Use same domain name internally and externally

Hi,

I’m trying to guess if it is possible to use the same domain name for accessing a service internally and externally.

For example, I have the https://app1.domain.com which if:

  • Accessed externally, it is exposed on an L7 load balancer with WAF capabilities; DNS resolves to a public IP address.
  • Accessed internally, for performance reasons traffic is routed within the cluster: no WAF and no extra hops.

I want to maintain the same configuration inside the cluster and outside the cluster, and therefore use the same URI for HTTP requests.

The current configuration consists of:

Namespace A, where the application exposed to the internet and internally to the cluster lives:

  • Istio Gateway (mygateway)
  • Istio virtualservice
  • Kubernetes service
  • Kubernetes deployment

The Istio VirtualService is configured as follows:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app1
  namespace: app1
  labels:
    app: app1
spec:
  gateways:
  - mesh        # also program the sidecars, not only the ingress gateway
  - mygateway
  hosts:
  - app1.domain.com
  http:         # http is a list of routes, each entry starts with "-"
  - match:
    - uri:
        regex: ^\/v1(.*)
    route:
    - destination:
        host: app1.app1.svc.cluster.local
        port:
          number: 80
    timeout: 60s

I’ve added the mesh gateway to add the configuration also to the sidecars.

And then another app, app2, in namespace app2, with just a deployment that executes the following request:

curl https://app1.domain.com/v1/

It doesn’t work at all, since it is resolving DNS to a public IP.

I’ve also tried to add a ServiceEntry, with no success. Even if it worked, it applies to workloads and not to the VirtualService configuration, so it does not make sense to me, since a VirtualService could aggregate different workloads.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: app1
  namespace: app1
spec:
  hosts:
  - app1.domain.com
  location: MESH_INTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: STATIC
  workloadSelector:
    labels:
      app: app1

Do you think this is something possible to configure?

I’ve seen this post where something similar is asked about, using Knative: istio - What is the knative's "mesh" gateway - Stack Overflow
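As an added illustration (not part of the question or of Istio itself), the snippet below models how the VirtualService above decides whether a request is its business: the Host header must equal the entry in `hosts`, and the path must match the `uri.regex`. It assumes Envoy's regex route-match semantics, where the whole path (query string excluded) must match, and it shows that `^\/v1(.*)` also captures paths such as `/v1beta/admin`; the tighter pattern `^/v1(/.*)?$` is an assumed alternative for a practitioner who only wants `/v1` and its sub-paths. The sample requests are constructed.

```python
import re

# Host and URI regex taken from the VirtualService in the question
VS_HOST = "app1.domain.com"
VS_URI_REGEX = r"^\/v1(.*)"

# Assumed tighter alternative: only /v1 itself and paths under /v1/
TIGHT_URI_REGEX = r"^/v1(/.*)?$"


def route_matches(host: str, path: str, uri_regex: str = VS_URI_REGEX) -> bool:
    """Return True if the VirtualService would route this request.

    `hosts` is compared against the request Host header; the regex is
    evaluated against the full path without the query string (assumption:
    Envoy's whole-path regex matching).
    """
    if host != VS_HOST:
        return False
    path_only = path.split("?", 1)[0]
    return re.fullmatch(uri_regex, path_only) is not None


def classify(requests, uri_regex: str = VS_URI_REGEX) -> dict:
    """Map 'host+path' -> routed? for a list of (host, path) tuples."""
    return {f"{host}{path}": route_matches(host, path, uri_regex)
            for host, path in requests}


# Constructed sample requests, including a sibling path that the
# original regex unintentionally matches
SAMPLE_REQUESTS = [
    ("app1.domain.com", "/v1/"),              # the curl from the question
    ("app1.domain.com", "/v1/users?id=7"),    # query string is ignored
    ("app1.domain.com", "/v1beta/admin"),     # matched by ^\/v1(.*) too
    ("app1.domain.com", "/api/v1/"),          # not anchored at /v1
    ("app2.domain.com", "/v1/"),              # wrong host
]

if __name__ == "__main__":
    for label, regex in (("original", VS_URI_REGEX), ("tight", TIGHT_URI_REGEX)):
        print(f"--- {label}: {regex}")
        for request, routed in classify(SAMPLE_REQUESTS, regex).items():
            print(f"{request:40} routed={routed}")
```

Running it side by side makes the difference visible: with the original regex, `/v1beta/admin` is routed to `app1.app1.svc.cluster.local` exactly like `/v1/`, whereas the tighter pattern rejects it while still accepting `/v1/` and `/v1/users`.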

Before accessing the backend Kubernetes services, are you able to access the public load balancer interface? Does curl https://app1.domain.com:80 work?