Route to external services

After you configure your route table, you can use it to forward requests to services or resources that are external to the service mesh.

In some cases, one of your Istio-managed apps might need to communicate with services that are external to the service mesh. For example, your app might need to contact a public API or an on-prem database. To route requests to services that are external to your service mesh, you assign a unique internal hostname to your external endpoint that your in-mesh services use to send requests to.

In this guide, you create Gloo Mesh ExternalEndpoint and ExternalService resources. Gloo Mesh translates these resources into an Istio ServiceEntry.

• Because external endpoints cannot be automatically discovered by Gloo Mesh, you create a Gloo Mesh ExternalEndpoint resource to specify the hostname or IP address, the port, and the protocol of the external endpoint that you want to reach.
• Then, you create a Gloo Mesh ExternalService resource to expose all of the external endpoints under a unique internal hostname.

For more information, see the following resources:

• Routing to external services concept doc
• Gloo Mesh API docs for ExternalEndpoint
• Gloo Mesh API docs for ExternalService

Before you begin

1. Complete the multicluster getting started guide to set up the following testing environment.
   • Three clusters along with environment variables for the clusters and their Kubernetes contexts.
   • The Gloo Platform CLI, meshctl, along with other CLI tools such as kubectl and istioctl.
   • The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
   • Istio installed in the workload clusters.
   • A simple Gloo workspace setup.
2. Install Bookinfo and other sample apps.
3. Follow the other guides in this routing section to plan your routing table setup. For example, you might check out the path matching guide to decide how to match the incoming requests to your service paths, the redirect guide to set up any path or host rewrites, or the sub-table delegation guide to nest and sort multiple route tables. Note: Be sure that each route for one host is unique, such as by using prefix matching to determine which requests to the host should be forwarded to which destinations.

Route to external services

1. Get the address and ports that your external resource listens on. For example, the address might be a static IP address or a registered URL.

2. Create an external endpoint for each address and an external service. The external endpoint represents the server or service outside of your service mesh that you want to reach. By using a Gloo Mesh external service, you can then assign a unique hostname to this external endpoint that services in your mesh can use to send requests. You can also use this service to route incoming requests from your ingress gateway directly to your external endpoint.

   • Static IP address
   • Registered hostname

   1. Use the address and ports to create an external endpoint resource. In these examples, two external endpoints are created for two static IP addresses that an on-prem database is exposed by.

      kubectl apply --context $REMOTE_CONTEXT1 -f- <<EOF
      apiVersion: networking.gloo.solo.io/v2
      kind: ExternalEndpoint
      metadata:
        name: db1-external-endpoint
        namespace: global
        labels:
          # Label that the external service will select
          external-endpoint: db
      spec:
        # Static IP address for on-prem service 1
        address: 123.45.67.8
        ports:
          - name: myport
            number: 9080
      EOF
       
      kubectl apply --context $REMOTE_CONTEXT1 -f- <<EOF
      apiVersion: networking.gloo.solo.io/v2
      kind: ExternalEndpoint
      metadata:
        name: db2-external-endpoint
        namespace: global
        labels:
          # Label that the external service will select
          external-endpoint: db
      spec:
        # Static IP address for on-prem service 2
        address: 123.45.67.9
        ports:
          - name: myport
            number: 9080
      EOF
      

   2. Create an external service resource to expose the external endpoint inside your mesh. In this example, you select all endpoints with the external-endpoint: db label. Note that the hosts field is not required to match the address that you specified in the external endpoint, because this host is an internal address that is used only by the gateways and services within your service mesh.

      kubectl apply --context $REMOTE_CONTEXT1 -f- <<EOF
      apiVersion: networking.gloo.solo.io/v2
      kind: ExternalService
      metadata:
        name: db-external-service
        namespace: global
      spec:
        hosts:
        # Arbitrary, internal-only hostname assigned to the endpoint
        - "my-remote-db.com"
        ports:
        - name: http
          number: 80
          protocol: HTTP
          targetPort:
            number: 9080
        selector:
          # Selects the endpoint label
          external-endpoint: db
       EOF
      

