Outbound traffic to exernal service (SOLVED)

#1

Hi, I have Istio 1.1.2 deployed without egress gateway and allowed any traffic from a side car:
outboundTrafficPolicy:
mode: ALLOW_ANY

but without ServiceEntry I’m getting 404 from envoy proxy while trying to reach external http endpoint.

Is it mandatory to describe every single endpoint sidecar talks to by ServiceEntry
Or I simply miss some extra config?

Any ideas?

0 Likes

#2

Hello,

Without any knowledge of your services and ports in use, might you be trying to access a port on the external service that is being used by an internal service? There is a known issue in versions prior to Istio 1.1.3. There is a note describing this in the doc.: ALLOW_ANY only worked on ports with no HTTP services or service entries defined within the mesh. External hosts using the same port as any internal HTTP service fell back to a blocking-by-default behavior. Because some ports, such as port 80, have HTTP services inside Istio by default, prior to Istio 1.1.3 you couldn’t call external services on any of those ports either.

0 Likes

#3

Thanks for reply, yes I’ve seen that stanza and it got me even more confused. The port number I’m trying to access is 8080 pretty standard one, but I’m pretty sure I don’t have any sidecar with 8080 config.

Any further debug steps I can take?

0 Likes

#4

I’ve tried to run eureka externally on the other port and traffic allowed for e.g. 8761 port. I can only find a pilot itself run on 8080.

0 Likes

#5

It think you are saying you got things to work using a workaround of changing your Eureka to a port that wasn’t being used by a service. That is good. I am trying to verify that the issue you are seeing with a using a port that is already in use is fixed in 1.1.3.

0 Likes

#6

@ericvn Yeah, I just noticed a release, waiting on GH release to get images mirrored to a local registry

0 Likes

#7

@Dinar_Valeev So I tried 1.1.3, and initially it failed the same as 1.1.2. Looking at the doc and issues/PRs it looks like when you install 1.1.3, you also need to add –set pilot.env.PILOT_ENABLE_FALLTHROUGH_ROUTE=1. This is called out at the top of the Control Egress Traffic page. When I updated using the additional flag, my test worked.

1 Like

#8

@ericvn Thanks! I can confirm, pod can access external eureka on 8080
PILOT_ENABLE_FALLTHROUGH_ROUTE=1 is really required

0 Likes

#9

Good to hear @Dinar_Valeev. Sounds like you are past this problem.

1 Like

#10

FYI PILOT_ENABLE_FALLTHROUGH_ROUTE=1 is not intended to be a permanent flag, this will be the default behavior “soon”.

0 Likes

#11

Which file is updated with this value?

0 Likes

#12

Pass it to Helm

0 Likes