Understanding how Service Entry, Virtual Service, Destination Rule works on outbound connections?

User898231 · December 19, 2020, 4:05am

I want to set up an outbound connection like below
The external service requires mTLS, but the client should not worry about it. I want the istio’s envoy proxy to take care of automatically upgrading the connection from HTTP to HTTPS.

client (http) -----> envoy proxy (sidecar upgrades to mTLS) -----> external service (outside mesh)

Documents suggest that first I have to create a Service Entry for the external service and then create Virtual Service, Destination rules. Unfortunately, I am not able to put everything together and have a few questions:

What the protocol of the service entry should be? Is it HTTP or HTTPS? The client is going to make an HTTP call, but the actual service itself is HTTPS and hence the confusion.
Client certs – can I mount it in the sidecar proxy container using Istio’s annotations or do I need to deploy an egress proxy container for this use case? Can it be achieved without an egress proxy container?
Will the outbound connections get double encrypted? since all the connections in the mesh are secured by Istio by default.
How does the Istio know where to look for the certs (I mean in which envoy proxy container) when the certs path are defined in the destination rule. Especially when the egress gateway also exists in the path.

Any clarification on these would be really helpful.

Thanks

jesse · December 23, 2020, 7:40am

I have a few of these set up for regular TLS origination, where the client connects over http on port 80 and the external service is running on port 443. I think you could set up mTLS just by changing the TLS section at the bottom.

 apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
   name: janrain
   namespace: prod
 spec:
   hosts:
   - www.janraincapture.com
   ports:
   - number: 80
     name: http-port
     protocol: HTTP
     targetPort: 443 
   - number: 443 
     name: https-port
     protocol: HTTPS
   resolution: DNS 
   location: MESH_EXTERNAL
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
   name: janrain
   namespace: prod
spec:
  host: www.janraincapture.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE
        sni: www.janraincapture.com

Topic		Replies	Views
Sidecar configuration for mTLS for accessing external service Networking	1	1386	January 10, 2022
TLS origination from sidecar proxy instead of the Egress Gateway Security security	0	949	November 17, 2020
mTLS between istio side car and external service Security	1	910	July 18, 2022
How to originate TLS when forwarding to external ServiceEntry Networking	14	393	July 17, 2023
mTLS between ingress gateway and sidecars Networking	0	478	January 30, 2023

Understanding how Service Entry, Virtual Service, Destination Rule works on outbound connections?

Related Topics