Understanding Istio ServiceEntry: How to Extend Your Service Mesh to External Endpoints
What Is An Istio ServiceEntry?
Istio ServiceEntry is the way to define an endpoint that doesn’t belong to the Istio Service Registry. Once the ServiceEntry is part of the registry, you can define rules and enforce policies for it as if it belonged to the mesh.
Istio ServiceEntry answers a question you have probably asked several times when using a service mesh: how can I do the same magic with external endpoints that I can do when everything is under my service mesh scope? Istio ServiceEntry objects provide precisely that:
A way to have an extended mesh managing another kind of workload or, even better, in Istio’s own words:
ServiceEntry enables adding additional entries into Istio’s internal service registry so that auto-discovered services in the mesh can access/route to these manually specified services.
These services could be external to the mesh (e.g., web APIs) or mesh-internal services that are not part of the platform’s service registry (e.g., a set of VMs talking to services in Kubernetes).
What are the main capabilities of Istio ServiceEntry?
Here you can see a sample of the YAML definition of a Service Entry:
- number: 443
In this case, we have an external-svc-redirect ServiceEntry object that handles all calls going to wikipedia.org. We define the port and protocol to be used (TLS - 443) and classify this service as external to the mesh (MESH_EXTERNAL), since it is an external web page.
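A complete manifest matching the description above, written as an added example (it is not the original page's snippet). The name, host, port, protocol, location and resolution come from the text; the apiVersion and the port name are assumptions.

```yaml
# Added example, reconstructed from the article's description.
apiVersion: networking.istio.io/v1beta1   # assumption: the page does not state the API version
kind: ServiceEntry
metadata:
  name: external-svc-redirect
spec:
  hosts:
  - wikipedia.org            # external host added to the mesh's service registry
  location: MESH_EXTERNAL    # the service lives outside the mesh
  ports:
  - number: 443
    name: tls                # assumption: the port name is not given on the page
    protocol: TLS            # TLS traffic is matched by its SNI and passed through
  resolution: NONE           # the sidecar does no resolution and uses the address the client already resolved
```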
You can also specify more details inside the ServiceEntry configuration. For example, you can define a hostname or IP and translate it to a different hostname and port, because you can also specify the resolution mode you want to use for this specific ServiceEntry. If you look at the snippet above, you will find a resolution field with the value NONE that…