Zone Egress

ZoneEgress proxy is used when it is required to isolate outgoing traffic (to services in other zones or external services in the local zone). and you want to achieve isolation of outgoing traffic (to services in other zones or external services in the local zone), you can use ZoneEgress proxy.

This proxy is not attached to any particular workload. In multi-zone the proxy is bound to a specific zone. Zone Egress can proxy the traffic between all meshes, so we need only one deployment for every zone.

When Zone Egress is present:

  • In multi-zone, all requests that are sent from local data plane proxies to other zones will be directed through the local Zone Egress instance, which then will direct the traffic to the proper instance of the Zone Ingress.
  • All requests that are sent from local data plane proxies to external services available within the Zone will be directed through the local Zone Egress instance.

Currently ZoneEgress is a purely optional component. In the future it will become compulsory for using external services.

The ZoneEgress entity includes a few sections:

  • type: must be ZoneEgress.
  • name: this is the name of the ZoneEgress instance, and it must be unique for any given zone.
  • networking: contains networking parameters of the Zone Egress
    • address: the address of the network interface Zone Egress is listening on.
    • port: is a port that Zone Egress is listening on
    • admin: determines parameters related to Envoy Admin API
      • port: the port that Envoy Admin API will listen to
  • zone [auto-generated on Kuma CP] : zone where Zone Egress belongs to

  • Kubernetes

  • Universal

The recommended way to deploy a ZoneEgress proxy in Kubernetes is to use kumactl, or the Helm charts as specified in multi-zone . It works as a separate deployment of a single-container pod.

Standalone:

  1. kumactl install control-plane \
  2. --egress-enabled \
  3. [...] | kubectl apply -f -

Multi-zone:

  1. kumactl install control-plane \
  2. --mode=zone \
  3. --zone=<my-zone> \
  4. --kds-global-address grpcs://`<global-kds-address>` \
  5. --egress-enabled \
  6. [...] | kubectl apply -f -

Standalone

In Universal mode, the token is required to authenticate ZoneEgress instance. Create the token by using kumactl binary:

  1. kumactl generate zone-token --valid-for 24h --scope egress > /path/to/token

Create a ZoneEgress data plane proxy configuration to allow kuma-cp services to be configured to proxy traffic to other zones or external services through zone egress:

  1. type: ZoneEgress
  2. name: zoneegress-1
  3. networking:
  4. address: 192.168.0.1
  5. port: 10002

Apply the egress configuration, passing the IP address of the control plane and your instance should start.

  1. kuma-dp run \
  2. --proxy-type=egress \
  3. --cp-address=https://<kuma-cp-address>:5678 \
  4. --dataplane-token-file=/path/to/token \
  5. --dataplane-file=/path/to/config

Multi-zone

Multi-zone deployment is similar and for deployment, you should follow multi-zone deployment instruction .

A ZoneEgress deployment can be scaled horizontally.

Configuration

mTLS is required to enable ZoneEgress. In addition, there’s a configuration in the Mesh policy to route traffic through the ZoneEgress

  1. echo "apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4. name: default
  5. spec:
  6. routing:
  7. zoneEgress: true
  8. mtls: # mTLS is required to use ZoneEgress
  9. [...]" | kubectl apply -f -
  1. cat <<EOF | kumactl apply -f -
  2. type: Mesh
  3. name: default
  4. mtls: # mTLS is required to use ZoneEgress
  5. [...]
  6. routing:
  7. zoneEgress: true
  8. EOF

This configuration will force cross zone communication to go through ZoneEgress. If enabled but no ZoneEgress is available the communication will fail.