VirtualService route to a destination host declared in ServiceEntry not working

quentinlec · February 3, 2020, 9:58am

Hello,
I’m trying to write a VirtualService that shall direct traffic to a specific destination host following a regex. That specific destination is not a service inside the Mesh but a host that I declared with a ServiceEntry (MESH_EXTERNAL). The documentation clearly says that this should be possible :
“The name of a service from the service registry. Service names are looked up from the platform’s service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by ServiceEntry . Traffic forwarded to destinations that are not found in either of the two, will be dropped.” (https://istio.io/docs/reference/config/networking/virtual-service/#Destination)

However I can not make it work. When choosing a service inside the mesh, the VirtualService correctly direct traffic to the pods, and when I try to put an host I only get 503 (UC).

My version of Istio is 1.4.3 and I configured it with REGISTRY_ONLY Outbound policy.

Here are the two files for VirtualService and ServiceEntry.

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-https
  namespace: ns
spec:
  hosts:
  - myhost.com
  - www.myhost.com
  ports:
  - number: 443
    name: https
    protocol: TLS
  exportTo: 
  - "."
  resolution: DNS
  location: MESH_EXTERNAL

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  labels:
    app: docs-app
  name: docs-app
  namespace: ns
spec:
  gateways:
  - istio-system/ingress-gateway
  hosts:
  - docs-app.com
  http:
  - match:
    - uri:
        regex: ^\/(downloads|releases)\/.*
    route:
    - destination:
        host: myhost.com
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: docs-app.ns.svc.cluster.local
        port:
          number: 9090

Thanks for your answers.

willian.campos · May 14, 2020, 11:45pm

I had a similar issue.
I see you are restricting your ServiceEntry to a specific namespace. Is the gateway in the same namespace? I think you are using the one in istio’s namespace right?
Try changing the exportTo to “*” or removing it. That did the trick for me.
Apparently istio gateway won’t be able to route it if the ServiceEntry is restricted to a different namespace even though it works fine with the VirtualService not being in the same namespace.

Btw, my “internal host” (yours myhost.com) had to be changed to be “something.local” as “myhost.local” e.g.

quentinlec · May 15, 2020, 7:58am

Hello,
I thought i had tested with no restriction but I’ll test again and come back here, indeed I’m using a gateway in istio’s namespace!

However I don’t get what you mean by changing my “myhost.com” to “myhost.local” ? I want my apps to communicate with myhost.com, being the host that I register in my ServiceEntry.

Thanks for your answer!

Topic		Replies	Views
ServiceEntry not routing the traffic back to the cluster	0	410	July 18, 2021
Virtual service as a "router" for services in mesh. Can't seem to get this working Config	0	766	September 12, 2021
VirtualService in Service Registry OR VirtualService chaining to another VirtualService? Networking	4	3039	January 23, 2020
Can ServiceEntry be used to match by uri for external services? Networking	2	479	June 6, 2019
Internal traffic with VirtualService and DestinationRule Networking	2	3533	September 11, 2019

VirtualService route to a destination host declared in ServiceEntry not working

Related Topics