I have already installed the Istio Ingress Gateway in my AKS cluster using Helm (charts used: istio/base, istio/istiod, istio/gateway from https://istio-release.storage.googleapis.com/charts).
Now I also want to install an Istio Egress Gateway, but I don't know if there is another Helm chart or if I have to install istio/gateway again and configure it as an egress gateway.
Can anyone help me with this? There is no clear installation guide using Helm in the Istio documentation.
What should I install and configure to route all the cluster traffic through this Egress Gateway and restrict access to specific hosts for every workload? For example:
```yaml
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: external-svc-https
  namespace: testing
spec:
  hosts:
  - api.dropboxapi.com
  - www.googleapis.com
  - api.facebook.com
  location: MESH_EXTERNAL
  # exportTo is a list of namespaces; "." limits visibility to this namespace
  exportTo:
  - "."
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: NONE
```
I already found a way to allow access only to specific hosts per namespace using ServiceEntry and changing the following configuration in the istiod installation.
```yaml
meshConfig:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
```
I found a workaround for this. I followed this guide to route the traffic to an egress gateway. To restrict access so that traffic can only go through this gateway, Network Policies have to be applied.
NOTE: This guide explains how to install istio gateway using istioctl. You can install using the following commands.
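
Added example, not part of the original post and not the install commands it refers to: a TLS passthrough route that sends one of the hosts from the question's ServiceEntry through an egress gateway. Assumptions: the gateway was installed from the istio/gateway chart as a release named `istio-egressgateway` in `istio-system` (so its pods carry the label `istio: egressgateway` and its Service exposes port 443), and a ServiceEntry for the host with `resolution: DNS` is visible to the gateway's namespace. The resource names `egress-dropbox` and `dropbox-via-egress` are hypothetical.

```yaml
# Added example. Assumed: gateway release "istio-egressgateway" in "istio-system",
# pods labelled istio: egressgateway, Service listening on 443.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: egress-dropbox            # hypothetical name
  namespace: testing
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - api.dropboxapi.com
    tls:
      mode: PASSTHROUGH           # route on SNI, do not terminate TLS
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: dropbox-via-egress        # hypothetical name
  namespace: testing
spec:
  hosts:
  - api.dropboxapi.com
  gateways:
  - mesh                          # applies to sidecars in the mesh
  - egress-dropbox                # and to the egress gateway itself
  tls:
  - match:                        # hop 1: sidecar -> egress gateway
    - gateways: [mesh]
      port: 443
      sniHosts: [api.dropboxapi.com]
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 443
  - match:                        # hop 2: egress gateway -> external host
    - gateways: [egress-dropbox]
      port: 443
      sniHosts: [api.dropboxapi.com]
    route:
    - destination:
        host: api.dropboxapi.com
        port:
          number: 443
```

With `exportTo: ["."]` and `resolution: NONE` as in the question's ServiceEntry, the gateway in `istio-system` has no upstream cluster for the host, so the second hop fails until a ServiceEntry matching the assumptions above exists.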