{"id":72882,"date":"2025-06-30T11:44:57","date_gmt":"2025-06-30T06:14:57","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=72882"},"modified":"2025-07-09T11:14:13","modified_gmt":"2025-07-09T05:44:13","slug":"deploying-egress-gateway-in-kubernetes-istio","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/deploying-egress-gateway-in-kubernetes-istio\/","title":{"rendered":"Deploying Egress Gateway in Kubernetes : Istio"},"content":{"rendered":"<h1><span style=\"color: #000000;\">Introduction<\/span><\/h1>\n<p><span style=\"color: #000000;\">Nowadays, in microservices architectures, we have started using a service mesh like <a href=\"https:\/\/istio.io\/latest\/docs\/overview\/what-is-istio\/\">Istio<\/a> to manage and secure traffic flow inside a Kubernetes cluster. In an <a href=\"https:\/\/istio.io\/latest\/docs\/overview\/what-is-istio\/\">Istio<\/a> service mesh, we use ingress and egress gateways to route inbound and outbound traffic. In this blog, we will look at how to use an egress gateway to route external traffic leaving the mesh.<\/span><\/p>\n<h2><span style=\"color: #000000;\">Prerequisites<\/span><\/h2>\n<ul>\n<li><span style=\"color: #000000;\">Basic understanding of Kubernetes and its networking.<\/span><\/li>\n<li><span style=\"color: #000000;\">A Kubernetes cluster that has already been set up with Istio installed.<\/span><\/li>\n<li><span style=\"color: #000000;\">istioctl should be installed.<\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\">You can use the command below to confirm that Istio is installed in your Kubernetes cluster.
Istio components such as <strong>istiod<\/strong> will be listed.<\/span><\/p>\n<pre><span style=\"color: #000000;\">kubectl get pods -n istio-system<\/span><\/pre>\n<h2><span style=\"color: #000000;\">Step 1: Allowing the sidecar injection<\/span><\/h2>\n<p><span style=\"color: #000000;\">We need to label the namespaces so that the sidecar can be injected. You can use the commands below for this:<\/span><\/p>\n<pre><span style=\"color: #000000;\">kubectl label namespace egress istio-injection=enabled\r\nkubectl label namespace default istio-injection=enabled\r\n<\/span><\/pre>\n<h2><span style=\"color: #000000;\">Step 2: Deploying a sample application<\/span><\/h2>\n<pre><span style=\"color: #000000;\">kubectl apply -f https:\/\/raw.githubusercontent.com\/istio\/istio\/refs\/heads\/master\/samples\/sleep\/sleep.yaml<\/span><\/pre>\n<p><span style=\"color: #000000;\">We will use this sample application to test whether traffic is going through the egress gateway.<\/span><\/p>\n<h2><span style=\"color: #000000;\">Step 3: Updating mesh configuration<\/span><\/h2>\n<p><span style=\"color: #000000;\">By default, Istio allows unrestricted traffic to external services. Let&#8217;s restrict it by updating &#8220;outboundTrafficPolicy&#8221; to &#8220;REGISTRY_ONLY&#8221;.<\/span><\/p>\n<pre><span style=\"color: #000000;\">kubectl -n istio-system get configmap<\/span><\/pre>\n<pre><span style=\"color: #000000;\">kubectl -n istio-system edit configmap istio<\/span><\/pre>\n<p><span style=\"color: #000000;\">It will look like the example below; update &#8220;outboundTrafficPolicy&#8221; as shown:<\/span><\/p>\n<div id=\"attachment_73013\" style=\"width: 400px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73013\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73013\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.03.44\u202fPM.png\" 
alt=\"configMap\" width=\"390\" height=\"264\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.03.44\u202fPM.png 788w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.03.44\u202fPM-300x203.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.03.44\u202fPM-768x520.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.03.44\u202fPM-624x423.png 624w\" sizes=\"(max-width: 390px) 100vw, 390px\" \/><p id=\"caption-attachment-73013\" class=\"wp-caption-text\">configMap<\/p><\/div>\n<p><span style=\"color: #000000;\">Restart the Istio control plane so that the changes take effect. This blocks all egress traffic except traffic to the external services defined in a ServiceEntry.<\/span><\/p>\n<p>&nbsp;<\/p>\n<div id=\"attachment_72930\" style=\"width: 1108px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-72930\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-72930\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/06\/egress.png\" alt=\"Traffic Flow\" width=\"1098\" height=\"190\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/06\/egress.png 2714w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/egress-300x52.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/egress-1024x177.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/egress-768x133.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/egress-1536x266.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/egress-2048x355.png 2048w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/egress-624x108.png 624w\" sizes=\"(max-width: 1098px) 100vw, 1098px\" \/><p id=\"caption-attachment-72930\" class=\"wp-caption-text\">Traffic Flow<\/p><\/div>\n<h2><span style=\"color: #000000;\">Step 4: Creating Service Entry and ServiceAccount<\/span><\/h2>\n<p><span style=\"color: #000000;\">To enable egress traffic to external hosts, we need to define a ServiceEntry for those hosts.<\/span><\/p>\n<div 
