment &#34;ratings-v2&#34; created
</code></pre></div></li><li><p>Update the <code>MONGO_DB_URL</code> environment variable to the value of your MongoDB. This stores the connection string, password included, as a plain value in the Deployment spec, which is acceptable for this demo; for a real deployment keep it in a Kubernetes Secret and reference the Secret from the container environment:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl set env deployment/ratings-v2 &#34;MONGO_DB_URL=mongodb://bookinfo:$BOOKINFO_PASSWORD@$MONGODB_HOST:$MONGODB_PORT/test?authSource=test&amp;ssl=true&#34;
deployment.extensions/ratings-v2 env updated
</code></pre></li><li><p>Route all the traffic destined to the <em>reviews</em> service to its <em>v3</em> version. You do this to ensure that the
<em>reviews</em> service always calls the <em>ratings</em> service. In addition, route all the traffic destined to the <em>ratings</em>
service to <em>ratings v2</em> that uses your database.</p><p>Specify the routing for both services above by adding two
<a href=/v1.8/docs/reference/config/networking/virtual-service/>virtual services</a>. These virtual services are
specified in <code>samples/bookinfo/networking/virtual-service-ratings-mongodb.yaml</code> of an Istio release archive.
<strong><em>Important:</em></strong> make sure you
<a href=/v1.8/docs/examples/bookinfo/#apply-default-destination-rules>applied the default destination rules</a> before running the
following command.</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.8/samples/bookinfo/networking/virtual-service-ratings-db.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/bookinfo/networking/virtual-service-ratings-db.yaml@
</code></pre></div></li></ol><p>The updated architecture appears below. Note that the blue arrows inside the mesh mark the traffic configured according
to the virtual services we added. According to the virtual services, the traffic is sent to <em>reviews v3</em> and
<em>ratings v2</em>.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:59.314858206480224%><a data-skipendnotes=true href=/v1.8/blog/2018/egress-mongo/bookinfo-ratings-v2-mongodb-external.svg title="The Bookinfo application with ratings v2 and an external MongoDB database"><img class=element-to-stretch src=/v1.8/blog/2018/egress-mongo/bookinfo-ratings-v2-mongodb-external.svg alt="The Bookinfo application with ratings v2 and an external MongoDB database"></a></div><figcaption>The Bookinfo application with ratings v2 and an external MongoDB database</figcaption></figure><p>Note that the MongoDB database is outside the Istio service mesh, or more precisely outside the Kubernetes cluster. The
boundary of the service mesh is marked by a dashed line.</p><h3 id=access-the-webpage>Access the webpage</h3><p>Access the webpage of the application, after
<a href=/v1.8/docs/examples/bookinfo/#determine-the-ingress-ip-and-port>determining the ingress IP and port</a>.</p><p>Since you did not configure the egress traffic control yet, the access to the MongoDB service is blocked by Istio.
This is why instead of the rating stars, the message <em>&ldquo;Ratings service is currently unavailable&rdquo;</em> is currently
displayed below each review:</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:36.18705035971223%><a data-skipendnotes=true href=/v1.8/blog/2018/egress-mongo/errorFetchingBookRating.png title="The Ratings service error messages"><img class=element-to-stretch src=/v1.8/blog/2018/egress-mongo/errorFetchingBookRating.png alt="The Ratings service error messages"></a></div><figcaption>The Ratings service error messages</figcaption></figure><p>In the following sections you will configure egress access to the external MongoDB service, using different options for
egress control in Istio.</p><h2 id=egress-control-for-tcp>Egress control for TCP</h2><p>Since <a href=https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/>MongoDB Wire Protocol</a> runs on top of TCP, you
can control the egress traffic to your MongoDB as traffic to any other <a href=/v1.8/blog/2018/egress-tcp/>external TCP service</a>. To
control TCP traffic, a block of IPs in the <a href=https://tools.ietf.org/html/rfc2317>CIDR</a> notation that includes the IP
address of your MongoDB host must be specified. The caveat here is that sometimes the IP of the MongoDB host is not
stable or known in advance.</p><p>In the cases when the IP of the MongoDB host is not stable, the egress traffic can either be
<a href=#egress-control-for-tls>controlled as TLS traffic</a>, or the traffic can be routed
<a href=/v1.8/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services>directly</a>, bypassing the Istio sidecar
proxies.</p><p>Get the IP address of your MongoDB database instance. As an option, you can use the
<a href=https://linux.die.net/man/1/host>host</a> command:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export MONGODB_IP=$(host $MONGODB_HOST | grep &#34; has address &#34; | cut -d&#34; &#34; -f4)
</code></pre><h3 id=control-tcp-egress-traffic-without-a-gateway>Control TCP egress traffic without a gateway</h3><p>In case you do not need to direct the traffic through an
<a href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway/#use-case>egress gateway</a>, for example if you do not have a
requirement that all the traffic that exits your mesh must exit through the gateway, follow the
instructions in this section. Alternatively, if you do want to direct your traffic through an egress gateway, proceed to
<a href=#direct-tcp-egress-traffic-through-an-egress-gateway>Direct TCP egress traffic through an egress gateway</a>.</p><ol><li><p>Define a TCP mesh-external service entry:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: mongo
spec:
hosts:
- my-mongo.tcp.svc
addresses:
- $MONGODB_IP/32
ports:
- number: $MONGODB_PORT
name: tcp
protocol: TCP
location: MESH_EXTERNAL
resolution: STATIC
endpoints:
- address: $MONGODB_IP
EOF
</code></pre><p>Note that the protocol <code>TCP</code> is specified instead of <code>MONGO</code> because the traffic can be encrypted in
case <a href=https://docs.mongodb.com/manual/tutorial/configure-ssl/>the MongoDB protocol runs on top of TLS</a>.
