Zone Egress
ZoneEgress
proxy is used when it is required to isolate outgoing traffic (to services in other zones or external services in the local zone). and you want to achieve isolation of outgoing traffic (to services in other zones or external services in the local zone), you can use ZoneEgress
proxy.
Because ZoneEgress
uses Service Name Indication (SNI) to route traffic, mTLS is required.
This proxy is not attached to any particular workload. In multi-zone the proxy is bound to a specific zone. Zone Egress can proxy the traffic between all meshes, so we need only one deployment for every zone.
When Zone Egress is present:
- In multi-zone, all requests that are sent from local data plane proxies to other zones will be directed through the local Zone Egress instance, which then will direct the traffic to the proper instance of the Zone Ingress.
- All requests that are sent from local data plane proxies to external services available within the Zone will be directed through the local Zone Egress instance.
Currently ZoneEgress
is a purely optional component. In the future it will become compulsory for using external services.
The ZoneEgress
entity includes a few sections:
type
: must beZoneEgress
.name
: this is the name of theZoneEgress
instance, and it must be unique for any givenzone
.networking
: contains networking parameters of the Zone Egressaddress
: the address of the network interface Zone Egress is listening on.port
: is a port that Zone Egress is listening onadmin
: determines parameters related to Envoy Admin APIport
: the port that Envoy Admin API will listen to
zone
[auto-generated on Kuma CP] : zone where Zone Egress belongs to- Universal
To install ZoneEgress
in Kubernetes when doing kumactl install control-plane
use the --egress-enabled
. If using helm add egress.enabled: true
to your values.yaml
.
In Universal mode, the token is required to authenticate ZoneEgress
instance. Create the token by using kumactl
binary:
kumactl generate zone-token --valid-for 720h --scope egress > /path/to/token
Create a ZoneEgress
data plane proxy configuration to allow kuma-cp
services to be configured to proxy traffic to other zones or external services through ZoneEgress
:
type: ZoneEgress
name: zoneegress-1
networking:
address: 192.168.0.1
port: 10002
Apply the ZoneEgress
configuration, passing the IP address of the control plane and your instance should start.
kuma-dp run \
--proxy-type=egress \
--cp-address=https://<kuma-cp-address>:5678 \
--dataplane-token-file=/path/to/token \
--dataplane-file=/path/to/config
A ZoneEgress
deployment can be scaled horizontally.
In addition to MTLS, there’s a configuration in the Mesh
policy to route traffic through the ZoneEgress
echo "apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
name: default
spec:
routing:
zoneEgress: true
mtls: # mTLS is required to use ZoneEgress
[...]" | kubectl apply -f -
cat <<EOF | kumactl apply -f -
type: Mesh
name: default
mtls: # mTLS is required to use ZoneEgress
[...]
routing:
zoneEgress: true
EOF
This configuration will force cross zone communication and external services to go through ZoneEgress
. If enabled but no ZoneEgress
is available the communication will fail.