What are ingress and egress

Istio ingress and egress gateways

In today’s blogpost we’re going to be discussing ingress and egress gateways. First, we’ll cover the basics, then we’ll go into detail and explore how they work through a series of practical examples. Ingress and egress gateways are load balancers that operate at the edges of a network and receive incoming or outgoing HTTP/TCP connections. Ingress gateways make it possible to define entry points into an Istio mesh for all incoming traffic to flow through. Egress gateways are similar: they define exit points from the mesh, but also allow Istio features to be applied to the traffic exiting the mesh. Some examples of these features are monitoring, routing rules and retries.

The Gateway resource describes the port configuration of the gateway deployment that operates at the edge of the mesh and receives incoming or outgoing HTTP/TCP connections. The specification describes a set of ports that should be exposed, the type of protocol to use, TLS configuration – if any – of the exposed ports, and so on. For more information about Gateways, see the Istio documentation.

VirtualService defines a set of traffic routing rules to apply when a host is addressed. Each routing rule defines matching criteria for the traffic of a specific protocol. If the traffic matches a routing rule, then it is sent to a named destination service defined in the registry. For example, it can route requests to different versions of a service or to a completely different service than was requested. Requests can be routed based on the request source and destination, HTTP paths and header fields, and weights associated with individual service versions.

Istio Ingress and Egress Gateways, showtime

Our only prerequisite before exploring these concepts through examples is the creation of a Kubernetes cluster.

You can create a Kubernetes cluster on five different cloud providers, or on-premise via the free developer version of the Pipeline platform. But you can also bring your own cluster.

Install Istio using Backyards

The easiest way to install a production ready Istio and a demo application on a brand new cluster is to use the Backyards CLI.

Register for an evaluation version and run the following command to install the CLI tool (KUBECONFIG must be set for your cluster):

As you might know, Cisco has recently acquired Banzai Cloud. Currently we are in a transitional period and are moving our infrastructure. Contact us so we can discuss your needs and requirements, and organize a live demo.

Evaluation downloads are temporarily suspended. Contact us to discuss your needs and requirements, and organize a live demo.

This command installs Istio with the Banzai Cloud open-source Istio operator, then installs Backyards itself, as well as an application for demonstration purposes. After the installation has finished, the Backyards UI will automatically open and send some traffic to the demo application. Issuing this one simple command causes Backyards to start a new Istio mesh in just a few minutes!

Using the main ingress gateway

Remember, as we talked about earlier in this post, ingress gateways enable us to expose services to the external world. Accordingly, an ingress gateway serves as the entry point for all services running within the mesh.


Determining the ingress IP

In order to expose a service, you must first know the external IP of the ingress gateway. Fortunately, the Banzai Cloud Istio operator helps us with this.

In general, you should manually set an external hostname that points to these addresses, but for demo purposes you can use xip.io, which is a domain name that provides wildcard DNS for any IP address.

Expose a service through the ingress gateway

The demo application that comes with Backyards contains several microservices. The frontpage service serves as the entry point of that application. Now, let’s create a Gateway and a VirtualService resource to expose the frontpage service.

Create Gateway resource

The following Gateway resource configures listening ports on the matching gateway deployment.

Create VirtualService resource

The following VirtualService resource configures routing for the external hosts within the mesh.
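The resource pair below is an added example, not the post’s own manifests (which are not reproduced here). It assumes that the main ingress gateway pods carry the `istio: ingressgateway` label, that the demo frontpage is the `frontpage` service on port 8080 in the `backyards-demo` namespace, and that `INGRESS_IP` stands for the external address determined in the previous step.

```yaml
# Added example: expose the demo frontpage through the main ingress gateway.
# Assumptions (not taken from the post): the main ingress gateway deployment is
# labelled istio=ingressgateway, the target is frontpage:8080 in backyards-demo,
# and INGRESS_IP is a placeholder for the ingress gateway's external IP.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: frontpage-gateway
  namespace: backyards-demo
spec:
  selector:
    istio: ingressgateway        # picks the gateway deployment that gets this listener
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - frontpage.INGRESS_IP.xip.io  # only this Host header is accepted on the listener
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontpage
  namespace: backyards-demo
spec:
  hosts:
  - frontpage.INGRESS_IP.xip.io
  gateways:
  - frontpage-gateway            # bind to the Gateway above, not to the in-mesh "mesh" gateway
  http:
  - route:
    - destination:
        host: frontpage.backyards-demo.svc.cluster.local
        port:
          number: 8080
```

Because the Gateway lists one exact host rather than `*`, a request arriving on port 80 with any other Host header is rejected at the edge instead of being forwarded into the mesh.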

Access the service on the external address


Create and use multiple ingress gateways

Having one ingress and egress gateway to handle incoming and outgoing traffic from the mesh is part of a basic Istio installation and has been supported by the Banzai Cloud Istio operator from day one, but in large enterprise deployments our customers typically use Backyards with multiple ingress or egress gateways.


The Banzai Cloud Istio operator and multiple gateways

The Banzai Cloud Istio operator has an Istio custom resource that defines mesh configurations. The main ingress/egress gateways are part of the specifications of that resource.

One way to support multiple gateways would have been to add support for specifying them in the existing custom resource. But we chose a radically different approach for the following reasons:

Create a new service in the default namespace and expose it

To demonstrate how to create and use multiple ingress gateways, let’s add a simple service to the default namespace.

It would be possible to expose this echo service through the existing ingress gateway, similar to the way we would for the frontpage service, but let’s assume we need to expose this service on port 8000, without modifying the existing ingress gateway.

Create a new ingress gateway using the MeshGateway resource

Apply the following resource and the operator will create a new ingress gateway deployment, and a corresponding service.

The MeshGateway resource automatically labels the created Service and Deployment resources with the gateway-name and gateway-type labels and their corresponding values.

Get the echo ingress gateway IP

Create Gateway and VirtualService resources

Just like in the first example, the following Gateway and VirtualService resources are necessary to configure listening ports on the matching gateway deployment.
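The manifests below are an added example of the MeshGateway, Gateway and VirtualService trio, not the post’s own resources. They assume the operator’s MeshGateway API is `istio.banzaicloud.io/v1beta1`, that the `gateway-name` and `gateway-type` labels take the resource name and `spec.type` as their values, that `echo` is a ClusterIP service on port 80 in `default`, and that `ECHO_INGRESS_IP` is a placeholder for the new gateway’s external address.

```yaml
# Added example: a dedicated ingress gateway for the echo service on port 8000.
# Assumptions (not taken from the post): MeshGateway API version, the label values
# the operator assigns, echo listening on port 80, and the ECHO_INGRESS_IP placeholder.
apiVersion: istio.banzaicloud.io/v1beta1
kind: MeshGateway
metadata:
  name: echo-ingressgateway
  namespace: default
spec:
  type: ingress
  serviceType: LoadBalancer
  ports:
  - name: http
    port: 8000             # port exposed by the load balancer service
    targetPort: 8000       # port Envoy listens on inside the gateway pod
    protocol: TCP
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: echo-gateway
  namespace: default
spec:
  selector:
    gateway-name: echo-ingressgateway   # labels the operator puts on the new deployment
    gateway-type: ingress               # so the listener lands only on this gateway
  servers:
  - port:
      number: 8000
      name: http
      protocol: HTTP
    hosts:
    - echo.ECHO_INGRESS_IP.xip.io
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echo
  namespace: default
spec:
  hosts:
  - echo.ECHO_INGRESS_IP.xip.io
  gateways:
  - echo-gateway
  http:
  - route:
    - destination:
        host: echo.default.svc.cluster.local
        port:
          number: 80
```

Because the Gateway selector matches the new deployment’s labels and nothing else, the main ingress gateway’s listeners are left untouched; a selector of `istio: ingressgateway` here would instead have opened port 8000 on the shared gateway.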

Access the echo service on the external address

The ability to easily create ingress gateways gives you fine-grained control over how services are exposed to the outside world. That way, teams can manage the exposure of their own services without running the risk of misconfiguring the services of other teams. Another way of tackling this potential issue is to have separate load balancer configurations with, for example, different port-level settings.

Accessing External Services

Direct outbound traffic

Any traffic that’s outbound from a pod with an Istio sidecar will also pass through that sidecar’s container, or, more precisely, through Envoy. Therefore, the accessibility of external services depends on the configuration of that Envoy proxy. By default, Istio configures the Envoy proxy to pass through requests for unknown services. Although this provides a convenient way of getting started with Istio, it’s generally a good idea to put stricter controls in place.

To read more about the Sidecar object configuration, check out this informative blog post.


Check the default outbound traffic policy

This traffic policy should be set to ALLOW_ANY by default.

Make an HTTP request to httpbin.org from the echo service container in the default namespace

This should work fine, since, by default, every sidecar sends traffic towards unknown services through its passthrough proxy.

Change the default outbound traffic policy to block unknown services

Now we’re going to demonstrate a more controlled way of enabling access to external services. Change the spec.outboundTrafficPolicy.mode option from the ALLOW_ANY mode to the REGISTRY_ONLY mode in the mesh Istio resource in the istio-system namespace.

Make another HTTP request to httpbin.org from the echo service container in the default namespace

Now we get a 502 response code: traffic towards external services is blocked, because it is being routed to Envoy’s blackhole cluster.

Create a ServiceEntry to allow HTTP access to httpbin.org

ServiceEntry resources enable adding additional entries into Istio’s internal service registry, so that auto-discovered services in the mesh can access/route to these manually specified services. A service entry describes the properties of a service (DNS name, VIPs, ports, protocols, endpoints). These services could be external to the mesh (for example, web APIs) or mesh-internal services that are not part of the platform’s service registry. For more information about the ServiceEntry resource, see the Istio documentation.

Apply the following ServiceEntry to allow for HTTP access to httpbin.org
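As an added example covering both steps (the policy change above and this ServiceEntry), not the post’s own manifests: the first fragment shows only the `outboundTrafficPolicy` field of the mesh Istio resource, assuming it is the `istio.banzaicloud.io/v1beta1` resource named `mesh` in `istio-system` and that the rest of its spec is edited in place rather than replaced; the second is a standard ServiceEntry for httpbin.org.

```yaml
# Added example: lock outbound traffic to the registry, then allow exactly httpbin.org.
# Assumptions (not taken from the post): the operator's Istio API version and the
# resource name "mesh"; only the changed field of that resource is shown here.
apiVersion: istio.banzaicloud.io/v1beta1
kind: Istio
metadata:
  name: mesh
  namespace: istio-system
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY     # was ALLOW_ANY; unknown hosts now go to the blackhole cluster (502)
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-org
  namespace: default
spec:
  hosts:
  - httpbin.org             # exact host; a wildcard here would widen what sidecars may reach
  location: MESH_EXTERNAL   # endpoints live outside the mesh, so no mTLS is expected
  resolution: DNS           # Envoy resolves the name itself rather than trusting the original destination IP
  ports:
  - number: 80
    name: http
    protocol: HTTP          # HTTP, not TCP, so Istio can apply L7 routing and telemetry to it
```

Edit the existing Istio resource (for example with `kubectl edit`) instead of applying the trimmed fragment over it, or the unshown spec fields would be dropped. A ServiceEntry is visible to every namespace unless its `exportTo` field narrows it, so each entry added this way widens the reachable set for the whole mesh.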

Make another HTTP request to httpbin.org from the echo service container in the default namespace

Outbound traffic through an egress gateway

As you probably recall from earlier in this blogpost, egress gateways are exit points from the mesh that allow us to apply Istio features. This includes applying features like monitoring and route rules to traffic that’s exiting the mesh.

Use cases

Let’s take a quick look at some use cases.

Consider an organization which requires some, or all, outbound traffic to go through dedicated nodes. These nodes could be separated from the rest of the nodes for the purposes of monitoring and policy enforcement.

Now imagine a cluster where the application nodes don’t have public IPs, so the in-mesh services that run on them cannot access the internet directly. Defining an egress gateway and routing egress traffic through it, then allocating public IPs to the gateway nodes would allow for controlled access to external services.


Create an egress gateway with the MeshGateway resource

Apply the following resource and the Istio operator will create a new egress gateway deployment and a corresponding service.

Create a Gateway resource for the egress gateway

Similar to the ingress gateway configuration, a Gateway resource must be created that will be a bridge between Istio configuration resources and the deployment of a matching gateway.

Apply the following Gateway resource to configure the outbound port, 80, on the egress gateway that was just defined in the previous step.

Define a VirtualService resource to direct traffic from the sidecars to the egress gateway

Apply the following VirtualService to direct traffic from the sidecars to the egress gateway and also from the egress gateway to the external service.
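The three manifests below are an added example of the egress procedure from the last three steps (MeshGateway, Gateway, VirtualService), not the post’s own resources. They assume the MeshGateway API is `istio.banzaicloud.io/v1beta1`, that the operator names the created Service after the MeshGateway and labels its pods `gateway-name=httpbin-egressgateway` and `gateway-type=egress`, and that a ServiceEntry for httpbin.org already exists.

```yaml
# Added example: send all in-mesh traffic for httpbin.org out through one egress gateway.
# Assumptions (not taken from the post): MeshGateway API version, the Service name and
# pod labels the operator produces, and an existing ServiceEntry for httpbin.org.
apiVersion: istio.banzaicloud.io/v1beta1
kind: MeshGateway
metadata:
  name: httpbin-egressgateway
  namespace: istio-system
spec:
  type: egress
  serviceType: ClusterIP   # reachable only from inside the cluster; nothing external needs it
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-egress
  namespace: istio-system
spec:
  selector:
    gateway-name: httpbin-egressgateway
    gateway-type: egress
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - httpbin.org          # the egress listener accepts only this host
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-through-egress
  namespace: istio-system
spec:
  hosts:
  - httpbin.org
  gateways:
  - mesh                   # first rule: every sidecar in the mesh
  - httpbin-egress         # second rule: the egress gateway itself
  http:
  - match:
    - gateways: [mesh]
      port: 80
    route:
    - destination:         # sidecars hand the request to the gateway Service
        host: httpbin-egressgateway.istio-system.svc.cluster.local
        port:
          number: 80
  - match:
    - gateways: [httpbin-egress]
      port: 80
    route:
    - destination:         # the gateway forwards it to the real external host
        host: httpbin.org
        port:
          number: 80
```

Once this is in place the gateway’s access log, rather than only the sidecar’s, records every request to httpbin.org, which is the single monitoring and policy point the use cases above call for.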

Resend an HTTP request to httpbin.org from the echo service container in the default namespace

The output should be the same as before, but the logs of the egress gateway show that the request actually went through it.

Takeaway

About Banzai Cloud Istio operator

Banzai Cloud Istio operator is a simple way to deploy, manage and maintain Istio service meshes, even in multi-cluster topologies.

About Backyards

Banzai Cloud’s Backyards is a multi- and hybrid-cloud enabled service mesh platform for constructing modern applications. Built on Kubernetes, our Istio operator and the Banzai Cloud Pipeline platform give you flexibility, portability, and consistency across on-premise datacenters and five cloud environments. Use our simple, yet extremely powerful UI and CLI, and experience automated canary releases, traffic shifting, routing, secure service communication, in-depth observability and more, for yourself.

About Banzai Cloud

Banzai Cloud is changing how private clouds are built: simplifying the development, deployment, and scaling of complex applications, and putting the power of Kubernetes and Cloud Native technologies in the hands of developers and enterprises, everywhere.


Ingress Vs Egress – What’s The Difference

Ingress vs egress: there seems to be a never-ending debate about these terms. They’re kind of archaic and their meaning seems to be different in different situations.

Today, we’ll do our best to try to shed some light on this mystery. We don’t want to get into a philosophical debate, though. Our only goal is to do our best to explain these terms and how they are typically used in the context of networking. But even that, as you’re about to see, can tend to be rather confusing.

Ingress Vs Egress

Defining Ingress And Egress

Linguistically speaking, defining either of those words could hardly be easier (pun intended). Let’s see what the Merriam-Webster dictionary has to say about it.

Here again, a pretty simple definition. If you care to check other sources, you’ll find a definite consensus. Ingress is getting in while egress is getting out.

In The Context Of Network Traffic

But this blog post is not about linguistics, it’s about network administration. And this is where ingress and egress can get a bit more confusing. It’s still the same idea, though: it has to do with data entering and leaving a network, a device or an interface. So far, nothing complicated. Where it gets tricky, though, is when people don’t agree on what’s in and what’s out. You see, sometimes the ins of one are the outs of another.

It All Depends On Your Point Of View

Ingress or egress, when referring to network traffic, has to do with how you see things, it depends on your point of view. In most other situations, in is in and out is out; there’s nothing confusing about that. This is, however, not so much the case with networks. Let’s try to clarify that using a few concrete examples.

Our first example is that of an Internet gateway. It could be a router, a proxy server or a firewall, that doesn’t matter. It is the device that sits between your local network and the Internet. In this case, I think everyone would agree that the Internet is considered as being the outside and the local network, the inside.

So, traffic coming FROM the Internet TO the local network would be ingress traffic and traffic FROM the local network TO the Internet would be egress traffic. So far, it’s still simple.

But if you look at things from a network interface point of view, things get different. In the previous example, if you look at traffic on the LAN interface, traffic going towards the Internet is now ingress traffic as it is entering the gateway. Likewise, traffic going toward the local network is now egress traffic as it is exiting the gateway.

To summarize, differentiating ingress and egress traffic requires that we all agree on what we’re talking about.

As we saw, ingress traffic in one context can be egress traffic in a different one. Our best suggestion would be to either avoid using these terms altogether or to clearly state their utilization context every time you use them. That way, you’ll avoid any confusion.

Monitoring Egress And Ingress Traffic

Now that we’re familiar with the terminology, let’s have a look at monitoring ingress and egress traffic.

Typically, this is done using special software called network monitoring or bandwidth monitoring tools. These tools use the Simple Network Management Protocol (SNMP) to read interface counters from network-connected equipment. These counters simply tally the number of bytes in and out of each network interface.

Note that monitoring tools rarely use ingress and egress and usually refer to traffic in and out of an interface. It is up to you, if you so desire, to determine which is ingress and which is egress traffic, again depending on the specific context.

A Few Tools We’d Recommend

There are many bandwidth or network monitoring tools available. Probably too many and picking the best one—or even just a good one—can be a challenge. We’ve tried many of the available tools and came up with this list of a few of the very best bandwidth monitoring tools you can find.

1. SolarWinds Network Performance Monitor (FREE TRIAL)

SolarWinds is one of the very best makers of network administration tools. The company’s flagship product is called the SolarWinds Network Performance Monitor, or NPM. It is a very complete network monitoring solution that features a user-friendly graphical user interface that administrators can use to monitor devices and to configure the tool.

The system uses SNMP to query devices and display their interfaces’ utilization as well as other useful metrics on a graphical dashboard.

In addition to this dashboard, various built-in reports can be generated either on-demand or based on a scheduled execution. And if the built-in reports don’t give you the information you need, they can be customized at will.

The package also includes a few useful tools such as the ability to display a visual rendition of the critical path between any two points of the network. This tool is highly scalable and it will suit any network from the smallest to large networks with thousands of devices spread over multiple sites.

The SolarWinds Network Performance Monitor’s alerting system is another place where the product shines. Like its reports, it is customizable if needed but it can also be used out-of-the-box with minimal configuration. The alerting engine is smart enough not to send notifications for “unimportant” events in the middle of the night or to send hundreds of notifications for as many unresponsive devices when the main issue is a down router or network switch upstream.

The pricing structure is actually rather complex and you should contact the SolarWinds sales team for a detailed quote.

If you prefer to try the product before purchasing it, a free 30-day trial version is available for download from the SolarWinds website.

2. ManageEngine OpManager

ManageEngine is another well-known publisher of network management tools.

The ManageEngine OpManager is a complete management solution that will handle pretty much any monitoring task you can throw at it.

The tool runs on either Windows or Linux and is loaded with great features. Among others, there is an auto-discovery feature that can map your network, giving you a uniquely customized dashboard.

The ManageEngine OpManager’s dashboard is super easy to use and navigate, thanks to its drill-down functionality. And if you are into mobile apps, there are apps for tablets and smartphones allowing you to access the tool from anywhere. This is an overall very polished and professional product.

Alerting is just as good in OpManager as are all its other components. There is a full complement of threshold-based alerts that will help detect, identify, and troubleshoot network issues. Multiple thresholds with different notifications can be set for all network performance metrics.

If you want to try the product before buying, a free version is available. Although it is a truly free version rather than a time-limited trial, it has some limitations such as letting you monitor no more than ten devices.

This is insufficient for all but the smallest of networks. For larger networks, you can choose between the Essential or the Enterprise plans. The first will let you monitor up to 1,000 nodes while the other goes up to 10,000.

3. PRTG Network Monitor

The PRTG Network Monitor, which we’ll simply refer to as PRTG, is another great monitoring system. Its publisher claims that this tool can monitor all systems, devices, traffic, and applications of your IT infrastructure. It is an all-inclusive package that does not rely on external modules or add-ons that need to be downloaded and installed. Because of its integrated nature, it is quicker and easier to install than most other network monitoring tools. You can choose between a few different user interfaces such as a Windows enterprise console, an Ajax-based web interface, and mobile apps for Android and iOS.

The PRTG Network Monitor is different from most other monitoring tools in that it is sensor-based. Various monitoring features can be added to the tool simply by configuring extra sensors. They are like plugins except that they are not external modules but are, instead, included with the product. PRTG includes over 200 such sensors that cover different monitoring needs. For network performance metrics, the QoS sensor and the Advanced PING Sensor allow you to monitor latency and jitter while the standard SNMP sensor will let you monitor throughput.

Egress In The Context Of Security

There is another use for the term egress among network and system administrators that is specific to the context of data security. It refers to data leaving an organization’s local network. Outbound email messages, cloud uploads, or files being moved to external storage are simple examples of data egress. It is a normal part of network activity, but it can pose a threat to organizations when sensitive data is leaked to unauthorized recipients, either unknowingly or maliciously.

Threats Involving Data Egress

Sensitive, proprietary, or easily monetizable information is often targeted by cybercriminals of all kinds. The release of sensitive or proprietary information to the public or to competing organizations is a real concern for enterprises, governments, and organizations of all kinds. Threat actors may try to steal sensitive data through the same methods many employees use every day, such as email, USB, or cloud uploads.

Best Practices For Preventing Unwanted Data Egress

There’s a lot you can do to protect your organization against unauthorized data egress but a few of them are particularly important. Let’s have a look at two of the bare essentials that you must do.

Create an acceptable use and data egress traffic enforcement policy

Include stakeholders to define your acceptable use policy. The policy should be very thorough and protect your company’s resources. It could, for instance, include a list of approved Internet-accessible services and guidelines for accessing and handling sensitive data. And don’t forget that it is one thing to create such policies but you also need to communicate them to users and make sure they understand them.

Implement firewall rules to block egress to malicious or unauthorized destinations

A network firewall is only one of several lines of defense against threats. It is a good starting point where you can ensure that data egress does not occur without explicit permission.

SIEM – To Help Prevent Data Egress

No matter what you do, monitoring remains one of the best ways to protect against data egress. Whenever data leakage happens, you want to know about it right away so you can act upon it. This is where Security Information and Event Management (SIEM) tools can help.

Concretely, a SIEM system does not provide any hard protection. Its primary purpose is to make the life of network and security administrators like you easier. What a typical SIEM system really does is collect information from various protection and detection systems, correlate all this information assembling related events, and react to meaningful events in various ways. Most of the time, SIEM tools also include some form of reporting and/or dashboards.

Some Of The Top SIEM Tools

To give you an idea of what’s available and to help you pick the right SIEM tool for your needs, we’ve assembled this list of some of the best SIEM tools.

1. SolarWinds Security Event Manager (FREE TRIAL)

The same SolarWinds that brought us the Network Monitor reviewed above also has an offering for Security Information and Event Management. In fact, it is one of the very best SIEM tools available. It might not be as full-featured as some other tools but what it does, it does very well and it has all the required functionality. The tool is called the SolarWinds Security Event Manager (SEM). It is best described as an entry-level SIEM system but it’s likely one of the most competitive entry-level systems on the market. The SolarWinds SEM has everything you can expect from a SIEM system, including excellent log management and correlation features that can help detect unauthorized data egress and an impressive reporting engine.

2. Splunk Enterprise Security

Possibly one of the most popular SIEM systems, Splunk Enterprise Security–or simply Splunk ES, as it is often called–is famous for its analytic capabilities. Splunk ES monitors your system’s data in real time, looking for vulnerabilities and signs of abnormal activity. The system uses Splunk’s own Adaptive Response Framework (ARF) which integrates with equipment from more than 55 security vendors. The ARF performs automated response, letting you quickly gain the upper hand. Add to that a simple and uncluttered user interface and you have a winning solution. Other interesting features include the “Notables” function which shows user-customizable alerts and the “Asset Investigator” for flagging malicious activities and preventing further problems.

Splunk ES is an enterprise-grade product and, as such, it comes with an enterprise-sized price tag. You can’t, unfortunately, get much pricing information from Splunk’s website and you’ll need to contact the sales department to get a quote. Despite its price, this is a great product and you might want to contact Splunk to take advantage of an available free trial.

3. NetWitness

For the past few years, NetWitness has focused on products supporting “deep, real-time network situational awareness and agile network response”. After being purchased by EMC, which then merged with Dell, the NetWitness business is now part of the RSA branch of the corporation. And this is good news as RSA has an excellent reputation in security.

NetWitness is ideal for organizations seeking a complete network analytics solution. The tool incorporates information about your business which helps prioritize alerts. According to RSA, the system “collects data across more capture points, computing platforms, and threat intelligence sources than other SIEM solutions”. There’s also advanced threat detection which combines behavioural analysis, data science techniques, and threat intelligence. And finally, the advanced response system boasts orchestration and automation capabilities to help eradicate threats before they impact your business.

One of the main drawbacks of NetWitness is that it’s not the easiest to set up and use. However, there is ample documentation available which can help you with setting up and using the product. This is another enterprise-grade product and, as it is often the case with such products, you’ll need to contact sales to get pricing information.
