Istio 101: Allowing outbound traffic out of Istio's mesh


By default, Istio allows all traffic going out of the service mesh.

All traffic goes through the Envoy proxy, the default service proxy for Istio.

We could stop traffic leaving the Istio mesh at the proxy level. To do that, we change Istio's outgoing traffic setting from ALLOW_ANY to REGISTRY_ONLY, which only allows traffic to destinations that are listed in the service registry.


We use an Istio resource called a ServiceEntry to register services within Istio. The registry contains all the services that are available in the mesh.

For our services to be able to connect to services outside Istio's mesh, those outside services have to be in the service registry.

The ServiceEntry resource is the way to register a service in the registry as we can see below:


The above YAML file for our ServiceEntry "service1" tells Istio to add the service to the registry's list, so that client applications inside Istio's mesh can connect to the host "service1.example.com".
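The two settings described above, side by side, as an added example that is not the author's original file: the mesh-wide REGISTRY_ONLY policy and a ServiceEntry for "service1.example.com". The namespace, port, protocol, resolution and exportTo values are assumptions chosen for illustration.

```yaml
# Added example; values marked "assumed" are not from the original post.

# 1) Mesh-wide egress policy, applied at install time through IstioOperator.
#    ALLOW_ANY (the default) lets sidecars pass traffic to unknown hosts.
#    REGISTRY_ONLY makes Envoy refuse any destination that is not in the
#    service registry.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
---
# 2) Registry entry for the one external host the workloads may reach.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: service1
  namespace: default          # assumed namespace
spec:
  hosts:
  - service1.example.com      # host named in the post
  location: MESH_EXTERNAL     # the service lives outside the mesh
  resolution: DNS             # assumed: sidecar resolves the host via DNS
  ports:
  - number: 443               # assumed port and protocol
    name: https
    protocol: HTTPS
  exportTo:
  - "."                       # assumed: visible only in this namespace,
                              # so other namespaces do not inherit the exception
```

With REGISTRY_ONLY in effect, requests to hosts that have no ServiceEntry appear in the sidecar access log against `BlackHoleCluster`, which is a quick way to confirm the policy is being enforced.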
