Routing to external services
You can configure your gateway to route incoming requests directly to a hostname or IP address that is located outside your cluster by using ExternalService custom resources. For example, you might want your gateway to serve endpoints in both a Kubernetes or OpenShift cluster and in your on-prem data center. Because external endpoints cannot be automatically discovered by Gloo Gateway, you create an ExternalService resource. ExternalService resources set up service entries that the gateway uses to determine the routing rules to the external endpoint.
The following diagram shows how you can use an ExternalService custom resource to route traffic to an external endpoint by using the endpoint's IP address, CIDR range, or hostname.
To learn how to set up routing to external services, see Route to external services.
Considerations
Keep the following considerations in mind when you use an ExternalService custom resource to route traffic to an external endpoint:
- Gloo Gateway uses plaintext to route the request to your external endpoint. To secure communications with mTLS instead, consider using Gloo Mesh Enterprise alongside Gloo Gateway. With Gloo Mesh, you can onboard external endpoints, such as VMs, to an Istio service mesh and secure connections via mTLS. Additionally, you can route to external services from other apps within your service mesh.
- To allow routing to an endpoint that is located outside your cluster, make sure that you allow the IP addresses, CIDR ranges, and hostnames in your company's firewall and the cluster's networking policies.
- Want to route to a serverless function? Try out the Gloo CloudProvider instead of an ExternalService custom resource. For more information, see AWS Lambda in the Gloo Gateway docs.
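The following Kubernetes NetworkPolicy is an added example, not part of the Gloo Gateway docs, of the cluster-side allow rule that the second consideration calls for. The namespace, pod label, CIDR range, and port are assumptions that you replace with your own values.

```yaml
# Added example. Namespace, labels, CIDR and port are assumptions, not Gloo defaults.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gateway-egress-external-endpoint
  namespace: gloo-mesh-gateways        # assumed namespace of the gateway pods
spec:
  podSelector:
    matchLabels:
      app: istio-ingressgateway        # assumed label on the gateway pods
  policyTypes:
    - Egress
  egress:
    # The external endpoint: only this range, only this port.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24       # constructed (RFC 5737 documentation range)
      ports:
        - protocol: TCP
          port: 8080                   # constructed port of the external endpoint
    # Cluster DNS, needed when the ExternalService is addressed by hostname.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicy ipBlock rules match IP ranges only, so an endpoint that is addressed by hostname must be allowed by the addresses that it resolves to. Because a policy that selects the gateway pods for Egress denies all of their other outbound traffic, connections to in-cluster backends and the control plane need their own allow rules.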
Applying overlapping external service configuration
In some cases, you might have overlapping configuration across multiple external service resources. Gloo Gateway validates the addresses that you specify in each external service, and does not translate an external service that defines the same address as an external service that already exists in your Gloo Gateway environment. However, you can apply external services that define the same address in different workspaces, if the workspaces do not import or export the external service resources between them. For example, you might represent the same database with the same address by applying an external service in a staging workspace and by applying an external service in a prod workspace. Because you do not import or export the external service resources between these two workspaces, the external service resources can be safely applied.