Zone Egress

ZoneEgress proxy is used when it is required to isolate outgoing traffic (to services in other zones or external services in the local zone). and you want to achieve isolation of outgoing traffic (to services in other zones or external services in the local zone), you can use ZoneEgress proxy.

Because ZoneEgress uses Service Name Indication (SNI) to route traffic, mTLS is required.

This proxy is not attached to any particular workload. In multi-zone the proxy is bound to a specific zone. Zone Egress can proxy the traffic between all meshes, so we need only one deployment for every zone.

When Zone Egress is present:

  • In multi-zone, all requests that are sent from local data plane proxies to other zones will be directed through the local Zone Egress instance, which then will direct the traffic to the proper instance of the Zone Ingress.
  • All requests that are sent from local data plane proxies to external services available within the Zone will be directed through the local Zone Egress instance.

Currently ZoneEgress is a purely optional component. In the future it will become compulsory for using external services.

The ZoneEgress entity includes a few sections:

  • type: must be ZoneEgress.
  • name: this is the name of the ZoneEgress instance, and it must be unique for any given zone.
  • networking: contains networking parameters of the Zone Egress
    • address: the address of the network interface Zone Egress is listening on.
    • port: is a port that Zone Egress is listening on
    • admin: determines parameters related to Envoy Admin API
      • port: the port that Envoy Admin API will listen to
  • zone [auto-generated on Kuma CP] : zone where Zone Egress belongs to

  • Kubernetes

  • Universal

To install ZoneEgress in Kubernetes when doing kumactl install control-plane use the --egress-enabled. If using helm add egress.enabled: true to your values.yaml.

In Universal mode, the token is required to authenticate ZoneEgress instance. Create the token by using kumactl binary:

  1. kumactl generate zone-token --valid-for 720h --scope egress > /path/to/token

Create a ZoneEgress data plane proxy configuration to allow kuma-cp services to be configured to proxy traffic to other zones or external services through ZoneEgress:

  1. type: ZoneEgress
  2. name: zoneegress-1
  3. networking:
  4. address: 192.168.0.1
  5. port: 10002

Apply the ZoneEgress configuration, passing the IP address of the control plane and your instance should start.

  1. kuma-dp run \
  2. --proxy-type=egress \
  3. --cp-address=https://<kuma-cp-address>:5678 \
  4. --dataplane-token-file=/path/to/token \
  5. --dataplane-file=/path/to/config

A ZoneEgress deployment can be scaled horizontally.

In addition to MTLS, there’s a configuration in the Mesh policy to route traffic through the ZoneEgress

  1. echo "apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4. name: default
  5. spec:
  6. routing:
  7. zoneEgress: true
  8. mtls: # mTLS is required to use ZoneEgress
  9. [...]" | kubectl apply -f -
  1. cat <<EOF | kumactl apply -f -
  2. type: Mesh
  3. name: default
  4. mtls: # mTLS is required to use ZoneEgress
  5. [...]
  6. routing:
  7. zoneEgress: true
  8. EOF

This configuration will force cross zone communication and external services to go through ZoneEgress. If enabled but no ZoneEgress is available the communication will fail.