Review ServiceEntry YAML for AWS Services

We are using Istio inside a KOPS cluster running in AWS. Our k8s services would like to talk to AWS services. The Istio (v1.2.2) install is using --set global.outboundTrafficPolicy.mode=REGISTRY_ONLY since that seems like the most secure option. Below I have crafted some ServiceEntries and it would be helpful to get some feedback on the configuration.

First up is the metadata server. The service is accessed via IP address (so no host name) and it’s on port 80. This is what I have that seems to work:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: metadata
spec:
  hosts:
  - "metadata.amazon.internal"
  addresses:
  - 169.254.169.254
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: STATIC
  location: MESH_EXTERNAL
  endpoints:
    - address: 169.254.169.254

A few points on the above:

  • resolution: STATIC is used due to hardcoded IP address.
  • "metadata.amazon.internal" is 100% fake and hopefully doesn’t matter. Required though due to Istio validation.
  • endpoints: is used due to STATIC resolution, I think?

OK, next up, wildcard for AWS services:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: amazonaws
spec:
  hosts:
    - '*.amazonaws.com'
  ports:
  - number: 443
    name: https
    protocol: TLS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: amazonaws
spec:
  hosts:
    - '*.amazonaws.com'
  tls:
  - match:
    - port: 443
      sni_hosts:
        - '*.amazonaws.com'
    route:
    - destination:
        host: '*.amazonaws.com'
        port:
          number: 443

For the above, I pretty much followed this. Open questions I have on this:

  • A lot of ServiceEntry examples are missing resolution even though it’s documented as required. What is used when it isn’t specified?
  • Why is the VirtualService needed? The ServiceEntry appears to work even after deleting the VirtualService.

Lastly, not entirely sure if my team wants to allow wildcard to all AWS services. If we don’t do wildcard, my assumption is that this is all I need for each service (no VirtualService right?):

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: dynamodb
spec:
  hosts:
  - dynamodb.us-east-1.amazonaws.com
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL

Sorry for the wall of text, my biggest concern is just to get some feedback on this configuration and make sure I’m heading down the right path. Cheers and thanks!
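An added example, not part of the original post: a small review script that encodes the ServiceEntry rules in play here (an omitted resolution means NONE, STATIC routes only to its endpoints, DNS cannot resolve a wildcard host without endpoints) together with the egress findings a reviewer would raise, and runs them over the three entries above transcribed as Python dicts. The rule set and the finding wording are my own, not an Istio tool.

```python
# Added example (not from the post): lint the ServiceEntries above against documented
# Istio v1alpha3 behaviour and flag the egress decisions a reviewer would want to see.
METADATA_IP = "169.254.169.254"   # link-local instance metadata address used in the post

def lint_service_entry(se):
    """Return review findings for one ServiceEntry given as a dict."""
    name, spec = se["metadata"]["name"], se["spec"]
    hosts = spec.get("hosts", [])
    wildcard = [h for h in hosts if h.startswith("*")]
    endpoints = spec.get("endpoints", [])
    # Resolution is a proto enum whose zero value is NONE, so an omitted field means NONE:
    # the sidecar forwards to the IP the application resolved, matched on SNI for TLS.
    resolution = spec.get("resolution", "NONE")
    findings = []
    if "resolution" not in spec:
        findings.append("resolution omitted; Istio treats it as NONE")
    if resolution == "STATIC" and not endpoints:
        findings.append("STATIC resolution routes only to listed endpoints, none given")
    if resolution == "DNS" and wildcard and not endpoints:
        findings.append("DNS resolution cannot resolve a wildcard host without endpoints")
    if wildcard:
        findings.append(f"wildcard {wildcard} permits egress to any matching host")
    addrs = set(spec.get("addresses", [])) | {e.get("address") for e in endpoints}
    if METADATA_IP in addrs:
        findings.append(f"grants egress to the instance metadata service {METADATA_IP}")
    return findings

def lint_all(entries):
    """Map each ServiceEntry name to its findings."""
    return {se["metadata"]["name"]: lint_service_entry(se) for se in entries}

# The three ServiceEntries from the post, transcribed as dicts (constructed input).
POST_ENTRIES = [
    {"metadata": {"name": "metadata"},
     "spec": {"hosts": ["metadata.amazon.internal"], "addresses": [METADATA_IP],
              "ports": [{"number": 80, "name": "http", "protocol": "HTTP"}],
              "resolution": "STATIC", "location": "MESH_EXTERNAL",
              "endpoints": [{"address": METADATA_IP}]}},
    {"metadata": {"name": "amazonaws"},
     "spec": {"hosts": ["*.amazonaws.com"],
              "ports": [{"number": 443, "name": "https", "protocol": "TLS"}],
              "location": "MESH_EXTERNAL"}},
    {"metadata": {"name": "dynamodb"},
     "spec": {"hosts": ["dynamodb.us-east-1.amazonaws.com"],
              "ports": [{"number": 443, "name": "https", "protocol": "TLS"}],
              "resolution": "DNS", "location": "MESH_EXTERNAL"}},
]

if __name__ == "__main__":
    for name, findings in lint_all(POST_ENTRIES).items():
        print(name, findings or ["no findings"])
```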