I see that there are options (e.g. the traffic.sidecar.istio.io/excludeOutboundIPRanges annotation) that allow bypassing the Envoy proxy by excluding a range of IP addresses.
In some cases, we need direct access to external services that have a hostname but do not have a fixed IP address/range.
Is there any possibility to configure such direct access by an external service hostname?
I played with iptables a bit. It is possible to edit the rules by adding something similar to the following inside a container with the NET_ADMIN security capability:
-A ISTIO_OUTPUT -d external-svc.staging.example.com -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
As a result, the following rules were added:
-A ISTIO_OUTPUT -d 10.10.10.2/32 -j RETURN
-A ISTIO_OUTPUT -d 10.10.9.2/32 -j RETURN
It made sending direct requests possible. However, these IP addresses were resolved via DNS by the iptables tools. This means that if we change DNS, then we need to change the iptables rules again.
Maybe I missed something, and there is a more elegant/simpler way to set up such direct access?
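Added example, not part of the question above and not Istio's own tooling: a small POSIX shell script that does the "resolve the hostname, then install RETURN rules" step from the question in a repeatable way. It keeps the bypass addresses in a dedicated nat chain (ISTIO_OUTPUT_BYPASS is a name chosen here) that ISTIO_OUTPUT jumps to ahead of its ISTIO_REDIRECT rule, and rebuilds that chain atomically with iptables-restore --noflush on every run. The resolver (getent ahostsv4), the chain name and the need for NET_ADMIN plus the iptables binaries in the container are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Re-run this script (cron, a loop in a
# helper container, a DNS-change hook) to keep iptables in step with DNS: it resolves
# the hostname now, rebuilds a dedicated nat chain with one RETURN per address, and
# makes ISTIO_OUTPUT jump to that chain before its own ISTIO_REDIRECT rule.
# Assumes NET_ADMIN, iptables/iptables-restore and getent inside the container.

BYPASS_CHAIN=ISTIO_OUTPUT_BYPASS   # hypothetical chain name chosen for this example

# Resolve the IPv4 addresses a hostname currently points to, one per line, deduplicated.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Render iptables-restore input that (re)builds the bypass chain for the given IPs.
# ":CHAIN - [0:0]" creates the chain if it does not exist, "-F CHAIN" empties it, and
# each address gets a RETURN so ISTIO_OUTPUT falls through to normal routing instead
# of reaching ISTIO_REDIRECT. Used with --noflush so all other chains stay untouched.
render_bypass_rules() {
    printf '*nat\n:%s - [0:0]\n-F %s\n' "$BYPASS_CHAIN" "$BYPASS_CHAIN"
    for ip in "$@"; do
        printf '%s %s -d %s/32 -j RETURN\n' -A "$BYPASS_CHAIN" "$ip"
    done
    printf 'COMMIT\n'
}

# Make ISTIO_OUTPUT jump to the bypass chain as its first rule; -C checks whether the
# jump is already present so repeated runs do not stack duplicate rules.
ensure_jump() {
    iptables -t nat -C ISTIO_OUTPUT -j "$BYPASS_CHAIN" 2>/dev/null \
        || iptables -t nat -I ISTIO_OUTPUT 1 -j "$BYPASS_CHAIN"
}

# Resolve the host and atomically replace the bypass rules. If resolution yields
# nothing, the previous rules are kept rather than silently cutting the bypass.
sync_bypass() {
    host="$1"
    ips=$(resolve_v4 "$host")
    if [ -z "$ips" ]; then
        echo "sync_bypass: no A records for $host, keeping existing rules" >&2
        return 1
    fi
    # $ips is intentionally unquoted: one argument per resolved address.
    render_bypass_rules $ips | iptables-restore --noflush
    ensure_jump
}

# Usage: ./sync_bypass.sh external-svc.staging.example.com
if [ "$#" -gt 0 ]; then
    sync_bypass "$1"
fi
```

Because the chain is rebuilt from scratch each run, addresses that drop out of DNS disappear from the bypass on the next sync, which the hand-edited RETURN rules in the question do not do. The trade-off is the same one the question points out: the bypass is only as current as the last resolution, so the sync interval has to be shorter than the record's TTL to avoid a window where new addresses are still redirected into Envoy.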