If the traffic is encrypted, the encrypted MongoDB protocol cannot be parsed by the Istio proxy.</p><p>If you know that the plain MongoDB protocol is used, without encryption, you can specify the protocol as <code>MONGO</code> and
let the Istio proxy produce
<a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/mongo_proxy_filter#statistics>MongoDB related statistics</a>.
Also note that when the protocol <code>TCP</code> is specified, the configuration is not specific to MongoDB, but is the same
for any other database with the protocol on top of TCP.</p><p>Note that the host of your MongoDB is not used in TCP routing, so you can use any host, for example <code>my-mongo.tcp.svc</code>. Notice the <code>STATIC</code> resolution and the endpoint with the IP of your MongoDB service. Once you define such an endpoint, you can access MongoDB services that do not have a domain name.</p></li><li><p>Refresh the web page of the application. Now the application should display the ratings without error:</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:36.69064748201439%><a data-skipendnotes=true href=/v1.8/blog/2018/egress-mongo/externalDBRatings.png title="Book Ratings Displayed Correctly"><img class=element-to-stretch src=/v1.8/blog/2018/egress-mongo/externalDBRatings.png alt="Book Ratings Displayed Correctly"></a></div><figcaption>Book Ratings Displayed Correctly</figcaption></figure><p>Note that you see a one-star rating for both displayed reviews, as expected. You set the ratings to be one star to
provide yourself with a visual clue that your external database is indeed being used.</p></li><li><p>If you want to direct the traffic through an egress gateway, proceed to the next section. Otherwise, perform
<a href=#cleanup-of-tcp-egress-traffic-control>cleanup</a>.</p></li></ol><h3 id=direct-tcp-egress-traffic-through-an-egress-gateway>Direct TCP Egress traffic through an egress gateway</h3><p>In this section you handle the case when you need to direct the traffic through an
<a href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway/#use-case>egress gateway</a>. The sidecar proxy routes TCP
connections from the MongoDB client to the egress gateway, by matching the IP of the MongoDB host (a CIDR block of
length 32). The egress gateway forwards the traffic to the MongoDB host, by its hostname.</p><ol><li><p><a href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway>Deploy Istio egress gateway</a>.</p></li><li><p>If you did not perform the steps in <a href=#control-tcp-egress-traffic-without-a-gateway>the previous section</a>, perform them now.</p></li><li><p>You may want to enable <span class=term data-title="Mutual TLS Authentication" data-body='<p>Mutual TLS provides strong service-to-service authentication with built-in identity and credential management.
<a href="/docs/concepts/security/#mutual-tls-authentication">Learn more about mutual TLS authentication</a>.</p>'>mutual TLS Authentication</span> between the sidecar proxies of
your MongoDB clients and the egress gateway to let the egress gateway monitor the identity of the source pods and to
enable Mixer policy enforcement based on that identity. By enabling mutual TLS you also encrypt the traffic.
If you want to enable mutual TLS, proceed to the <a href=/v1.8/blog/2018/egress-mongo/#mutual-tls-between-the-sidecar-proxies-and-the-egress-gateway>Mutual TLS between the sidecar proxies and the egress gateway</a> section.
