GAP Documentation

Egress Gateway

This document describes the supported egress gateway use cases.

Wildcard hosts routed through whitelist-internal static IP gateway

This use case routes egress traffic through egress gateways that run on whitelist-internal static IP nodes, which are intended e.g. for internal (e.g. suite) traffic that requires static IP communication from GAP.

The traffic from the pod has to be HTTPS.

The following resources need to be deployed within the gap folder. They can also be placed in gap/stage and/or gap/prod to deploy them only to those specific environments.

Take care when configuring these resources:

  • The wildcard hosts (the list can contain several) should be reflected exactly in each section marked with <host>.
  • The <workload-source-label> should be the label that the target workload has. It can be:
    • when targeting a single deployment for the routing: app: <deployment-name> (e.g. <deployment-name> being contact-data-proxy)
    • when applying on an application level: applicationName: <app-name> (e.g. <app-name> being contact-data)

# gap/gap-wildcard-<applicable-name>-virtual-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-wildcard-<applicable-name>-through-egress-gateway
spec:
  exportTo:
  - .
  - istio-egress-gateway
  hosts:
    - <host> #e.g "*.emarsys.com"
  gateways:
  - mesh
  - istio-egress-gateway/wildcard-whitelist-internal-egress-gateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
        - <host> #e.g "*.emarsys.com"
      sourceLabels:
        <workload-source-label> #app: contact-data-proxy
    route:
    - destination:
        host: wildcard-whitelist-internal-egress-gateway.istio-egress-gateway.svc.cluster.local
  tcp:
  - match:
    - gateways:
      - istio-egress-gateway/wildcard-whitelist-internal-egress-gateway
      port: 443
    route:
    - destination:
        host: "dummy.local"

# gap/gap-wildcard-<applicable-name>-service-entry.yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: wildcard-<applicable-name>
spec:
  exportTo:
  - .
  hosts:
    - <host> #e.g "*.emarsys.com"
  ports:
  - number: 443
    name: tls
    protocol: TLS
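
A lint for the cautions listed above, as an added example that is not part of the GAP documentation: it checks that the host list is identical in the VirtualService `hosts`, every `sniHosts` list and the ServiceEntry `hosts`, that each TLS match carries `sourceLabels`, and that the ServiceEntry declares port 443 with protocol TLS. It assumes the manifests are already parsed into dicts by a YAML loader of your choice; the function name `check_wildcard_egress` and the sample manifests are constructed for illustration.

```python
# Added example: lint for the VirtualService / ServiceEntry pair described above.
# Inputs are the manifests as plain dicts (assumption: parsed by any YAML loader).

def check_wildcard_egress(vs, se):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    vs_hosts = set(vs["spec"].get("hosts", []))
    se_hosts = set(se["spec"].get("hosts", []))
    if not vs_hosts:
        problems.append("VirtualService has no hosts")
    if vs_hosts != se_hosts:
        diff = sorted(vs_hosts ^ se_hosts)
        problems.append(f"ServiceEntry hosts differ from VirtualService hosts: {diff}")
    for i, rule in enumerate(vs["spec"].get("tls", [])):
        for j, match in enumerate(rule.get("match", [])):
            where = f"tls[{i}].match[{j}]"
            sni = set(match.get("sniHosts", []))
            if sni != vs_hosts:
                problems.append(f"{where}: sniHosts differ from hosts: {sorted(sni ^ vs_hosts)}")
            labels = match.get("sourceLabels")
            if not isinstance(labels, dict) or not labels:
                problems.append(f"{where}: sourceLabels missing; match is not limited to the target workload")
    ports = se["spec"].get("ports", [])
    if not any(p.get("number") == 443 and p.get("protocol") == "TLS" for p in ports):
        problems.append("ServiceEntry does not declare port 443 with protocol TLS")
    return problems

# Constructed sample manifests (host and label taken from the page's "e.g." comments).
GOOD_VS = {"spec": {
    "hosts": ["*.emarsys.com"],
    "tls": [{"match": [{"gateways": ["mesh"], "port": 443,
                        "sniHosts": ["*.emarsys.com"],
                        "sourceLabels": {"app": "contact-data-proxy"}}]}],
}}
GOOD_SE = {"spec": {"hosts": ["*.emarsys.com"],
                    "ports": [{"number": 443, "name": "tls", "protocol": "TLS"}]}}

# Constructed faulty variant: a second host added to hosts only, sourceLabels dropped.
BAD_VS = {"spec": {
    "hosts": ["*.emarsys.com", "*.example.com"],
    "tls": [{"match": [{"gateways": ["mesh"], "port": 443,
                        "sniHosts": ["*.emarsys.com"]}]}],
}}

if __name__ == "__main__":
    for name, vs in (("good", GOOD_VS), ("bad", BAD_VS)):
        print(name, check_wildcard_egress(vs, GOOD_SE) or "OK")
```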