Restricting Service Access with Mesh for Targeted Traffic¶

In certain business scenarios, it is necessary to restrict access to specific services only for other services. This can be achieved by leveraging the capabilities of Istio for centralized management.

In Istio, we can use Egress to control the outbound traffic from a service and Service Entry to control external services in the mesh. By combining these with an authorization policy, we can control the traffic and permissions for service access. This article explains how to use Egress and authorization policies to manage traffic and permissions for outbound service access.

Prerequisites¶

Firstly, ensure that your mesh is in a healthy state. If you haven't installed Istio yet, please refer to the Mesh Installation Guide.

Enabling Outbound Traffic Only¶

To configure the mesh for outbound traffic only, modify the governance information of the mesh as shown in the screenshots below. Please note that after making these changes, you will need to use Service Entry to allow access to services outside the cluster.

Creating an Egress Gateway¶

Setting up a Test Application¶

You can use any application for testing purposes. In the following steps, we will perform network access tests by entering the pod using kubectl exec pod . It is recommended to ensure that the application has the curl command available.

Here, we are using a simple example called bookinfo , but you can use any other application.

Additionally, ensure that the application's Pod has been successfully injected with a sidecar. You can check the status of the corresponding service in the mesh interface.