Otherwise, proceed to the following section.</p></li></ol><h4 id=configure-tcp-traffic-from-sidecars-to-the-egress-gateway>Configure TCP traffic from sidecars to the egress gateway</h4><ol><li><p>Define the <code>EGRESS_GATEWAY_MONGODB_PORT</code> environment variable to hold some port for directing traffic through
the egress gateway, e.g. <code>7777</code>. You must select a port that is not used for any other service in the mesh.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export EGRESS_GATEWAY_MONGODB_PORT=7777
</code></pre></li><li><p>Add the selected port to the <code>istio-egressgateway</code> service. You should use the same values you used for installing
Istio, in particular you have to specify all the ports of the <code>istio-egressgateway</code> service that you previously
configured.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ helm template install/kubernetes/helm/istio/ --name istio-egressgateway --namespace istio-system -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml --set gateways.istio-ingressgateway.enabled=false --set gateways.istio-egressgateway.enabled=true --set gateways.istio-egressgateway.ports[0].port=80 --set gateways.istio-egressgateway.ports[0].name=http --set gateways.istio-egressgateway.ports[1].port=443 --set gateways.istio-egressgateway.ports[1].name=https --set gateways.istio-egressgateway.ports[2].port=$EGRESS_GATEWAY_MONGODB_PORT --set gateways.istio-egressgateway.ports[2].name=mongo | kubectl apply -f -
</code></pre></li><li><p>Check that the <code>istio-egressgateway</code> service indeed has the selected port:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get svc istio-egressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-egressgateway ClusterIP 172.21.202.204 &lt;none&gt; 80/TCP,443/TCP,7777/TCP 34d
</code></pre></li><li><p>Disable mutual TLS authentication for the <code>istio-egressgateway</code> service:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: istio-egressgateway
namespace: istio-system
spec:
targets:
- name: istio-egressgateway
EOF
</code></pre></li><li><p>Create an egress <code>Gateway</code> for your MongoDB service, and destination rules and a virtual service to direct the
traffic through the egress gateway and from the egress gateway to the external service.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- port:
number: $EGRESS_GATEWAY_MONGODB_PORT
name: tcp
protocol: TCP
hosts:
- my-mongo.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-mongo
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: mongo
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: mongo
spec:
host: my-mongo.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-mongo-through-egress-gateway
spec:
hosts:
- my-mongo.tcp.svc
gateways:
- mesh
- istio-egressgateway
tcp:
- match:
- gateways:
- mesh
destinationSubnets:
- $MONGODB_IP/32
port: $MONGODB_PORT
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: mongo
port:
number: $EGRESS_GATEWAY_MONGODB_PORT
- match:
- gateways:
- istio-egressgateway
port: $EGRESS_GATEWAY_MONGODB_PORT
route:
- destination:
host: my-mongo.tcp.svc
port:
number: $MONGODB_PORT
weight: 100
EOF
</code></pre></li><li><p><a href=#verify-that-egress-traffic-is-directed-through-the-egress-gateway>Verify that egress traffic is directed through the egress gateway</a>.</p></li></ol><h4 id=mutual-tls-between-the-sidecar-proxies-and-the-egress-gateway>Mutual TLS between the sidecar proxies and the egress gateway</h4><ol><li><p>Delete the previous configuration:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete gateway istio-egressgateway --ignore-not-found=true
$ kubectl delete virtualservice direct-mongo-through-egress-gateway --ignore-not-found=true
$ kubectl delete destinationrule egressgateway-for-mongo mongo --ignore-not-found=true
$ kubectl delete policy istio-egressgateway -n istio-system --ignore-not-found=true
</code></pre></li><li><p>Enforce mutual TLS authentication for the <code>istio-egressgateway</code> service:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: istio-egressgateway
namespace: istio-system
spec:
targets:
- name: istio-egressgateway
peers:
- mtls: {}
EOF
</code></pre></li><li><p>Create an egress <code>Gateway</code> for your MongoDB service, and destination rules and a virtual service
to direct the traffic through the egress gateway and from the egress gateway to the external service.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- port:
number: 443
name: tls
protocol: TLS
hosts:
- my-mongo.tcp.svc
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-mongo
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: mongo
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: ISTIO_MUTUAL
sni: my-mongo.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: mongo
spec:
host: my-mongo.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-mongo-through-egress-gateway
spec:
hosts:
- my-mongo.tcp.svc
gateways:
- mesh
- istio-egressgateway
tcp:
- match:
- gateways:
- mesh
destinationSubnets:
- $MONGODB_IP/32
port: $MONGODB_PORT
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: mongo
port:
number: 443
- match:
- gateways:
- istio-egressgateway
port: 443
route:
- destination:
host: my-mongo.tcp.svc
port:
number: $MONGODB_PORT
weight: 100
EOF
</code></pre></li><li><p>Proceed to the next section.</p></li></ol><h4 id=verify-that-egress-traffic-is-directed-through-the-egress-gateway>Verify that egress traffic is directed through the egress gateway</h4><ol><li><p>Refresh the web page of the application again and verify that the ratings are still displayed correctly.</p></li><li><p><a href=/v1.8/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging>Enable Envoy&rsquo;s access logging</a>.</p></li><li><p>Check the log of the egress gateway&rsquo;s Envoy and see a line that corresponds to your
requests to the MongoDB service. If Istio is deployed in the <code>istio-system</code> namespace, the command to print the
log is:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl logs -l istio=egressgateway -n istio-system
[2019-04-14T06:12:07.636Z] &#34;- - -&#34; 0 - &#34;-&#34; 1591 4393 94 - &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;&lt;Your MongoDB IP&gt;:&lt;your MongoDB port&gt;&#34; outbound|&lt;your MongoDB port&gt;||my-mongo.tcp.svc 172.30.146.119:59924 172.30.146.119:443 172.30.230.1:59206 -
</code></pre></li></ol><h3 id=cleanup-of-tcp-egress-traffic-control>Cleanup of TCP egress traffic control</h3><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete serviceentry mongo
$ kubectl delete gateway istio-egressgateway --ignore-not-found=true
$ kubectl delete virtualservice direct-mongo-through-egress-gateway --ignore-not-found=true
$ kubectl delete destinationrule egressgateway-for-mongo mongo --ignore-not-found=true
$ kubectl delete policy istio-egressgateway -n istio-system --ignore-not-found=true
</code></pre><h2 id=egress-control-for-tls>Egress control for TLS</h2><p>In real life, most communication with external services must be encrypted, and
<a href=https://docs.mongodb.com/manual/tutorial/configure-ssl/>the MongoDB protocol runs on top of TLS</a>.
