Block egress traffic with an egress gateway
Use an egress gateway to allow egress traffic to external endpoints for only certain services in the mesh.
Route all egress traffic for an external service through an egress gateway and ensure that only certain services in the mesh can send requests to the external endpoint that it serves. All other services in the mesh are blocked from sending requests to the external endpoint. You can also use the egress traffic to perform TLS origination and secure the connection to the external endpoint. For more information, see Perform TLS origination with egress gateways.
Blocking egress traffic with an egress gateway and access policies works only if clients send traffic to the egress gateway through the client’s sidecar proxy. If the sidecar proxy is bypassed, requests to an external endpoint might still be allowed, which can be a risk for malicious attacks. To make sure that no egress traffic is allowed, even if the client’s sidecar proxy is bypassed, create a network policy that blocks all egress traffic in addition to setting up an egress gateway. You can further reduce the surface for malicious attacks by deploying the egress gateway to a dedicated node. Also note that you cannot apply other policies, such as outlier detection or active healthchecks, to the egress gateway.
Before you begin
Set the names of your clusters from your infrastructure provider. If your clusters have different names, specify those names instead.
- Save the kubeconfig contexts for your clusters. Run
kubectl config get-contexts
, look for your cluster in theCLUSTER
column, and get the context name in theNAME
column. Note: Do not use context names with underscores. The generated certificate that connects workload clusters to the management cluster uses the context name as a SAN specification, and underscores in SAN are not FQDN compliant. You can rename a context by runningkubectl config rename-context "<oldcontext>" <newcontext>
. Decide on the outbound traffic policy for your service mesh. In minimal Istio installations, such as if you followed the steps to install Istio with the Gloo Operator, the outbound traffic policy for your service mesh is typically set to
ALLOW_ANY
by default and allows your services in the mesh to reach any external endpoint. You can change this setting and instead block all egress traffic to hosts that are not part of your service mesh by changing the outbound traffic policy toREGISTRY_ONLY
as shown in the following steps. Note that if you manually installed Istio, follow the steps in Upgrade Istio to update that setting.- Open the
gm-istiod-values.yaml
file that you used to create the istiod control plane. - Change the
outboundTrafficPolicy
field toREGISTRY_ONLY
. - Apply your changes by using the following command.
- Open the
Review Supported versions to choose the Solo distribution of Istio that you want to use, and save the version information in the following environment variables.
REPO
: The repo key for the Solo distribution of Istio that you can get by logging in to the Support Center and reviewing the Istio images built by Solo.io support article.ISTIO_IMAGE
: The version that you want to use with thesolo
tag, such as1.25.2-solo
. You can optionally append other tags of Solo distributions of Istio as needed.REVISION
: Take the Istio major and minor versions and replace the periods with hyphens, such as1-25
.
You can optionally deploy a revisionless installation. Revisionless installations permit in-place upgrades, which are quicker than the canary-based upgrades that revisioned installations require. To omit a revision, do not set a revision environment variable. Then in the following sections, you edit the sampleIstioLifecycleManager
andGatewayLifecycleManager
files that you download to remove therevision
andgatewayRevision
fields. Note that if you deploy multiple Istio installations in the same cluster, only one installation can be revisionless.
Istio 1.21: In Istio 1.21, the VERIFY_CERTIFICATE_AT_CLIENT
feature flag is set to true by default to automatically verify server certificates by using the OS CA certificates on the cluster node.
Block egress traffic with an egress gateway
Prepare a
GatewayLifecycleManager
to deploy an egress gateway.Download the
gm-egress-gateway.yaml
example file.Update the example file with the environment variables that you previously set, and optionally further edit the file to provide your own details. Save the updated file as
gm-egress-gateway-values.yaml
. For more information, see the API reference.- Tip: Instead of updating the file manually, try running a terminal command to substitute values, such as the following command.
- Tip: Instead of updating the file manually, try running a terminal command to substitute values, such as the following command.
Apply the
GatewayLifecycleManager
resource to your management cluster.Verify that the egress gateway is deployed in your workload clusters.
Log in to the reviews app and verify that you cannot reach
www.google.com
.Example output:
Create the
global
namespace in one of your workload clusters.Create a virtual gateway resource to configure your egress gateway going forward.
Setting Description spec.listeners.exposedExternalServices.host
Select the external services that you want to serve on this egress gateway. To select the external services, you define the hostname that must be configured in the external service. spec.listeners.port
Enter the port number that services in the mesh use in combination with the host
to send a request to the egress gateway.spec.listeners.tls
Select the TLS mode that you want to use to connect to the egress gateway from within the mesh. In this example, requests for the www.google.com
host are rerouted to the egress gateway first by using mutual TLS. The incoming TLS connection is terminated at the egress gateway.Create an external service for
www.google.com
.Setting Description spec.hosts
Enter the external hostname that you want to allow access to for services in the mesh. spec.ports.clientsideTls
Allow TLS origination to the www.google.com
endpoint.spec.ports.egressGatewayRoutes.virtualGatewayRefs
Enter the details for your egress gateway. Make sure to enter the egress gateway details for both of your workload clusters. spec.ports.egressGatewayRoutes.portMatch
Select the port that clients use when sending a request to the external endpoint. Note that this port does not represent the port that the client’s sidecar proxy uses to connect to the egress gateway. Instead, make sure to enter the source port that is used in the original client request. spec.ports.name
Enter the port number that you want to use to connect to the external endpoint. When a client request is sent to the gateway, the client’s sidecar proxy intercepts this traffic and securely connects to the egress gateway via mutual TLS. The egress gateway then terminates the incoming TLS connection. Because this example defines an HTTPS port, a new TLS connection is originated at the egress gateway to securely connect to the www.google.com
external endpoint.Verify that you can access
www.google.com
from the reviews app.Example output:
Verify that traffic was routed through the egress gateway by looking at the egress gateway logs.
Example output:
Get the virtual service that was created for your external service and make sure that it lists port 443 for the
www.google.com
destination. This setting ensures the egress gateway originates a new TLS connection before connecting towww.google.com
.Example output:
Create an access policy for your external service to allow only the product page app to access the
www.google.com
external endpoint.Send a request to
www.google.com
from the reviews app and verify that this request is denied with a 403 HTTP response code.Example output:
Send another request to
www.google.com
from the product page app and verify that this request is accepted.Example output: