GKE Cloud Service Mesh: How to allow outbound traffic to a specific IP address?
Problem
Recently, I have been working on a project that requires a GKE service to communicate with services external to the cluster.
Following best practices, we have configured the outbound traffic policy mode to “REGISTRY_ONLY”. This mode allows outbound traffic only to external hosts that are explicitly registered through Service Entries.
Configuring Service Entries for external domain names was very simple. However, we ran into an issue where the GKE service was unable to communicate with external services that are addressed by a specific IP address rather than a domain name.
Solution
To allow outbound traffic to a specific IP address, you need to create a Service Entry with the IP address and port number of the external service.
Initially, we got this working in clusters with the Istiod implementation.
Here is an example of a Service Entry that allows outbound traffic to a specific IP address, for the Istiod implementation:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: allow-metadata-traffic
  namespace: gitlab-runner
spec:
  hosts:
    - not.used
  addresses:
    - 169.254.169.254
  ports:
    - number: 80
      name: tcp
      protocol: tcp
  location: MESH_EXTERNAL
  resolution: STATIC
  endpoints:
    - address: 169.254.169.254
However, new GKE clusters use the Traffic Director implementation by default instead of Istiod.
While the above Service Entry works for Istiod, it does not work for Traffic Director; instead, you need to change the resolution from STATIC to NONE (and drop the endpoints list, which only applies to STATIC resolution).
Here is an example of a Service Entry that allows outbound traffic to a specific IP address, for the Traffic Director implementation:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google-metadata-server
  namespace: lucia
spec:
  hosts:
    - not.used
  addresses:
    - 169.254.169.254
  ports:
    - number: 80
      name: http
      protocol: HTTP
  location: MESH_EXTERNAL
  resolution: NONE
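The difference between the two manifests is easy to miss in review, so the following is an added example (not code from the original post or from Istio/Cloud Service Mesh) of a small lint that encodes the post's observation: an address-based Service Entry with resolution STATIC (plus endpoints) works on Istiod, while the Traffic Director control plane needs resolution NONE. The implementation names "istiod" and "traffic-director" and the SUPPORTED_RESOLUTION table are assumptions of this example that only record what the post reports; the two manifests are the post's own, embedded as dicts so the script runs offline (load real files with yaml.safe_load() first). Because 169.254.169.254 is the instance metadata endpoint, a lint like this is also a convenient place to confirm that such an entry is scoped to the one namespace that needs it.

```python
from typing import Dict, List
import ipaddress

# Resolution modes each control plane accepted for an address-based entry,
# as observed in the post (assumption: this table records only those results).
SUPPORTED_RESOLUTION = {
    "istiod": {"STATIC", "NONE"},
    "traffic-director": {"NONE"},
}


def _is_ip_or_cidr(value: str) -> bool:
    """True for a literal IPv4/IPv6 address or CIDR block."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def lint_service_entry(manifest: Dict, implementation: str) -> List[str]:
    """Return a list of problems with the entry; an empty list means it passes."""
    if implementation not in SUPPORTED_RESOLUTION:
        raise ValueError(f"unknown implementation {implementation!r}")
    if manifest.get("kind") != "ServiceEntry":
        return [f"kind is {manifest.get('kind')!r}, expected ServiceEntry"]

    problems: List[str] = []
    spec = manifest.get("spec") or {}

    # hosts is mandatory even for IP-only entries (a placeholder such as not.used is fine)
    if not spec.get("hosts"):
        problems.append("spec.hosts must list at least one host")

    for addr in spec.get("addresses") or []:
        if not _is_ip_or_cidr(addr):
            problems.append(f"spec.addresses entry {addr!r} is not an IP address or CIDR")

    for port in spec.get("ports") or []:
        number = port.get("number")
        if not isinstance(number, int) or not 1 <= number <= 65535:
            problems.append(f"port number {number!r} is not in 1-65535")
        if not port.get("name"):
            problems.append(f"port {number!r} has no name")
        if not port.get("protocol"):
            problems.append(f"port {number!r} has no protocol")

    # Istio treats a missing resolution as NONE
    resolution = spec.get("resolution", "NONE")
    allowed = SUPPORTED_RESOLUTION[implementation]
    if resolution not in allowed:
        problems.append(
            f"resolution {resolution} did not work on {implementation}; use one of {sorted(allowed)}"
        )

    endpoints = spec.get("endpoints") or []
    if resolution == "STATIC":
        if not endpoints:
            problems.append("resolution STATIC requires spec.endpoints")
        for ep in endpoints:
            if not _is_ip_or_cidr(ep.get("address", "")):
                problems.append(f"STATIC endpoint {ep.get('address')!r} must be an IP address")
    return problems


# The two manifests from the post, written as dicts.
ISTIOD_ENTRY = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "ServiceEntry",
    "metadata": {"name": "allow-metadata-traffic", "namespace": "gitlab-runner"},
    "spec": {
        "hosts": ["not.used"],
        "addresses": ["169.254.169.254"],
        "ports": [{"number": 80, "name": "tcp", "protocol": "tcp"}],
        "location": "MESH_EXTERNAL",
        "resolution": "STATIC",
        "endpoints": [{"address": "169.254.169.254"}],
    },
}

TRAFFIC_DIRECTOR_ENTRY = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "ServiceEntry",
    "metadata": {"name": "google-metadata-server", "namespace": "lucia"},
    "spec": {
        "hosts": ["not.used"],
        "addresses": ["169.254.169.254"],
        "ports": [{"number": 80, "name": "http", "protocol": "HTTP"}],
        "location": "MESH_EXTERNAL",
        "resolution": "NONE",
    },
}

if __name__ == "__main__":
    for label, entry in (("istiod", ISTIOD_ENTRY), ("traffic-director", TRAFFIC_DIRECTOR_ENTRY)):
        for impl in SUPPORTED_RESOLUTION:
            print(f"{label} manifest on {impl}: {lint_service_entry(entry, impl) or 'OK'}")
```

Running the script shows the Istiod manifest passing on "istiod" but flagged on "traffic-director" because of its STATIC resolution, while the NONE-based manifest passes on both.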
Hope it helps!