GKE Cloud Service Mesh: How to allow outbound traffic to a specific IP address?

Problem

Recently, I have been working on a project that requires a GKE service to communicate with external services to the cluster.

Following best practices, we have configured the outbound traffic policy mode to “REGISTRY_ONLY”. This mode allows outbound traffic only to external hosts configured by Service Entries.

Configuring Service Entries for external domain names was straightforward. However, we ran into a problem when the GKE service needed to reach external services by a specific IP address rather than by a domain name.

Solution

To allow outbound traffic to a specific IP address, you need to create a Service Entry with the IP address and port number of the external service.

Initially, we got this working in clusters that use the Istiod (in-cluster control plane) implementation.

Here is an example of a Service Entry that allows outbound traffic to a specific IP address, for the Istiod implementation:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: allow-metadata-traffic
  namespace: gitlab-runner
spec:
  hosts:
    - not.used
  addresses:
    - 169.254.169.254
  ports:
    - number: 80
      name: tcp
      protocol: TCP
  location: MESH_EXTERNAL
  resolution: STATIC
  endpoints:
    - address: 169.254.169.254

However, new GKE clusters use the Traffic Director (Google-managed control plane) implementation by default instead of Istiod.

While the above Service Entry works for Istiod, it does not work for Traffic Director; there you need to change the resolution from STATIC to NONE (and drop the endpoints list, which only applies to STATIC resolution).

Here is an example of a Service Entry that allows outbound traffic to a specific IP address, for the Traffic Director implementation:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google-metadata-server
  namespace: lucia
spec:
  hosts:
    - not.used
  addresses:
    - 169.254.169.254
  ports:
    - number: 80
      name: http
      protocol: HTTP
  location: MESH_EXTERNAL
  resolution: NONE
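Because a Service Entry under REGISTRY_ONLY is effectively an egress allowlist entry, it is worth checking each one before applying it: that it is scoped to a single address, that the protocol is one Istio understands, and that the resolution mode matches the control plane the cluster actually runs. The following Python check is an added example written for this post, not code from the post, Istio or Google; it takes the manifests as Python dict literals (instead of parsing YAML) so it runs on the standard library alone, and the control-plane labels "istiod" and "traffic-director" are names chosen here, not Istio API values.

```python
import ipaddress

# Port protocols a ServiceEntry accepts; Istio matches them case-insensitively.
ALLOWED_PROTOCOLS = {"HTTP", "HTTPS", "GRPC", "GRPC-WEB", "HTTP2", "MONGO", "TCP", "TLS"}

# Resolution mode that worked per control-plane implementation in the post.
# The keys are labels chosen for this example, not Istio API values.
EXPECTED_RESOLUTION = {"istiod": "STATIC", "traffic-director": "NONE"}


def lint_service_entry(se: dict, control_plane: str) -> list:
    """Return a list of findings for an IP-based egress ServiceEntry.

    An empty list means the entry looks like the working examples above:
    MESH_EXTERNAL, single-host addresses, a known protocol, and a resolution
    mode matching the control plane in use.
    """
    findings = []
    spec = se.get("spec", {})
    name = se.get("metadata", {}).get("name", "<unnamed>")

    if se.get("kind") != "ServiceEntry":
        findings.append(f"{name}: kind must be ServiceEntry")
    if spec.get("location") != "MESH_EXTERNAL":
        findings.append(f"{name}: external destinations need location MESH_EXTERNAL")
    if not spec.get("hosts"):
        findings.append(f"{name}: hosts must not be empty (a placeholder such as not.used is fine)")

    addresses = spec.get("addresses") or []
    if not addresses:
        findings.append(f"{name}: addresses is empty, so traffic sent to a raw IP cannot match this entry")
    for addr in addresses:
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append(f"{name}: address {addr!r} is not an IP address or CIDR")
            continue
        # An allowlist entry should name exactly the host it permits, not a range.
        if net.num_addresses > 1:
            findings.append(f"{name}: address {addr} covers {net.num_addresses} hosts; use a single IP")

    for port in spec.get("ports") or []:
        proto = str(port.get("protocol", "")).upper()
        if proto not in ALLOWED_PROTOCOLS:
            findings.append(f"{name}: port {port.get('number')} has unknown protocol {port.get('protocol')!r}")

    resolution = spec.get("resolution")
    expected = EXPECTED_RESOLUTION.get(control_plane)
    if expected is None:
        findings.append(f"{name}: unknown control plane label {control_plane!r}")
    elif resolution != expected:
        findings.append(f"{name}: {control_plane} needs resolution {expected}, found {resolution}")

    endpoints = spec.get("endpoints") or []
    if resolution == "STATIC":
        # With STATIC resolution the proxy forwards to the listed endpoints, so an
        # endpoint outside the allowed addresses would widen the allowlist.
        if not endpoints:
            findings.append(f"{name}: STATIC resolution needs an endpoints list")
        for ep in endpoints:
            if ep.get("address") not in addresses:
                findings.append(f"{name}: endpoint {ep.get('address')} is not in addresses")
    elif resolution == "NONE" and endpoints:
        findings.append(f"{name}: resolution NONE does not take endpoints")
    return findings


# Constructed inputs: the two manifests from the post as dict literals.
ISTIOD_ENTRY = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "ServiceEntry",
    "metadata": {"name": "allow-metadata-traffic", "namespace": "gitlab-runner"},
    "spec": {"hosts": ["not.used"], "addresses": ["169.254.169.254"],
             "ports": [{"number": 80, "name": "tcp", "protocol": "TCP"}],
             "location": "MESH_EXTERNAL", "resolution": "STATIC",
             "endpoints": [{"address": "169.254.169.254"}]},
}
TRAFFIC_DIRECTOR_ENTRY = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "ServiceEntry",
    "metadata": {"name": "google-metadata-server", "namespace": "lucia"},
    "spec": {"hosts": ["not.used"], "addresses": ["169.254.169.254"],
             "ports": [{"number": 80, "name": "http", "protocol": "HTTP"}],
             "location": "MESH_EXTERNAL", "resolution": "NONE"},
}
# Constructed bad entry: a /8 range instead of one host.
BROAD_ENTRY = {
    "kind": "ServiceEntry", "metadata": {"name": "too-broad"},
    "spec": {"hosts": ["not.used"], "addresses": ["10.0.0.0/8"],
             "ports": [{"number": 443, "name": "tls", "protocol": "TLS"}],
             "location": "MESH_EXTERNAL", "resolution": "NONE"},
}

if __name__ == "__main__":
    for entry, cp in [(ISTIOD_ENTRY, "istiod"), (ISTIOD_ENTRY, "traffic-director"),
                      (TRAFFIC_DIRECTOR_ENTRY, "traffic-director"), (BROAD_ENTRY, "traffic-director")]:
        print(cp, entry["metadata"]["name"], lint_service_entry(entry, cp) or "OK")
```

Running the Istiod manifest against the "traffic-director" label reproduces the mismatch described above (STATIC where NONE is required), while the same manifest passes under "istiod"; the /8 entry is flagged because it would allow egress to far more than the single metadata address.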

Hope it helps!
