istio.io: GCP services don't work with VirtualService

According to https://istio.io/docs/tasks/traffic-management/egress/ an external HTTPS service requires a ServiceEntry and VirtualService. I couldn’t get the GCP API to work with the configuration in that document.

I was able to fix it by creating an HTTPS ServiceEntry for *.googleapis.com on port 443, and removing all of the VirtualService entries.

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 16 (9 by maintainers)

Most upvoted comments

Also, try defining another service entry for *.google.com on the same port (say 443). You will see that traffic won't flow to either. When you have multiple service entries on the same port with HTTPS/TLS, you need an associated virtual service to route using SNI. If there is no virtual service, we will treat the port as an original destination port (443). This means the application could access any arbitrary site (yahoo.com) over 443 and traffic will flow. If you specify a virtual service, then you can restrict the flow to those hosts defined in the service entry. (Also try using TLS instead of HTTPS.)
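
The setup described in the comment above, as an added example that is not part of the original thread: two TLS service entries sharing port 443, plus one VirtualService that routes by SNI so only the listed hosts are matched. The resource names and the `v1alpha3` API version are assumptions, and field support varies across Istio releases.

```yaml
# Added example. Resource names are hypothetical, not taken from the issue.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: googleapis-tls
spec:
  hosts: ["*.googleapis.com"]
  location: MESH_EXTERNAL
  ports:
  - {number: 443, name: tls, protocol: TLS}   # TLS rather than HTTPS, as suggested
  resolution: NONE
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google-tls
spec:
  hosts: ["*.google.com"]
  location: MESH_EXTERNAL
  ports:
  - {number: 443, name: tls, protocol: TLS}   # same port as the entry above
  resolution: NONE
---
# With two entries on one TLS port, the sidecar needs SNI matches to tell
# the hosts apart; each route below sends one SNI pattern to its own entry.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: google-egress-sni
spec:
  hosts: ["*.googleapis.com", "*.google.com"]
  tls:
  - match:
    - port: 443
      sniHosts: ["*.googleapis.com"]
    route:
    - destination:
        host: "*.googleapis.com"
        port: {number: 443}
  - match:
    - port: 443
      sniHosts: ["*.google.com"]
    route:
    - destination:
        host: "*.google.com"
        port: {number: 443}
```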