Routing to external services

With Gloo Gateway, you can securely expose external endpoints, such as an on-prem database, within your cluster environment by using Gloo ExternalService and ExternalEndpoint custom resources. Similar to virtual destinations, you can choose to assign a unique internal hostname or IP address to your external endpoint that Gloo Gateway or services in the cluster environment can use to send requests to.

To learn how to set up routing to external services, see Route to external services.

Want to route to a serverless function? Try out the Gloo CloudProvider instead of an ExternalService custom resource. For more information, see AWS Lambda in the Gloo Gateway docs.

How does it work?

Because external endpoints cannot be automatically discovered by Gloo Gateway, you can use Gloo ExternalService and ExternalEndpoint custom resources to expose external endpoints in your cluster.

Depending on your use case, you can choose between the following options:

Let's consider an example where you want to connect to an on-prem database that is spread across multiple data centers. Each instance is assigned a static IP address or hostname that you can use to connect to the instance. You have the option to create a Gloo ExternalService resource and to include the IP addresses, CIDR range, or hostnames of the database instances. When requests for these external endpoints reach the gateway proxy, the gateway can use the external service resource to connect to forward the request.

Using ExternalService resources is a good approach, but how do you make sure that your gateway is aware of all the external endpoints that you have and that requests to these endpoints are load balanced accordingly? Maybe, you even want incoming requests to be routed to the closest external endpoint by default. You can solve these problems by using the ExternalService and ExternalEndpoint custom resources together.

In this approach, you create an ExternalEndpoint resource for each of your database instances. The resource specifies the IP address, port, hostname, and protocol that must be used to connect to the database instance. Then, you use the ExternalService resource to assign a unique internal hostname or static IP address to all of the external endpoints that you created. Creating an internal hostname acts similar to a CNAME, whereas specifying an IP address is similar to defining an A record in your DNS provider. To route to one of the database instances, the ingress gateway simply forwards the request to the internal hostname or IP. The external service resource automatically load balances the request between the external endpoints that you defined. When combined with an outlier detection policy, the external service applies locality-based routing rules to the external endpoints.

To allow routing to an endpoint that is located outside your cluster, make sure that you allow the IP addresses, CIDR ranges, and hostnames in your company's firewall and the cluster's networking policies.

Gloo Gateway uses plaintext to route the request to your external endpoint. To secure communications with mTLS instead, consider using Gloo Mesh Enterprise alongside Gloo Gateway. With Gloo Mesh, you can onboard external endpoints, such as VMs, to an Istio service mesh and secure connections via mTLS. Additionally, you can route to external services from other apps within your service mesh.

Routing to an IP or hostname directly

The following diagram shows how you can use an ExternalService custom resource to route traffic to an external endpoint by using the endpoint's IP address, CIDR range, or hostname.

Routing to external services based on locality

Routing to external endpoints based on locality

The following diagram shows how a client sends a request to one of the on-prem database instances by using an externally-accessible hostname, such as Gloo Gateway then routes the request to the database.external:80 address that was defined in the external service. You can configure the external service to consider the external endpoint's locality before deciding what database instance receives the request by applying an outlier detection policy to it. Because the cluster and the on-prem data center are both located in Dallas, the request is routed to the database B instance in Dallas.

Figure: Routing to external services based on locality.

Routing to external endpoints in a failover scenario

In this diagram, database instance B became unavailable and cannot respond to any requests. Because an outlier detection and a failover policy are applied to the external service resource, Gloo is aware that the database instance is unresponsive. The request is automatically routed to database instance A.

Figure: Routing to external services in a failover scenario.

Applying overlapping external service configuration

In some cases, you might have overlapping configuration across multiple external service resources. Gloo Gateway validates the addresses that you specify in each external service, and does not translate an external service that defines the same address as an external service that already exists in your Gloo Gateway environment. However, you can apply external services that define the same address in different workspaces, if the workspaces do not import or export the external service resources between them. For example, you might represent the same database with the same address by applying an external service in a staging workspace and by applying an external service in a prod workspace. Because you do not import or export the external service resources between these two workspaces, the external service resources can be safely applied.