Overview

In some cases, one of your Istio-managed apps might need to communicate with services that are external to the service mesh. For example, your app might need to contact a public API or an on-prem database. If you installed Istio with the REGISTRY_ONLY option, communication is allowed only between services in the mesh. Communication to services outside the mesh is prohibited.

To allow services in the mesh to talk to services outside the mesh, you can leverage Gloo ExternalService and ExternalEndpoint custom resources to securely expose external endpoints. Gloo Mesh Enterprise translates these resources into an Istio ServiceEntry. Similar to virtual destinations, you can choose to assign a unique internal hostname to your external endpoint that your services in the service mesh use to send requests to.

To learn how to set up routing to external services, see Route to external services.

For more information about external services and external endpoints, see the following resources:

About external services and external endpoints

ExternalService and ExternalEndpoint resources are used to make non-mesh or external services known to the services in the mesh. These external services can refer to a service outside the mesh but still within the cluster environment or to an external service that runs outside the cluster environment.

To understand when to use these ExternalService and ExternalEndpoint resources, let’s consider an example where a service in the mesh wants to connect to an external, on-prem database that is spread across multiple data centers. Each database instance is assigned a static IP address or hostname that you can use to connect to the instance. You have the option to create an ExternalService resource and include the IP addresses, CIDR range, or hostnames to reach the database instances. Services in the mesh can now route traffic to these database instances by using the IP or hostname of the database instances directly. You also have the option to apply traffic policies to the ExternalService resource to control and manipulate the traffic before it is forwarded to these endpoints.

Using ExternalService resources is a good approach, but how do you make sure that your services in your service mesh are aware of all the external endpoints that you created, and that requests to these endpoints are load balanced accordingly? Maybe, you even want requests from your service mesh to be routed to the closest external endpoint by default. You can solve these problems by using the ExternalService and ExternalEndpoint custom resources together.

An ExternalEndpoint creates an internal DNS entry or IP address that behaves similarly to setting a CNAME or A record in your DNS provider. Instead of updating the services in the mesh with all of the IP addresses or hostnames for each external endpoint, the services can use the internal hostname or IP address to communicate with these endpoints directly.

For more information, see the Routing examples for external services.

Allow or block all egress traffic

When you install Istio in your cluster, your service mesh is configured with the ALLOW_ANY outbound traffic policy by default. This option permits all egress traffic for all services in the service mesh so that services can communicate with services that are not in the mesh, including external endpoints.

If the outbound traffic policy is set to REGISTRY_ONLY, the Istio proxy blocks traffic to services that are not part of the mesh or are hosted outside the cluster, such as a public web server. To make non-mesh or external endpoints reachable by a service in the mesh, you set up ExternalService and ExternalEndpoint custom resources for these endpoints. Note that the REGISTRY_ONLY traffic policy blocks only traffic to hosts and can be bypassed if traffic is sent to an IP address instead.

To control egress traffic in your service mesh, it is recommended to set up an egress gateway that all egress traffic for an ExternalService is routed through. By also applying access policies to the ExternalService resource, you can ensure that only certain services in your mesh can send a request to the external endpoint.

Perform TLS origination with egress gateways

You can use an egress gateway to originate TLS connections and secure the connection to the external endpoint.

When a client request is sent to an external endpoint, the client’s sidecar proxy intercepts this request and securely connects to the egress gateway via mutual TLS. The egress gateway then terminates the incoming TLS connection. To protect the connection from the egress gateway to the external service, you can choose to originate a new TLS connection at the gateway and encrypt the client request before it is sent to the external endpoint.

For more information, see Route all egress traffic through an egress gateway.

Routing examples for external services

Review the following routing examples to learn more about how you can leverage ExternalService and ExternalEndpoint custom resources in your service mesh.

Route to an IP or hostname directly

The following diagram shows how you can use an external service resource to route traffic to an endpoint that is located outside your service mesh by using the endpoint’s IP address, CIDR range, or hostname. To communicate with the external endpoint, the service in the mesh must know the IP address or hostname of the external endpoint that it wants to reach. No load balancing between external endpoints is provided. If the IP address or hostname of a database instance changes, you must update these values in the external service custom resource.

Figure: Routing to external services based on locality

Route to an external endpoint by using the internal DNS name

The following diagram shows how you can leverage an external endpoint and external service resources together to set up an internal hostname for your database instances. If a service in the mesh wants to communicate with any of the database instances, a request is sent to the internal hostname. Services in the mesh do not need to be aware of the IP address or hostname of each individual instance. With this approach, traffic to the database instances is automatically load balanced.

Figure: Routing to external services with internal hostname

Route all egress traffic through an egress gateway

Instead of sending traffic from a service in the mesh to an external endpoint directly, you can route all egress traffic through an egress gateway as shown in the following diagram. Because the egress gateway is part of the service mesh, the request between the client and the egress gateway is secured via mTLS. You must make sure that your client app makes the request to the external service by using the HTTP protocol. Then, the client’s sidecar proxy encrypts the request via TLS and sends the request to the egress gateway. The egress gateway terminates the TLC connection and originates a new TLS connection with the target destination.

Figure: Routing to external services with an egress gateway
Figure: Routing to external services with an egress gateway

Apply overlapping external service configuration

In some cases, you might have overlapping configuration across multiple external service resources. Gloo Mesh Enterprise validates the addresses that you specify in each external service, and does not translate an external service that defines the same address as an external service that already exists in your Gloo environment. However, you can apply external services that define the same address in different workspaces, if the workspaces do not import or export the external service resources between them. For example, you might represent the same database with the same address by applying an external service in a staging workspace and by applying an external service in a prod workspace. Because you do not import or export the external service resources between these two workspaces, the external service resources can be safely applied.