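# Egress path for developer.yahoo.com:443 through the Istio egress gateway.
#
# Flow described by the four resources below:
#   workload -> sidecar (matches on SNI) -> egress gateway (Istio mTLS hop)
#   -> developer.yahoo.com:443
#
# NOTE(review): these resources only *route* traffic via the gateway. They do
# not stop a workload from bypassing its sidecar and connecting out directly.
# If the gateway is meant to be an enforcement point, pair this with a
# Kubernetes NetworkPolicy that restricts egress to the gateway, and consider
# meshConfig.outboundTrafficPolicy.mode: REGISTRY_ONLY.
#
# NOTE(review): networking.istio.io/v1alpha3 is an older API version; confirm
# it is still served by the Istio release installed in the cluster.

# Registers the external host so the mesh knows about it (TLS on 443, DNS).
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: yahoo
spec:
  hosts:
    - developer.yahoo.com
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: yahoo-tls
      protocol: TLS
  resolution: DNS
---
# Opens port 443 on the egress gateway for SNI developer.yahoo.com.
# ISTIO_MUTUAL: the sidecar -> gateway hop is wrapped in Istio mutual TLS.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-yahoo-egressgateway
spec:
  selector:
    istio: egressgateway  # bind to the pods labelled as the egress gateway
  servers:
    - port:
        number: 443
        # NOTE(review): the name says "tls-origination", but no TLS
        # origination is configured in these manifests; the sidecar routes on
        # SNI, so the workload appears to start the TLS session itself.
        name: https-port-for-tls-origination-yahoo
        protocol: TLS
      hosts:
        - developer.yahoo.com
      tls:
        mode: ISTIO_MUTUAL
---
# Routes internal outbound traffic to the egress gateway using Istio's mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-yahoo
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
    - name: yahoo
      trafficPolicy:
        portLevelSettings:
          - port:
              number: 443
            tls:
              mode: ISTIO_MUTUAL
              # SNI sent to the gateway; must match the Gateway server's hosts
              sni: developer.yahoo.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-yahoo-through-egress-gateway
spec:
  hosts:
    - developer.yahoo.com
  gateways:
    - istio-yahoo-egressgateway
    - mesh
  # route TLS traffic to developer.yahoo.com through the egress gateway for
  # the entire mesh
  tls:
    - match:
        - gateways:
            - mesh  # apply to sidecars in the mesh
          port: 443
          sniHosts:
            - developer.yahoo.com
      route:
        - destination:
            host: istio-egressgateway.istio-system.svc.cluster.local
            subset: yahoo
            port:
              number: 443
          weight: 100
  # at the egress gateway, route developer.yahoo.com to the real destination
  # outside the mesh
  # NOTE(review): this match is on gateway and port only, not on SNI. Every
  # connection the Gateway above accepts on 443 is sent to developer.yahoo.com,
  # so keep that Gateway server limited to this one host.
  tcp:
    - match:
        - gateways:
            - istio-yahoo-egressgateway
          port: 443
      route:
        - destination:
            host: developer.yahoo.com
            port:
              number: 443
          weight: 100
---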