Also, the TLS clients usually send
<a href=https://en.wikipedia.org/wiki/Server_Name_Indication>Server Name Indication</a>, SNI, as part of their handshake. If your
MongoDB server runs TLS and your MongoDB client sends SNI as part of the handshake, you can control your MongoDB egress
traffic as any other TLS-with-SNI traffic. With TLS and SNI, you do not need to specify the IP addresses of your MongoDB
servers. You specify their host names instead, which is more convenient since you do not have to rely on the stability of
the IP addresses. You can also specify wildcards as a prefix of the host names, for example allowing access to any
server from the <code>*.com</code> domain.</p><p>To check if your MongoDB server supports TLS, run:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ openssl s_client -connect $MONGODB_HOST:$MONGODB_PORT -servername $MONGODB_HOST
</code></pre><p>If the command above prints a certificate returned by the server, the server supports TLS. If not, you have to control
your MongoDB egress traffic on the TCP level, as described in the previous sections.</p><h3 id=control-tls-egress-traffic-without-a-gateway>Control TLS egress traffic without a gateway</h3><p>In case you <a href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway/#use-case>do not need an egress gateway</a>, follow the
instructions in this section. If you want to direct your traffic through an egress gateway, proceed to
<a href=#direct-tls-egress-traffic-through-an-egress-gateway>Direct TLS Egress traffic through an egress gateway</a>.</p><ol><li><p>Create a <code>ServiceEntry</code> for the MongoDB service:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: mongo
spec:
hosts:
- $MONGODB_HOST
ports:
- number: $MONGODB_PORT
name: tls
protocol: TLS
resolution: DNS
EOF
</code></pre></li><li><p>Refresh the web page of the application. The application should display the ratings without error.</p></li></ol><h4 id=cleanup-of-the-egress-configuration-for-tls>Cleanup of the egress configuration for TLS</h4><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete serviceentry mongo
</code></pre><h3 id=direct-tls-egress-traffic-through-an-egress-gateway>Direct TLS Egress traffic through an egress gateway</h3><p>In this section you handle the case when you need to direct the traffic through an
<a href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway/#use-case>egress gateway</a>. The sidecar proxy routes TLS
connections from the MongoDB client to the egress gateway, by matching the SNI of the MongoDB host.