id=\"attachment_73015\" style=\"width: 460px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73015\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73015\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.06.22\u202fPM.png\" alt=\"ServiceEntry\" width=\"450\" height=\"656\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.06.22\u202fPM.png 834w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.06.22\u202fPM-206x300.png 206w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.06.22\u202fPM-702x1024.png 702w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.06.22\u202fPM-768x1120.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.06.22\u202fPM-624x910.png 624w\" sizes=\"(max-width: 450px) 100vw, 450px\" \/><p id=\"caption-attachment-73015\" class=\"wp-caption-text\">ServiceEntry<\/p><\/div>\n<p><span style=\"color: #000000;\"><strong>Note: &#8220;exportTo&#8221; defines the namespaces to which the ServiceEntry applies. Right now, it is set to exportTo: [&#8220;.&#8221;], which means it applies to the current namespace.
You can use &#8220;*&#8221; instead of &#8220;.&#8221; to make it applicable to all namespaces.<\/strong><\/span><\/p>\n<h2><span style=\"color: #000000;\">Step 5: Deploying Egress Gateway Deployment<\/span><\/h2>\n<div id=\"attachment_73016\" style=\"width: 494px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73016\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73016\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.08.44\u202fPM.png\" alt=\"Deployment\" width=\"484\" height=\"831\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.08.44\u202fPM.png 852w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.08.44\u202fPM-175x300.png 175w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.08.44\u202fPM-597x1024.png 597w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.08.44\u202fPM-768x1318.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.08.44\u202fPM-624x1071.png 624w\" sizes=\"(max-width: 484px) 100vw, 484px\" \/><p id=\"caption-attachment-73016\" class=\"wp-caption-text\">Deployment<\/p><\/div>\n<h2><span style=\"color: #000000;\">Step 6 : Deploying Service<\/span><\/h2>\n<div id=\"attachment_73017\" style=\"width: 480px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73017\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73017\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.11.35\u202fPM.png\" alt=\"Service\" width=\"470\" height=\"626\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.11.35\u202fPM.png 844w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.11.35\u202fPM-225x300.png 225w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.11.35\u202fPM-769x1024.png 769w, 
\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.11.35\u202fPM-768x1023.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.11.35\u202fPM-624x831.png 624w\" sizes=\"(max-width: 470px) 100vw, 470px\" \/><p id=\"caption-attachment-73017\" class=\"wp-caption-text\">Service<\/p><\/div>\n<h2><span style=\"color: #000000;\">Step 7: Deploying the Gateway<\/span><\/h2>\n<p>Let&#8217;s deploy the egress gateway using below yaml as it would be the point of exit from the mesh.<\/p>\n<div id=\"attachment_73018\" style=\"width: 470px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73018\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73018\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.13.14\u202fPM.png\" alt=\"Gateway\" width=\"460\" height=\"613\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.13.14\u202fPM.png 844w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.13.14\u202fPM-225x300.png 225w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.13.14\u202fPM-769x1024.png 769w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.13.14\u202fPM-768x1023.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.13.14\u202fPM-624x831.png 624w\" sizes=\"(max-width: 460px) 100vw, 460px\" \/><p id=\"caption-attachment-73018\" class=\"wp-caption-text\">Gateway<\/p><\/div>\n<h2><span style=\"color: #000000;\">Step 8 : Deploying DestinationRule\u00a0<\/span><\/h2>\n<p>Let&#8217;s create a DestinationRule as it would be defining the destination host and subset name that would be referenced by virtual service.<\/p>\n<div id=\"attachment_73019\" style=\"width: 479px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73019\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73019\" 
