Istio: intercepting particular traffic

Sometimes traffic that a workload in the mesh sends to an external host needs to be intercepted and routed to an internal service instead.

HTTP to an internal service when accessing an external domain from inside the mesh

When a pod in the mesh accesses http://edition.cnn.com, the request should be redirected to the internal service hello.test-ns.svc.cluster.local.

  • Create a ServiceEntry resource that defines the external domain, so the sidecar has a host to attach routes to:

    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: redirect-cnn-to-internal
      namespace: test-ns
    spec:
      hosts:
      - edition.cnn.com
      ports:
      - number: 80
        name: http
        protocol: HTTP
      - number: 443
        name: https
        protocol: HTTPS
      resolution: NONE

    With resolution: NONE the sidecar forwards anything that is not rerouted by a VirtualService to the original destination IP. Only the plaintext port 80 traffic can be rewritten by an HTTP route; port 443 is opaque TLS from the proxy's point of view, so https://edition.cnn.com still reaches the real site.
  • Create a VirtualService that routes the traffic to the internal service:

    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: redirect-cnn-to-internal
      namespace: test-ns
    spec:
      gateways:
      - mesh
      hosts:
      - edition.cnn.com
      http:
      - name: all-traffic-to-internal-hello
        route:
        - destination:
            host: hello.test-ns.svc.cluster.local
            port:
              number: 80

    gateways: mesh binds the rule to every sidecar. Note that a ServiceEntry and a VirtualService are exported to all namespaces by default, so this override hijacks edition.cnn.com for the whole mesh, not just for test-ns; add exportTo: ["."] to both resources if the redirect should only apply inside test-ns.

You can also add a DestinationRule for the connect timeout of the target service:

    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: hello-test-ns-dr
      namespace: test-ns
    spec:
      host: hello.test-ns.svc.cluster.local
      trafficPolicy:
        connectionPool:
          tcp:
            connectTimeout: 1s

You can also inject faults, for example a 5 second delay for 1 out of every 1000 requests (percentage value 0.1 means 0.1 % of requests):

    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: hello-test-inject-fault
      namespace: test-ns
    spec:
      gateways:
      - mesh
      hosts:
      - edition.cnn.com
      http:
      - fault:
          delay:
            percentage:
              value: 0.1
            fixedDelay: 5s
        route:
        - destination:
            host: hello.test-ns.svc.cluster.local
            port:
              number: 80

Only one mesh-bound VirtualService per host is applied by the sidecars, so this resource conflicts with redirect-cnn-to-internal above (istioctl analyze reports the conflicting mesh gateway virtual service hosts). Either replace the first VirtualService with this one or put the fault block into the same http rule.
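The three pieces above (redirect, timeout, fault) merged into a single set of resources that do not conflict and are scoped to test-ns. This is an added example, not configuration from the original page; the resource names cnn-to-hello, the timeout and retry values, and the exportTo scoping are assumptions made here, and hello.test-ns.svc.cluster.local is the same internal service the page uses:

```yaml
# Added example (not from the original page). One ServiceEntry, one
# VirtualService and one DestinationRule for edition.cnn.com, all with
# exportTo: ["."] so the hijack is visible only to sidecars in test-ns.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cnn-to-hello            # assumed name
  namespace: test-ns
spec:
  exportTo:
  - "."                         # "." = this namespace only, default is "*"
  hosts:
  - edition.cnn.com
  ports:
  - number: 80
    name: http
    protocol: HTTP              # only plaintext HTTP can be rerouted by an http rule
  resolution: NONE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: cnn-to-hello            # assumed name
  namespace: test-ns
spec:
  exportTo:
  - "."
  gateways:
  - mesh                        # applies in the sidecars, not on an ingress gateway
  hosts:
  - edition.cnn.com
  http:
  - name: cnn-to-hello
    fault:                      # same fault as on the page: 5 s delay for 0.1 % of requests
      delay:
        percentage:
          value: 0.1
        fixedDelay: 5s
    timeout: 10s                # assumed; generous so the injected delay is not mistaken for a timeout
    retries:                    # assumed; retry only on connection-level failures, never on 5xx for
      attempts: 2               # non-idempotent requests
      perTryTimeout: 2s
      retryOn: connect-failure,refused-stream,gateway-error
    route:
    - destination:
        host: hello.test-ns.svc.cluster.local
        port:
          number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: cnn-to-hello            # assumed name
  namespace: test-ns
spec:
  exportTo:
  - "."
  host: hello.test-ns.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        connectTimeout: 1s
```

Apply it with kubectl apply -f and check with istioctl analyze -n test-ns that no conflicting VirtualService for edition.cnn.com remains; from a pod in test-ns, curl -s http://edition.cnn.com should now return the hello service's response, while the same request from a pod in another namespace still reaches the real site because of exportTo.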

You can also route traffic straight to an external service. First define the external ServiceEntry:

    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      name: google
      namespace: istio-system
    spec:
      hosts:
      - google.com
      location: MESH_EXTERNAL
      ports:
      - number: 443
        name: https
        protocol: TLS
      resolution: DNS

then a DestinationRule that originates TLS toward it. With mode: SIMPLE the proxy encrypts the hop to google.com; make sure it also verifies the origin certificate (set caCertificates in the tls block if your Istio version does not verify against the system CA bundle by default), otherwise the connection is encrypted but not authenticated:

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: google
      namespace: istio-system
    spec:
      host: "google.com"
      trafficPolicy:
        tls:
          mode: SIMPLE

Finally, in a VirtualService bound to your gateway, route the ingress traffic to the external host (only the route fragment is shown here):

    route:
    - destination:
        host: google.com
        port:
          number: 443
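The complete gateway-to-external-host path, as an added example that is not part of the original page. The gateway name external-proxy-gw, the public hostname proxy.example.com, the /search path restriction and the CA bundle path are assumptions; google.com and the SIMPLE TLS origination are the page's own:

```yaml
# Added example (not from the original page): ingress gateway receives plain
# HTTP for proxy.example.com and forwards a restricted path to google.com:443
# with TLS originated and verified by the gateway proxy.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: external-proxy-gw       # assumed name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway       # default Istio ingress gateway pod label
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - proxy.example.com         # assumed public hostname
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: google
  namespace: istio-system
spec:
  hosts:
  - google.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: proxy-to-google         # assumed name
  namespace: istio-system
spec:
  hosts:
  - proxy.example.com
  gateways:
  - istio-system/external-proxy-gw
  http:
  - match:
    - uri:
        prefix: /search         # assumed: do not turn the gateway into an open proxy
    rewrite:
      authority: google.com     # upstream expects its own Host header
    route:
    - destination:
        host: google.com
        port:
          number: 443
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: google
  namespace: istio-system
spec:
  host: google.com
  trafficPolicy:
    tls:
      mode: SIMPLE              # gateway originates TLS
      sni: google.com           # send the right SNI, not the gateway hostname
      caCertificates: /etc/ssl/certs/ca-certificates.crt   # assumed bundle path in the proxy image
```

Without the match block every request arriving at proxy.example.com would be relayed to google.com, which makes the gateway an open proxy to whatever host the ServiceEntry names; keep the path restriction, or add an AuthorizationPolicy on the gateway if callers must be authenticated.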

Fixing AWS IMDSv2 403 failures in EKS pods

IMDSv2 refuses to issue a session token to any request that carries an X-Forwarded-For header. When the sidecar treats traffic to 169.254.169.254 as HTTP it adds that header, so the PUT for the token comes back 403. Declaring the metadata endpoint as a TCP service makes the proxy pass the bytes through untouched. Opening IMDS to pods also lets any compromised container use the node's IAM role, so scope this entry with exportTo to the namespaces that need it, and prefer IRSA plus a metadata hop limit of 1 for pods that do not.

    ---
    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      name: aws-metadata
      namespace: istio-system
    spec:
      hosts:
      - aws.metadata.internal
      location: MESH_EXTERNAL
      addresses:
      - 169.254.169.254
      ports:
      - number: 80
        name: tcp-80
        protocol: TCP
      - number: 443
        name: tcp-443
        protocol: TCP
      resolution: STATIC
      endpoints:
      - address: 169.254.169.254