The egress gateway forwards the traffic to the MongoDB host. Note that the sidecar proxy rewrites the destination port
to be 443. The egress gateway accepts the MongoDB traffic on the port 443, matches the MongoDB host by SNI, and rewrites
the port again to be the port of the MongoDB server.</p><ol><li><p><a href=/v1.8/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway>Deploy Istio egress gateway</a>.</p></li><li><p>Create a <code>ServiceEntry</code> for the MongoDB service:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: mongo
spec:
hosts:
- $MONGODB_HOST
ports:
- number: $MONGODB_PORT
name: tls
protocol: TLS
- number: 443
name: tls-port-for-egress-gateway
protocol: TLS
resolution: DNS
location: MESH_EXTERNAL
EOF
</code></pre></li><li><p>Refresh the web page of the application and verify that the ratings are displayed correctly.</p></li><li><p>Create an egress <code>Gateway</code> for your MongoDB service, and destination rules and virtual services
to direct the traffic through the egress gateway and from the egress gateway to the external service.</p><p>If you want to enable <a href=/v1.8/docs/tasks/security/authentication/authn-policy/>mutual TLS Authentication</a> between the sidecar proxies of
your application pods and the egress gateway, use the following command. (You may want to enable mutual TLS to let
the egress gateway monitor the identity of the source pods and to enable Mixer policy enforcement based on that
identity.)</p><div id=tabset-blog-2018-egress-mongo-1 role=tablist class=tabset><div class=tab-strip data-category-name=mtls><button aria-selected=true data-category-value=enabled aria-controls=tabset-blog-2018-egress-mongo-1-0-panel id=tabset-blog-2018-egress-mongo-1-0-tab role=tab><span>mutual TLS enabled</span>
</button><button tabindex=-1 data-category-value=disabled aria-controls=tabset-blog-2018-egress-mongo-1-1-panel id=tabset-blog-2018-egress-mongo-1-1-tab role=tab><span>mutual TLS disabled</span></button></div><div class=tab-content><div id=tabset-blog-2018-egress-mongo-1-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2018-egress-mongo-1-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- port:
number: 443
name: tls
protocol: TLS
hosts:
- $MONGODB_HOST
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-mongo
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: mongo
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: ISTIO_MUTUAL
sni: $MONGODB_HOST
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-mongo-through-egress-gateway
spec:
hosts:
- $MONGODB_HOST
gateways:
- mesh
- istio-egressgateway
tls:
- match:
- gateways:
- mesh
port: $MONGODB_PORT
sni_hosts:
- $MONGODB_HOST
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: mongo
port:
number: 443
tcp:
- match:
- gateways:
- istio-egressgateway
port: 443
route:
- destination:
host: $MONGODB_HOST
port:
number: $MONGODB_PORT
weight: 100
EOF
</code></pre></div><div hidden id=tabset-blog-2018-egress-mongo-1-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2018-egress-mongo-1-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- port:
number: 443
name: tls
protocol: TLS
hosts:
- $MONGODB_HOST
tls:
mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-mongo
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: mongo
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-mongo-through-egress-gateway
spec:
hosts:
- $MONGODB_HOST
gateways:
- mesh
- istio-egressgateway
tls:
- match:
- gateways:
- mesh
port: $MONGODB_PORT
sni_hosts:
- $MONGODB_HOST
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: mongo
port:
number: 443
- match:
- gateways:
- istio-egressgateway
port: 443
sni_hosts:
- $MONGODB_HOST
route:
- destination:
host: $MONGODB_HOST
port:
number: $MONGODB_PORT
weight: 100
EOF
</code></pre></div></div></div></li><li><p><a href=#verify-that-egress-traffic-is-directed-through-the-egress-gateway>Verify that the traffic is directed through the egress gateway</a>.</p></li></ol><h4 id=cleanup-directing-tls-egress-traffic-through-an-egress-gateway>Cleanup directing TLS egress traffic through an egress gateway</h4><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete serviceentry mongo
$ kubectl delete gateway istio-egressgateway
$ kubectl delete virtualservice direct-mongo-through-egress-gateway
$ kubectl delete destinationrule egressgateway-for-mongo
</code></pre><h3 id=enable-mongodb-tls-egress-traffic-to-arbitrary-wildcarded-domains>Enable MongoDB TLS egress traffic to arbitrary wildcarded domains</h3><p>Sometimes you want to configure egress traffic to multiple hostnames from the same domain, for example traffic to all
MongoDB services from <code>*.&lt;your company domain&gt;.com</code>. You do not want to create multiple configuration items, one for
each and every MongoDB service in your company. To configure access to all the external services from the same domain by
a single configuration, you use <em>wildcarded</em> hosts.</p><p>In this section you configure egress traffic for a wildcarded domain. I used a MongoDB instance in the <code>composedb.com</code>
domain, so configuring egress traffic for <code>*.com</code> worked for me (I could have used <code>*.composedb.com</code> as well).
You can pick a wildcarded domain according to your MongoDB host. Choose the narrowest wildcard that matches your host, such as <code>*.composedb.com</code>: a pattern as broad as <code>*.com</code> permits TLS egress to almost any server and largely undoes the blocking-by-default policy you configured earlier.</p><p>To configure egress gateway traffic for a wildcarded domain, you will first need to deploy a custom egress
gateway with
<a href=/v1.8/docs/tasks/traffic-management/egress/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains>an additional SNI proxy</a>.
