Directing outbound traffic through a gateway
You can configure gateway proxies installed via gateway injection to manage traffic leaving the mesh and direct it toward external services.
Egress gateway
An egress gateway serves as a dedicated exit point for outbound traffic leaving the service mesh. It operates as a forward proxy, handling requests from mesh workloads that target services outside the mesh boundary. Deploying an egress gateway addresses two common security scenarios:
- Traffic restrictions: In environments where security policies require all outbound traffic to pass through a controlled set of nodes, an egress gateway centralizes this traffic flow through designated egress nodes.
- Network policy enforcement: When network policies prevent application pods from reaching external services directly, the egress gateway handles the external connectivity on their behalf.
In both cases, the gateway proxies run on dedicated egress nodes, and only those nodes are granted network access to the external services. Because external reachability is confined to a small, known set of nodes, they can be monitored more closely and subjected to stricter network policies than ordinary application nodes, which strengthens overall security.
Configure egress traffic
You can configure a gateway installed through gateway injection to direct egress traffic by combining the following Istio resources:
- Use the ServiceEntry resource to define the properties of an external service. Once defined, the external service is registered in the Istio service registry, enabling you to apply Istio features such as monitoring and routing rules to outbound traffic destined for that service.
- Use the Gateway, VirtualService, and DestinationRule resources to establish routing rules that direct traffic from mesh workloads to the external service through the gateway proxy.
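The following manifest is an added example, not configuration from the original page or from Istio's own documentation, showing how the four resources above fit together. It assumes a hypothetical external HTTP service `httpbin.example.com` on port 80, an injected gateway whose pods carry the label `istio: egressgateway` and are reachable in-cluster as `egress-gateway.istio-egress.svc.cluster.local`, and that the manifest is applied in the namespace of the calling workloads (all of these names are assumptions).

```yaml
# Added example (not from the original page). All hostnames and labels are assumed.
# 1. Register the external service so Istio knows about it and can route/observe it.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: httpbin-external
spec:
  hosts:
  - httpbin.example.com          # assumed external host
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
---
# 2. Open a listener on the injected egress gateway for that host only.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: httpbin-egress-gateway
spec:
  selector:
    istio: egressgateway           # assumed label on the injected gateway pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - httpbin.example.com
---
# 3. Name a subset of the gateway service so the VirtualService can target it.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: egress-gateway-for-httpbin
spec:
  host: egress-gateway.istio-egress.svc.cluster.local   # assumed gateway Service
  subsets:
  - name: httpbin
---
# 4. Two hops: sidecars ("mesh") send the host to the gateway; the gateway
#    forwards it to the real external destination.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: httpbin-via-egress-gateway
spec:
  hosts:
  - httpbin.example.com
  gateways:
  - mesh                            # sidecars of workloads in the mesh
  - httpbin-egress-gateway          # the Gateway defined above
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: egress-gateway.istio-egress.svc.cluster.local
        subset: httpbin
        port:
          number: 80
  - match:
    - gateways:
      - httpbin-egress-gateway
      port: 80
    route:
    - destination:
        host: httpbin.example.com   # resolved via the ServiceEntry
        port:
          number: 80
```

Two points worth checking after applying this. First, confirm the hop actually happens by issuing a request from a mesh workload and looking for the host in the egress gateway pod's access log (`kubectl logs` on the gateway pod); if the entry is missing, the sidecar sent the request directly. Second, this routing configuration is an instruction to the sidecar, not an enforcement mechanism: a workload that bypasses its sidecar or is not injected can still reach the destination if the node allows it. The restriction the page describes (only the egress nodes may reach external services, enforced by network policy) is what turns the gateway from a routing convenience into a control.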
Egress routing in ambient mode
If your deployment uses ambient mode, egress routing must be configured using the Kubernetes Gateway API rather than Istio Gateway and VirtualService resources. The Gateway API offers a standardized, Kubernetes-native approach for defining how traffic exits the mesh and reaches external destinations.
You can use Gateway and HTTPRoute (or GRPCRoute) resources to control how mesh traffic is routed to destinations outside the cluster. The Gateway API is fully supported in ambient mode and can also be used with sidecar-based deployments, providing a consistent configuration model for both ingress and egress routing.
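The equivalent configuration expressed with the Kubernetes Gateway API, as an added example that is not part of the original page or of Istio's own documentation. It assumes the same hypothetical external host `httpbin.example.com`, a namespace `istio-egress` for the gateway, a GatewayClass named `istio` provided by the mesh, and that the mesh's Gateway API implementation accepts a `Hostname` backend reference in the `networking.istio.io` group for a host registered by a ServiceEntry (an assumption about the implementation; check the Istio documentation for your version).

```yaml
# Added example (not from the original page). Names, namespace and the
# Hostname backend kind are assumptions about the environment.
# The external host is still registered with a ServiceEntry (omitted here;
# it is identical to the sidecar-mode case).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: egress-gateway
  namespace: istio-egress            # assumed namespace for egress resources
spec:
  gatewayClassName: istio            # assumed GatewayClass provided by the mesh
  listeners:
  - name: http-httpbin
    port: 80
    protocol: HTTP
    hostname: httpbin.example.com    # listener accepts only this host
    allowedRoutes:
      namespaces:
        from: Same                   # only routes in istio-egress may attach
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-egress
  namespace: istio-egress
spec:
  parentRefs:
  - name: egress-gateway             # attach to the Gateway above
  hostnames:
  - httpbin.example.com
  rules:
  - backendRefs:
    - group: networking.istio.io     # assumed: Istio's Hostname backend kind
      kind: Hostname
      name: httpbin.example.com
      port: 80
```

The `allowedRoutes` restriction and the explicit listener `hostname` are the security-relevant settings here: together they stop a route created in an application namespace from attaching to the egress gateway and opening a path to an arbitrary destination. The same Gateway and HTTPRoute kinds work with sidecar-based deployments, so a team can keep one routing model regardless of data-plane mode.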
Reference
- Egress gateways (Istio documentation)
- Introduction (Gateway API documentation)