External Service

New user to Istio and have some questions around accessing external services.

The default setup states:

… configures the Istio proxy to pass through, instead of block, calls to external services on any ports without an HTTP service or service entry within the mesh.

Need some clarification on what is meant by an “HTTP service”. Is that saying that if I don’t have a service object that defines port HTTP that traffic will be allowed (such as below)?

apiVersion: v1
kind: Service
metadata:
  name: example
spec:
  ports:
  - name: http-name
    port: 80
    protocol: TCP
    targetPort: http
  type: ClusterIP

Does this apply for all services, not just http? For instance, if I had a service with a named port for https or mongo?

And what is the association between the port name and actual port? Using the above example, if that was my only service, I would be blocked to external service on port 80. But what about if I tried to hit an external service via http on port 8000?

You can check THIS link for all the service requirements.

That does not really answer my question. I was aware of that doc.

What I am trying to figure out is what is required for external access. The original doc I posted suggests that the default is everything is allowed except if there is an http service defined for a certain port mapping? Is that only for http, meaning https is allowed? Even if there is a service mapping for https and the specified port?

I installed Istio and noted that services that contacted AWS services began failing. But that is https, so why would it have been blocked, since according to the egress doc it is http?