This is needed due to current limitations of Envoy, the proxy used by the standard Istio egress gateway.</p><h4 id=prepare-a-new-egress-gateway-with-an-sni-proxy>Prepare a new egress gateway with an SNI proxy</h4><p>In this subsection you deploy an egress gateway with an SNI proxy, in addition to the standard Istio Envoy proxy. You
can use any SNI proxy that is capable of routing traffic according to arbitrary, not-preconfigured SNI values; I used
<a href=http://nginx.org>Nginx</a> to achieve this functionality.</p><ol><li><p>Create a configuration file for the Nginx SNI proxy. You may want to edit the file to specify additional Nginx
settings, if required. For example, the <code>resolver</code> directive below uses a public DNS server (<code>8.8.8.8</code>) to resolve the hostnames taken from the SNI values; you may prefer to point it at your organization&rsquo;s own DNS resolver.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF &gt; ./sni-proxy.conf
user www-data;
events {
}
stream {
log_format log_stream &#39;\$remote_addr [\$time_local] \$protocol [\$ssl_preread_server_name]&#39;
&#39;\$status \$bytes_sent \$bytes_received \$session_time&#39;;
access_log /var/log/nginx/access.log log_stream;
error_log /var/log/nginx/error.log;
# tcp forward proxy by SNI
server {
resolver 8.8.8.8 ipv6=off;
listen 127.0.0.1:$MONGODB_PORT;
proxy_pass \$ssl_preread_server_name:$MONGODB_PORT;
ssl_preread on;
}
}
EOF
</code></pre></li><li><p>Create a Kubernetes <a href=https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/>ConfigMap</a>
to hold the configuration of the Nginx SNI proxy:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl create configmap egress-sni-proxy-configmap -n istio-system --from-file=nginx.conf=./sni-proxy.conf
</code></pre></li><li><p>The following command will generate <code>istio-egressgateway-with-sni-proxy.yaml</code> to edit and deploy.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF | helm template install/kubernetes/helm/istio/ --name istio-egressgateway-with-sni-proxy --namespace istio-system -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml -x charts/gateways/templates/serviceaccount.yaml -x charts/gateways/templates/autoscale.yaml -x charts/gateways/templates/role.yaml -x charts/gateways/templates/rolebindings.yaml --set global.mtls.enabled=true --set global.istioNamespace=istio-system -f - &gt; ./istio-egressgateway-with-sni-proxy.yaml
gateways:
enabled: true
istio-ingressgateway:
enabled: false
istio-egressgateway:
enabled: false
istio-egressgateway-with-sni-proxy:
enabled: true
labels:
app: istio-egressgateway-with-sni-proxy
istio: egressgateway-with-sni-proxy
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
serviceAnnotations: {}
type: ClusterIP
ports:
- port: 443
name: https
secretVolumes:
- name: egressgateway-certs
secretName: istio-egressgateway-certs
mountPath: /etc/istio/egressgateway-certs
- name: egressgateway-ca-certs
secretName: istio-egressgateway-ca-certs
mountPath: /etc/istio/egressgateway-ca-certs
configVolumes:
- name: sni-proxy-config
configMapName: egress-sni-proxy-configmap
additionalContainers:
- name: sni-proxy
image: nginx
volumeMounts:
- name: sni-proxy-config
mountPath: /etc/nginx
readOnly: true
EOF
</code></pre></li><li><p>Deploy the new egress gateway:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f ./istio-egressgateway-with-sni-proxy.yaml
serviceaccount &#34;istio-egressgateway-with-sni-proxy-service-account&#34; created
role &#34;istio-egressgateway-with-sni-proxy-istio-system&#34; created
rolebinding &#34;istio-egressgateway-with-sni-proxy-istio-system&#34; created
service &#34;istio-egressgateway-with-sni-proxy&#34; created
deployment &#34;istio-egressgateway-with-sni-proxy&#34; created
horizontalpodautoscaler &#34;istio-egressgateway-with-sni-proxy&#34; created
</code></pre></li><li><p>Verify that the new egress gateway is running. Note that the pod has two containers (one is the Envoy proxy and the
second one is the SNI proxy).</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get pod -l istio=egressgateway-with-sni-proxy -n istio-system
NAME READY STATUS RESTARTS AGE
istio-egressgateway-with-sni-proxy-79f6744569-pf9t2 2/2 Running 0 17s
</code></pre></li><li><p>Create a service entry with a static address equal to 127.0.0.1 (<code>localhost</code>), and disable mutual TLS on the traffic directed to the new
service entry. The SNI proxy runs as a second container in the egress gateway pod, so the gateway&rsquo;s Envoy proxy reaches it over the pod&rsquo;s loopback interface, on the port the Nginx configuration listens on:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: sni-proxy
spec:
hosts:
- sni-proxy.local
location: MESH_EXTERNAL
ports:
- number: $MONGODB_PORT
name: tcp
protocol: TCP
resolution: STATIC
endpoints:
- address: 127.0.0.1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: disable-mtls-for-sni-proxy
spec:
host: sni-proxy.local
trafficPolicy:
tls:
mode: DISABLE
EOF
</code></pre></li></ol><h4 id=configure-access-to-com-using-the-new-egress-gateway>Configure access to <code>*.com</code> using the new egress gateway</h4><ol><li><p>Define a <code>ServiceEntry</code> for <code>*.com</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF | kubectl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: mongo
spec:
hosts:
- &#34;*.com&#34;
ports:
- number: 443
name: tls
protocol: TLS
- number: $MONGODB_PORT
name: tls-mongodb
protocol: TLS
location: MESH_EXTERNAL
EOF
</code></pre></li><li><p>Create an egress <code>Gateway</code> for <em>*.com</em>, port 443, protocol TLS, a destination rule to set the
<a href=https://en.wikipedia.org/wiki/Server_Name_Indication>SNI</a> for the gateway, and Envoy filters to prevent tampering
with SNI by a malicious application (the filters verify that the SNI issued by the application is the SNI reported
to Mixer).</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway-with-sni-proxy
spec:
selector:
istio: egressgateway-with-sni-proxy
servers:
- port:
number: 443
name: tls
protocol: TLS
hosts:
- &#34;*.com&#34;
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: mtls-for-egress-gateway
spec:
host: istio-egressgateway-with-sni-proxy.istio-system.svc.cluster.local
subsets:
