Let’s see an example of using an egress route by deploying the recommendation:v3 version. Service Entries let you apply rules that allow internal services to interact with external services.

In this case, we are going to configure Istio to allow access to an external service from the internal service (recommendation:v3).

Change to the blocking-by-default policy

By default, Istio configures the Envoy proxy to pass through requests for unknown external services. Although this provides a convenient way to get started with Istio, configuring stricter control is usually preferable.

Run the following command to change the global.outboundTrafficPolicy.mode option from ALLOW_ANY to REGISTRY_ONLY:

kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | kubectl replace -n istio-system -f -
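
The sed substitution above only rewrites a `mode: ALLOW_ANY` line that is already present, so it is worth reading the setting back before relying on it. The following check is an added example, not part of the original tutorial: the function names and sample ConfigMaps are constructed, and it assumes the block form of the setting and that an absent setting means the pass-through default described above.

```shell
# Report the effective outbound traffic policy of the mesh.
# Input on stdin: output of `kubectl get configmap istio -n istio-system -o yaml`.
effective_outbound_mode() {
  awk '
    /^[ \t]*outboundTrafficPolicy:[ \t]*$/ { in_block = 1; next }
    in_block && /^[ \t]*#/ { next }          # skip comments inside the block
    in_block && /^[ \t]*mode:/ {
      sub(/^[ \t]*mode:[ \t]*/, "")          # keep only the value
      gsub(/[ \t"]/, "")                     # drop double quotes and spaces
      mode = $0; in_block = 0; next
    }
    in_block { in_block = 0 }                # another key: the block has ended
    # Assumption: an absent setting means the permissive default.
    END { print (mode == "" ? "ALLOW_ANY" : mode) }
  '
}

# Exit status 0 only when unknown external hosts are blocked.
egress_locked_down() { [ "$(effective_outbound_mode)" = "REGISTRY_ONLY" ]; }

# Constructed sample: explicit setting, as the sed command expects to find it.
sample_explicit() {
  cat <<'EOF'
kind: ConfigMap
data:
  mesh: |-
    outboundTrafficPolicy:
      mode: ALLOW_ANY
    rootNamespace: istio-system
EOF
}

# Constructed sample: no outboundTrafficPolicy key at all.
sample_absent() {
  cat <<'EOF'
kind: ConfigMap
data:
  mesh: |-
    rootNamespace: istio-system
EOF
}

# The same substitution as in the tutorial command.
tutorial_sed() { sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g'; }

sample_explicit | tutorial_sed | effective_outbound_mode   # REGISTRY_ONLY
sample_absent   | tutorial_sed | effective_outbound_mode   # ALLOW_ANY
```

Against a live cluster, pipe the real ConfigMap into `egress_locked_down` and treat a non-zero exit status as a failed lockdown.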

Deploy recommendation v3 and Redirect all Users to it

kubectl apply -f manifests/kubernetes/recommendation-v3.yml
kubectl apply -f manifests/istio/egress/recommendation-destination-rule-v1-v2-v3.yml
kubectl apply -f manifests/istio/egress/recommendation-v3-virtual-service.yml

Then access the service:

curl $GATEWAY_IP/customer

Since no Egress service entry has been registered to access an external site, the service will return a 500 error.

Let’s fix it by registering a service entry to allow access to worldclockapi.

Allow access to an external HTTP service

Create a ServiceEntry to allow access to an external HTTP service:

kubectl apply -f manifests/istio/egress/service-entry-egress-worldclockapi.yml

kubectl get serviceentry

curl $GATEWAY_IP/customer

customer => preference => Mon, 16 Jul 2018 12:03:38 GMT recommendation v3 from '7b445dd469-j6rkg': 1

Or shell into the pod and run the curl command:

kubectl exec -it $(kubectl get pods -o jsonpath="{.items[*].metadata.name}" -l app=recommendation,version=v3) -c recommendation -- curl

Clean up

kubectl delete ServiceEntry worldclockapi-egress-rule
kubectl delete DestinationRule recommendation
kubectl delete VirtualService recommendation