   1. Use the address and ports to create an external endpoint resource. In this example, the external endpoint can be reached by using the httpbin.org address, and the ports 80 and 443.

      kubectl apply --context $REMOTE_CONTEXT1 -f- <<EOF
      apiVersion: networking.gloo.solo.io/v2
      kind: ExternalEndpoint
      metadata:
        name: httpbin-external-endpoint
        namespace: global
        labels:
          # Label that the external service will select
          external-endpoint: httpbin
      spec:
        # Registered URL for external service
        address: httpbin.org
        ports:
          - name: http
            number: 80
          - name: https
            number: 443
      EOF
      

   2. Create an external service resource to expose the external endpoint inside your mesh. In this example, you select all external endpoints with the external-endpoint: httpbin label. Note that the hosts field is not required to match the address that you specified in the external endpoint, because this host is an internal address that is used only by the gateways and services within your service mesh.

      kubectl apply --context $REMOTE_CONTEXT1 -f- <<EOF
      apiVersion: networking.gloo.solo.io/v2
      kind: ExternalService
      metadata:
        name: httpbin-external-service
        namespace: global
      spec:
        hosts:
        # Arbitrary, internal-only hostname assigned to the endpoint
        - "my-remote-svc.com"
        ports:
        - name: http
          number: 80
          protocol: HTTP
        selector:
          # Selects the endpoint label
          external-endpoint: httpbin
       EOF
      

3. Create a route table to route requests to the external service.

   • Static IP address
   • Registered hostname

   In this example route table, all requests to the /db/ path are routed to the endpoints that back the db-external-service.

   kubectl apply --context $REMOTE_CONTEXT1 -n global -f- <<EOF
   apiVersion: networking.gloo.solo.io/v2
   kind: RouteTable
   metadata:
     name: db-routes
     namespace: global
   spec:
     # Applies to the external service hostname
     hosts:
       - my-remote-db.com
     http:
       # Route for the db-external-service
       - name: db-app
         # Prefix matching
         matchers:
         - uri:
             prefix: /db/
         # Forwarding directive
         forwardTo:
           destinations:
           # Reference to the external service exposing your external endpoints
           - ref:
               name: db-external-service
             kind: EXTERNAL_SERVICE
           pathRewrite: /
   EOF
   

   In this example route table, all requests to the /httpbin/ path are routed to the endpoints that back the httpbin-external-service.

   kubectl apply --context $REMOTE_CONTEXT1 -n global -f- <<EOF
   apiVersion: networking.gloo.solo.io/v2
   kind: RouteTable
   metadata:
     name: httpbin-routes
     namespace: global
   spec:
     # Applies to the external service hostname
     hosts:
       - my-remote-svc.com
     http:
       # Route for the httpbin-external-service
       - name: httpbin-app
         # Prefix matching
         matchers:
         - uri:
             prefix: /httpbin/
         # Forwarding directive
         forwardTo:
           destinations:
           # Reference to the external service exposing your external endpoints
           - ref:
               name: httpbin-external-service
             kind: EXTERNAL_SERVICE
           pathRewrite: /
   EOF
   

4. Test the route to your external resource from one of the apps in your service mesh. For example, log in to an initiator app in your mesh and run nslookup my-remote-db.com/db or nslookup my-remote-svc.com/httpbin to verify that the external resource is reachable through the external service hostname. Or, if you can access an app in your service mesh externally, you can curl the ingress gateway address and the path for your initiator app, and verify that information from the external resource is being successfully returned.

Next steps

• If you haven't already, follow the other guides in the routing section to plan your routing table setup. For example, you might check out the prefix matching guide to decide how to match the incoming requests to your service paths, the redirect guide to set up any path or prefix rewrites, or the sub-table delegation guide to nest and sort multiple route tables.
• Configure additional route settings, such as weighted routing to version subsets or adding and removing headers.
• Apply a policy to your service or route. For example, you might set a connection policy to keep alive connections that the load balancer in your infrastructure provider might otherwise periodically close.