- name: mongo
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: ISTIO_MUTUAL
---
# The following filter is used to forward the original SNI (sent by the application) as the SNI of the mutual TLS
# connection.
# The forwarded SNI will be reported to Mixer so that policies will be enforced based on the original SNI value.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: forward-downstream-sni
spec:
filters:
- listenerMatch:
portNumber: $MONGODB_PORT
listenerType: SIDECAR_OUTBOUND
filterName: forward_downstream_sni
filterType: NETWORK
filterConfig: {}
---
# The following filter verifies that the SNI of the mutual TLS connection (the SNI reported to Mixer) is
# identical to the original SNI issued by the application (the SNI used for routing by the SNI proxy).
# The filter prevents Mixer from being deceived by a malicious application: routing to one SNI while
# reporting some other value of SNI. If the original SNI does not match the SNI of the mutual TLS connection, the
# filter will block the connection to the external service.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: egress-gateway-sni-verifier
spec:
workloadLabels:
app: istio-egressgateway-with-sni-proxy
filters:
- listenerMatch:
portNumber: 443
listenerType: GATEWAY
filterName: sni_verifier
filterType: NETWORK
filterConfig: {}
EOF
</code></pre></li><li><p>Route the traffic destined for <em>*.com</em> to the egress gateway and from the egress gateway to the SNI proxy.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-mongo-through-egress-gateway
spec:
hosts:
- &#34;*.com&#34;
gateways:
- mesh
- istio-egressgateway-with-sni-proxy
tls:
- match:
- gateways:
- mesh
port: $MONGODB_PORT
sni_hosts:
- &#34;*.com&#34;
route:
- destination:
host: istio-egressgateway-with-sni-proxy.istio-system.svc.cluster.local
subset: mongo
port:
number: 443
weight: 100
tcp:
- match:
- gateways:
- istio-egressgateway-with-sni-proxy
port: 443
route:
- destination:
host: sni-proxy.local
port:
number: $MONGODB_PORT
weight: 100
EOF
</code></pre></li><li><p>Refresh the web page of the application again and verify that the ratings are still displayed correctly.</p></li><li><p><a href=/v1.8/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging>Enable Envoy&rsquo;s access logging</a></p></li><li><p>Check the log of the egress gateway&rsquo;s Envoy proxy. If Istio is deployed in the <code>istio-system</code> namespace, the command
to print the log is:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl logs -l istio=egressgateway-with-sni-proxy -c istio-proxy -n istio-system
</code></pre><p>You should see lines similar to the following:</p><pre><code class=language-plain data-expandlinks=true data-repo=istio>[2019-01-02T17:22:04.602Z] &#34;- - -&#34; 0 - 768 1863 88 - &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;127.0.0.1:28543&#34; outbound|28543||sni-proxy.local 127.0.0.1:49976 172.30.146.115:443 172.30.146.118:58510 &lt;your MongoDB host&gt;
[2019-01-02T17:22:04.713Z] &#34;- - -&#34; 0 - 1534 2590 85 - &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;127.0.0.1:28543&#34; outbound|28543||sni-proxy.local 127.0.0.1:49988 172.30.146.115:443 172.30.146.118:58522 &lt;your MongoDB host&gt;
</code></pre></li><li><p>Check the logs of the SNI proxy. If Istio is deployed in the <code>istio-system</code> namespace, the command to print the
log is:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl logs -l istio=egressgateway-with-sni-proxy -n istio-system -c sni-proxy
127.0.0.1 [23/Aug/2018:03:28:18 +0000] TCP [&lt;your MongoDB host&gt;]200 1863 482 0.089
127.0.0.1 [23/Aug/2018:03:28:18 +0000] TCP [&lt;your MongoDB host&gt;]200 2590 1248 0.095
</code></pre></li></ol><h4 id=understanding-what-happened>Understanding what happened</h4><p>In this section you configured egress traffic to your MongoDB host using a wildcarded domain. While for a single MongoDB
host there is no gain in using wildcarded domains (an exact hostname can be specified), it could be beneficial for
cases when the applications in the cluster access multiple MongoDB hosts that match some wildcarded domain. For example,
if the applications access <code>mongodb1.composedb.com</code>, <code>mongodb2.composedb.com</code> and <code>mongodb3.composedb.com</code>, the egress
traffic can be configured by a single configuration for the wildcarded domain <code>*.composedb.com</code>.</p><p>I will leave it as an exercise for the reader to verify that no additional Istio configuration is required when you
configure an app to use another instance of MongoDB with a hostname that matches the wildcarded domain used in this
