K
Q

Istio - Connect to an external ip

5/11/2019

I installed Istio with

gateways.istio-egressgateway.enabled = true

When I try to connect to external database I receive an error. I do not have a domain (only ip and port), so I define the following rules:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-db
spec:
  hosts:
  - external-db.tcp.svc
  addresses:
  - 190.64.31.232/32
  ports:
  - number: 3306
    name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: STATIC
  endpoints:
  - address: 190.64.31.232

then I open a Shell in my system (deployed in my service mesh) And it can't resolve the name

$ ping external-db.tcp.svc
ping: ceip-db.tcp.svc: Name or service not known

But i can connect using the ip address

$ ping 190.64.31.232
PING 190.64.31.232 (190.64.31.232) 56(84) bytes of data.
64 bytes from 190.64.31.232: icmp_seq=1 ttl=249 time=1.35 ms
64 bytes from 190.64.31.232: icmp_seq=2 ttl=249 time=1.42 ms

What is happening? Do I have to connect using the domain or the ip? Can I define a internal domain for my external ip?

-- user60108
istio
kubernetes

Similar Questions

Istio - GKE - gRPC config stream closed; upstream connect error or disconnect/reset before headers. reset reason: connection failure
Kubernetes internal CORS issues between services
Getting ErrImagePull when trying to use Local Docker Registry with Kubernetes
Why is my Kubernetes deployment registering as unavailable even though it runs in Docker?
Hashicorp Waypoint Getting Timedout in local K3S
Add roles to EKS nodes using Terraform and node groups
GitLab integration with Jaeger in Azure kubernetes service

2 Answers

5/14/2019

The problem is resolving the DNS which basically relates to the configuration of resolution in your ServiceEntry.

Based on istio's documentation:

Resolution determines how the proxy will resolve the IP addresses of the network endpoints associated with the service, so that it can route to one of them.

Since you have configured it as STATIC, you are telling istio-proxy/envoy to look for an Endpoint for resolving that DNS name; hence you need to define an Endpoint as Vasily suggested.

Another easy way, if that DNS name is defined outside of your mesh, is just changing the resolution to DNS which will force istio-proxy to query DNS server during request processing.

-- Rahman
Source: StackOverflow
5/12/2019

You can create headless service with hardcoded IP endpoint:

---
apiVersion: v1
kind: Service
metadata:
  name: external-db
spec:
  clusterIP: None
  ports:
  - protocol: TCP
    port: 3306
---
apiVersion: v1
kind: Endpoints
metadata:
  name: external-db
subsets:
  - addresses:
    - ip: 190.64.31.232
    ports:
    - port: 3306

And then you may add to your ServiceEntry a host external-db.default.svc.cluster.local

-- Vasily Angapov
Source: StackOverflow