
Istio default external access limitations

By default, Istio-enabled services within a cluster are restricted from accessing services and URLs located outside of the cluster.^[external/README.md] This limitation exists because each pod uses iptables rules to transparently redirect all outbound traffic to the sidecar proxy, and the proxy is configured to handle only intra-cluster destinations.^[external/README.md]

If Istio is not explicitly configured to allow external access, pods attempting to reach external endpoints will fail with protocol-dependent errors.^[external/README.md] Typically, HTTP requests receive a 404 status code, HTTPS connections cannot be established, and other TCP connections fail with generic connection errors.^[external/README.md]

Configuration and Resolution

To mitigate these limitations, operators can configure external access using resources such as ServiceEntry objects.^[external/README.md] However, if these entries are misconfigured, pods may still fail to reach the external endpoint, typically with errors that refer to the server name.^[external/README.md]
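As an added example (not taken from the Istio README or any Istio project file), the following ServiceEntry grants mesh workloads access to one external hostname over HTTP and HTTPS. The hostname `api.example.com` and the resource name are placeholders; the entry assumes that the server name the workload actually requests (the HTTP Host header or the TLS SNI) is listed in `hosts`, since a mismatch there is the usual cause of the server-name failures described above.

```yaml
# ServiceEntry allowing mesh workloads to reach api.example.com (placeholder).
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api            # placeholder name
  namespace: default
spec:
  # Must contain the exact server name the workload requests; an entry for
  # "example.com" does not cover "api.example.com", and a request to a host
  # missing here is blocked (HTTP 404 / failed TLS handshake) as before.
  hosts:
  - api.example.com
  # MESH_EXTERNAL: the destination is outside the mesh, so no mTLS is attempted.
  location: MESH_EXTERNAL
  # DNS: the sidecar resolves the hostname instead of expecting a static IP.
  resolution: DNS
  # Only the listed ports are permitted; 22/SSH is deliberately not opened.
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  # Restrict the entry to this namespace rather than exporting it mesh-wide.
  exportTo:
  - "."
```

Apply it with `kubectl apply -f` in the namespace of the workload; a request to a host not listed in `hosts` still fails as described above.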

It is also possible to enable communication with external services by default during installation, though this approach has its own constraints regarding specific ports like HTTP (port 80) or SSH (port 22).^[external/README.md]

Sources

^[external/README.md]