section.</p><h4 id=cleanup-of-configuration-for-mongodb-tls-egress-traffic-to-arbitrary-wildcarded-domains>Cleanup of configuration for MongoDB TLS egress traffic to arbitrary wildcarded domains</h4><ol><li><p>Delete the configuration items for <em>*.com</em>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete serviceentry mongo
$ kubectl delete gateway istio-egressgateway-with-sni-proxy
$ kubectl delete virtualservice direct-mongo-through-egress-gateway
$ kubectl delete destinationrule mtls-for-egress-gateway
$ kubectl delete envoyfilter forward-downstream-sni egress-gateway-sni-verifier
</code></pre></li><li><p>Delete the configuration items for the <code>egressgateway-with-sni-proxy</code> deployment:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete serviceentry sni-proxy
$ kubectl delete destinationrule disable-mtls-for-sni-proxy
$ kubectl delete -f ./istio-egressgateway-with-sni-proxy.yaml
$ kubectl delete configmap egress-sni-proxy-configmap -n istio-system
</code></pre></li><li><p>Remove the configuration files you created:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ rm ./istio-egressgateway-with-sni-proxy.yaml
$ rm ./sni-proxy.conf
</code></pre></li></ol><h2 id=cleanup>Cleanup</h2><ol><li><p>Drop the <code>bookinfo</code> user:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
use test
db.dropUser(&#34;bookinfo&#34;);
EOF
</code></pre></li><li><p>Drop the <em>ratings</em> collection:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
use test
db.ratings.drop();
EOF
</code></pre></li><li><p>Unset the environment variables you used:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ unset MONGO_ADMIN_PASSWORD BOOKINFO_PASSWORD MONGODB_HOST MONGODB_PORT MONGODB_IP
</code></pre></li><li><p>Remove the virtual services:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.8/samples/bookinfo/networking/virtual-service-ratings-db.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete -f @samples/bookinfo/networking/virtual-service-ratings-db.yaml@
Deleted config: virtual-service/default/reviews
Deleted config: virtual-service/default/ratings
</code></pre></div></li><li><p>Undeploy <em>ratings v2-mongodb</em>:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.8/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@
deployment &#34;ratings-v2&#34; deleted
</code></pre></div></li></ol><h2 id=conclusion>Conclusion</h2><p>In this blog post I demonstrated various options for MongoDB egress traffic control. You can control the MongoDB egress
traffic on a TCP or TLS level where applicable. In both TCP and TLS cases, you can direct the traffic from the sidecar
proxies directly to the external MongoDB host, or direct the traffic through an egress gateway, according to your
organization&rsquo;s security requirements. In the latter case, you can also decide to apply or disable mutual TLS
authentication between the sidecar proxies and the egress gateway. If you want to control MongoDB egress traffic on the
TLS level by specifying wildcarded domains like <code>*.com</code> and you need to direct the traffic through the egress gateway,
you must deploy a custom egress gateway with an SNI proxy.</p><p>Note that the configuration and considerations described in this blog post for MongoDB are largely the same for other
non-HTTP protocols on top of TCP/TLS.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.8/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></p><p class=desc>Verifies the performance impact of adding an egress gateway.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.8/blog/2018/egress-tcp/>Consuming External TCP Services</a></p><p class=desc>Describes a simple scenario based on Istio's Bookinfo example.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.8/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></p><p class=desc>Comparison of alternative solutions to control egress traffic including performance considerations.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.8/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></p><p class=desc>Use Istio Egress Traffic Control to prevent attacks involving egress traffic.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.8/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></p><p class=desc>Attacks involving egress traffic and requirements for egress traffic control.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.8/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></p><p class=desc>Describes how to configure Istio for monitoring and access policies of HTTP egress traffic.</p></div></div></nav></article></main></body></html>