Outbound traffic to exernal service (SOLVED)

Dinar_Valeev · April 12, 2019, 3:48pm

Hi, I have Istio 1.1.2 deployed without egress gateway and allowed any traffic from a side car:
outboundTrafficPolicy:
mode: ALLOW_ANY

but without ServiceEntry I’m getting 404 from envoy proxy while trying to reach external http endpoint.

Is it mandatory to describe every single endpoint sidecar talks to by ServiceEntry
Or I simply miss some extra config?

Any ideas?

ericvn · April 12, 2019, 4:13pm

Hello,

Without any knowledge of your services and ports in use, might you be trying to access a port on the external service that is being used by an internal service? There is a known issue in versions prior to Istio 1.1.3. There is a note describing this in the doc.: ALLOW_ANY only worked on ports with no HTTP services or service entries defined within the mesh. External hosts using the same port as any internal HTTP service fell back to a blocking-by-default behavior. Because some ports, such as port 80, have HTTP services inside Istio by default, prior to Istio 1.1.3 you couldn’t call external services on any of those ports either.

Dinar_Valeev · April 12, 2019, 6:59pm

Thanks for reply, yes I’ve seen that stanza and it got me even more confused. The port number I’m trying to access is 8080 pretty standard one, but I’m pretty sure I don’t have any sidecar with 8080 config.

gist.github.com

https://gist.github.com/k0da/f0c2f2d93eee3d793df29b3951329764

gistfile1.txt

* About to connect() to stg3-eureka01.int.example.com port 8080 (#0)
*   Trying xxx.xx.xx.xx...
* Connected to stg3-eureka01.int.example.com (xxx.xx.xx.xx) port 8080 (#0)
> GET /eureka/apps HTTP/1.1
> User-Agent: curl/7.29.0
> Host: stg3-eureka01.int.example.com:8080
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< date: Fri, 12 Apr 2019 18:56:21 GMT

This file has been truncated. show original

Any further debug steps I can take?

Dinar_Valeev · April 15, 2019, 2:15pm

I’ve tried to run eureka externally on the other port and traffic allowed for e.g. 8761 port. I can only find a pilot itself run on 8080.

ericvn · April 16, 2019, 12:54pm

It think you are saying you got things to work using a workaround of changing your Eureka to a port that wasn’t being used by a service. That is good. I am trying to verify that the issue you are seeing with a using a port that is already in use is fixed in 1.1.3.

Dinar_Valeev · April 16, 2019, 2:20pm

@ericvn Yeah, I just noticed a release, waiting on GH release to get images mirrored to a local registry

ericvn · April 16, 2019, 3:56pm

@Dinar_Valeev So I tried 1.1.3, and initially it failed the same as 1.1.2. Looking at the doc and issues/PRs it looks like when you install 1.1.3, you also need to add –set pilot.env.PILOT_ENABLE_FALLTHROUGH_ROUTE=1. This is called out at the top of the Control Egress Traffic page. When I updated using the additional flag, my test worked.

Dinar_Valeev · April 16, 2019, 8:55pm

@ericvn Thanks! I can confirm, pod can access external eureka on 8080
PILOT_ENABLE_FALLTHROUGH_ROUTE=1 is really required

ericvn · April 16, 2019, 9:17pm

Good to hear @Dinar_Valeev. Sounds like you are past this problem.

howardjohn · April 17, 2019, 12:28am

FYI PILOT_ENABLE_FALLTHROUGH_ROUTE=1 is not intended to be a permanent flag, this will be the default behavior “soon”.

Shawn_Stout · April 18, 2019, 10:21pm

Which file is updated with this value?

howardjohn · April 19, 2019, 3:50am

Pass it to Helm

Topic		Replies	Views
By default, all external access is allowed, but it shouldn't Networking	2	672	March 13, 2019
Can't hit anything external in 1.1.1	1	1116	March 30, 2019
External Service	2	490	March 22, 2019
Istio Sidecar crd outboundTrafficPolicy set to REGISTRY_ONLY. ServiceEntry not honored Networking	0	463	April 23, 2022
Redirect the outbound access through Virtual Service to external proxy Networking	0	341	August 4, 2021

Outbound traffic to exernal service (SOLVED)

Related Topics