ServiceEntry Best Practices?

adinunzio84 · March 21, 2019, 4:50pm

If we wish to use the block-by-default config for egress traffic, are there any best practices for how to use ServiceEntries?

In particular, we have multiple different teams making multiple different apps, each with their own set of external services that they need to access.

Where do you typically place ServiceEntry manifest files? In some global list of ServiceEntries shared by all apps across all teams?

I see a few possible issues

Two different apps from two different teams might reference the same external service, so if both teams need the same ServiceEntry, they need to add just one instance of it to a global list of ServiceEntries, since there can’t be duplicate ServiceEntries to the same host
The two apps might need different configurations of the ServiceEntry, in which case they would need to have the “global” one support both use cases (e.g. accessing it on different ports, or maybe one only needs access to a specific subdomain of the host)
If one app no longer needs to access the external service, it can’t remove it from the “global” list because there might be other apps that are now using it.

Any helpful tips or best practices are highly appreciated!

blaketastic2 · April 12, 2019, 12:00pm

@adinunzio84 Did you ever get anywhere with this? I think these questions are important concepts to be answered by the community.

adinunzio84 · April 18, 2019, 4:47pm

@blaketastic2 haven’t seen anything that could help with this yet, and since we aren’t blocking egress traffic by default anymore, we haven’t really put any extra effort into figuring this stuff out.

Hoping that there are some good answers to these eventually though, since I imagine we will ultimately end up with block-by-default egress traffic with ServiceEntries.

Reuven_Harrison · June 2, 2019, 2:28pm

Hi @adinunzio84,
We recently published an open source solution to automate the configuration of service entries in a cluster: https://github.com/istio-ecosystem/dns-discovery/blob/master/README.md

You can also see the blog about this here: https://medium.com/@tufin/locking-down-istio-egress-with-automatic-traffic-discovery-51f0d49879a3

Hope this helps,
Reuven (CTO and Co-Founder @ Tufin)

edit: updated github repo to its new home on istio-ecosystem

adinunzio84 · June 10, 2019, 6:53pm

Thanks @Reuven_Harrison!

Topic		Replies	Views
Egress traffic management: allow all egress traffic by default and still apply Istio features to it. Networking	4	912	May 8, 2019
ServiceEntry not routing the traffic back to the cluster	0	490	July 18, 2021
Egress Gateways - What's the Best Way to set up a "Core" Configuration, with Per Namespace Customisation? Networking	0	289	January 31, 2023
Question about egress traffic to same host configuration from different namespaces	0	494	December 12, 2019
ServiceEntry with multiple dns endpoints and HOST header	1	786	July 3, 2023

ServiceEntry Best Practices?

Related topics