Egress Blocking Based on IP Address


We would like to use Istio for achieving blocking of egress access from applications and to have an allow-list/block-list of IP Addresses and CIDR blocks. Are there any solutions possible using Istio?

-Renjith


We would like to use Istio for achieving blocking of egress access from applications

I think you could use REGISTRY_ONLY outboundTrafficPolicy.mode for that.

Istio has an installation option, meshConfig.outboundTrafficPolicy.mode, that configures the sidecar handling of external services, that is, those services that are not defined in Istio’s internal service registry. If this option is set to ALLOW_ANY, the Istio proxy lets calls to unknown services pass through. If the option is set to REGISTRY_ONLY, then the Istio proxy blocks any host without an HTTP service or service entry defined within the mesh. ALLOW_ANY is the default value, allowing you to start evaluating Istio quickly, without controlling access to external services. You can then decide to configure access to external services later.

More about that here and here.

and to have an allow-list/block-list of IP Addresses and CIDR blocks.

AFAIK the only way to create an allow/block list in Istio is with AuthorizationPolicy or EnvoyFilter.

I have found a few examples where they used AuthorizationPolicy with an egress gateway, for example here.

They just changed the AuthorizationPolicy label from app: istio-ingressgateway to app: istio-egressgateway.

spec:
  selector:
    matchLabels:
      app: istio-egressgateway

I was looking for any example with ip/cidr, but I couldn't find anything, so I'm not sure if that's gonna work with the egress gateway.

Additional resources:
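The following manifests are an added example (not the answerer's code and not from the Istio docs) that puts the two pieces of the answer together: `REGISTRY_ONLY` so the sidecar drops traffic to anything not in the registry, ServiceEntries that act as the allow-list (one by hostname, one by CIDR via `addresses`), and a DENY AuthorizationPolicy on the egress gateway that block-lists caller CIDRs. All hostnames, CIDRs and resource names are constructed placeholders (`api.example.com`, `203.0.113.0/24`, `10.10.0.0/16`) and should be replaced with your own.

```yaml
# Added example, not part of the original answer. Assumes a default Istio
# install where the egress gateway runs in istio-system with label
# app: istio-egressgateway. Apply with: kubectl apply -f <this-file>
---
# 1. Default-deny egress: sidecars only forward to hosts known to the registry.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: egress-registry-only
  namespace: istio-system
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
---
# 2a. Allow-list by hostname: the only HTTPS destination the mesh may reach.
#     Hostname is a constructed placeholder.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: allow-api-example
  namespace: istio-system
spec:
  hosts:
  - api.example.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
---
# 2b. Allow-list by CIDR: raw TCP to an external range. With resolution NONE
#     the sidecar matches on destination IP, so only 203.0.113.0/24 (a
#     constructed TEST-NET range) on port 5432 gets through; everything else
#     is still dropped by REGISTRY_ONLY. The host field is a label only.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: allow-db-range
  namespace: istio-system
spec:
  hosts:
  - db-range.example.internal
  addresses:
  - 203.0.113.0/24
  location: MESH_EXTERNAL
  ports:
  - number: 5432
    name: tcp-db
    protocol: TCP
  resolution: NONE
---
# 3. Block-list of *callers* at the egress gateway. ipBlocks matches the
#    source address of the connection reaching the gateway (the calling pod's
#    IP inside the mesh), so this denies any workload in 10.10.0.0/16 from
#    using the gateway at all, regardless of destination.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: egress-caller-blocklist
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-egressgateway
  action: DENY
  rules:
  - from:
    - source:
        ipBlocks:
        - 10.10.0.0/16
```

Two caveats when reading this. First, the AuthorizationPolicy only sees traffic that is actually routed through the egress gateway; that routing (a Gateway, DestinationRule and VirtualService pointing at `istio-egressgateway`) is not shown here, and a sidecar that talks straight to the external host bypasses the policy, which is why REGISTRY_ONLY plus ServiceEntries is the layer that constrains destinations. Second, `source.ipBlocks` filters by who is calling, not by the external IP being called, so the destination allow-list lives in the ServiceEntries (hostname or CIDR), and the policy is the place for a caller block-list. Verify the effect with `istioctl proxy-config cluster <pod>` (the external hosts should appear) and by curling a host that is not listed from inside a sidecar-injected pod, which should fail.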