src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.14.19\u202fPM.png\" alt=\"DestinationRule\" width=\"469\" height=\"246\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.14.19\u202fPM.png 892w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.14.19\u202fPM-300x157.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.14.19\u202fPM-768x403.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.14.19\u202fPM-624x327.png 624w\" sizes=\"(max-width: 469px) 100vw, 469px\" \/><p id=\"caption-attachment-73019\" class=\"wp-caption-text\">DestinationRule<\/p><\/div>\n<h2><span style=\"color: #000000;\">Step 9 : Deploying NetworkPolicy\u00a0<\/span><\/h2>\n<p>Below network policy would make sure that our Egress gateway can receive traffic from Istio control plane and Sample App.<\/p>\n<div id=\"attachment_73020\" style=\"width: 546px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73020\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73020\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.15.52\u202fPM.png\" alt=\"NetworkPolicy\" width=\"536\" height=\"985\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.15.52\u202fPM.png 782w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.15.52\u202fPM-163x300.png 163w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.15.52\u202fPM-558x1024.png 558w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.15.52\u202fPM-768x1410.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.15.52\u202fPM-624x1146.png 624w\" sizes=\"(max-width: 536px) 100vw, 536px\" \/><p id=\"caption-attachment-73020\" class=\"wp-caption-text\">NetworkPolicy<\/p><\/div>\n<h2><span style=\"color: #000000;\">Step 10 : Deploying 
VirtualService<\/span><\/h2>\n<p><span style=\"color: #000000;\">This VirtualService routes traffic originating from the mesh (sidecar proxy) on port 80 or 443 to the egress gateway, and from there to the external host.<\/span><\/p>\n<div id=\"attachment_73021\" style=\"width: 625px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73021\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73021\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.18.15\u202fPM.png\" alt=\"VirtualService\" width=\"615\" height=\"1315\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.18.15\u202fPM.png 786w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.18.15\u202fPM-140x300.png 140w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.18.15\u202fPM-479x1024.png 479w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.18.15\u202fPM-768x1642.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.18.15\u202fPM-719x1536.png 719w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-01-at-6.18.15\u202fPM-624x1334.png 624w\" sizes=\"(max-width: 615px) 100vw, 615px\" \/><p id=\"caption-attachment-73021\" class=\"wp-caption-text\">VirtualService<\/p><\/div>\n<h2><span style=\"color: #000000;\">Let&#8217;s test the traffic now to make sure it&#8217;s going through our egress gateway<\/span><\/h2>\n<pre><span style=\"color: #000000;\">kubectl exec -it deployment\/sleep -c sleep -- curl -I https:\/\/edition.cnn.com<\/span><\/pre>\n<p><span style=\"color: #000000;\">Then we can look at the logs to confirm that the traffic is going through our egress gateway.<\/span><\/p>\n<pre><span style=\"color: #000000;\">kubectl logs &lt;Pod-name&gt; -c istio-proxy<\/span><\/pre>\n<p><span style=\"color: #000000;\">Below is an example of what the logs look like:<\/span><\/p>\n<pre><span style=\"color: 
#000000;\">[2025-06-25T23:32:42.892Z] \"- - -\" 0 - - - \"-\" 304 6087 101 - \"-\" \"-\" \"-\" \"-\" \"52.7.212.xx:xxx\" outbound|443||edition.cnn.co 10.23.43.x:xxxxx 10.23.43.x:xxx 10.23.20.xx:xxxxx edition.cnn.com -<\/span><\/pre>\n<h2><span style=\"color: #000000;\">Conclusion<\/span><\/h2>\n<p>You have now configured a secure way to send outbound traffic from the Kubernetes cluster using Istio&#8217;s Egress Gateway. It also adds a layer of security that aligns with the best practices that should be followed in mesh architectures for outbound traffic.<\/p>\n<p>You can also refer to the official Istio Egress Gateway documentation: <a href=\"https:\/\/istio.io\/latest\/docs\/tasks\/traffic-management\/egress\/egress-gateway\">https:\/\/istio.io\/latest\/docs\/tasks\/traffic-management\/egress\/egress-gateway<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Nowadays, In\u00a0microservices architectures we have started using service mesh like Istio for managing and securing the traffic flow inside Kubernetes cluster ,In Istio service mesh we use Ingress and Egress gateways for routing the inbound and outbound traffic. 
In this blog we will be looking on how we can use Egress gateway to route [&hellip;]<\/p>\n","protected":false},"author":1834,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":153},"categories":[5877],"tags":[7533,7547,5403],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/72882"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1834"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=72882"}],"version-history":[{"count":21,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/72882\/revisions"}],"predecessor-version":[{"id":73138,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/72882\/revisions\/73138"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=72882"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=72882"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=72882"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}