Use same domain name internally and externally

pmoncadaisla · May 30, 2022, 2:50pm

Hi,

I’m trying to guess if it is possible to use the same domain name for accessing a service internally and externally.

For example, I have the https://app1.domain.com which if:

Accessed externally it is exposed in a L7 Load Balancer with WAF capabilities, dns resolves to a public IP address.
Accessed internally, for performance reasons traffic is routed within the cluster, no WAF and no extra hops.

I want to maintain the same configuration inside the cluster and outside the cluster, and therefor use the same URI for http requests.

The current configuration consists of:

Namespace A, here lives application exposed to the internet and internally to the cluster

Istio Gateway (mygateway)
Istio virtualservice
Kubernetes service
Kubernetes deployment

The Istio VirtualService is configured as follows:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  labels:
    app: app1
    namespace: app1
spec:
  gateways:
  - mesh
  - mygateway
  hosts:
  - app1.domain.com
  http:
    match:
    - uri:
        regex: ^\/v1(.*)
    route:
    - destination:
        host: app1.app1.svc.cluster.local
        port:
          number: 80
    timeout: 60s

I’ve added the mesh gateway to add the configuration also to the sidecars.

And then an other app2 in Namespace app2 with just a deployment that executes the following request:

curl https://app1.domain.com/v1/

It doesn’t work at all, since it is resolving DNS to a public IP.

I’ve also tried to add a ServiceEntry with no success, also if it worked, it applies to workloads and not to “VirtualService” configuration, so it does not make sense to me, since a VirtualService could aggregate different workloads.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: app1
  namespace: app1
spec:
  hosts:
  - app1.domain.com
  location: MESH_INTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: STATIC
  workloadSelector:
    labels:
      app: app1

Do you think this is something possible to configure?

I’ve seen this post where it is asked about something similar using Knative istio - What is the knative's "mesh" gateway - Stack Overflow

CoderCooker · June 21, 2022, 11:51pm

Before accessing the backend kubernetes services, are you able to access the public load balance interface ? does curl https://app1.domain.com:80 work ?

pmoncadaisla · May 10, 2023, 11:54am

Yes @CoderCooker , accessing the public load balancer works

Topic		Replies	Views
Routing mesh traffic for application internally using public DNS Networking	1	520	January 2, 2023
Routing mesh traffic for application internally using public DNS Networking	1	469	June 20, 2023
Istio internal routing with global endpoints Networking	1	447	March 3, 2022
Best way to to route public service (DNS) internally?	13	3159	July 19, 2023
403 Forbidden incase differen domain names between ingress gateway and external Service	1	1389	October 21, 2022

Use same domain name internally and externally

Related topics