Istio now supports wildcard ServiceEntry with DYNAMIC_DNS resolution, allowing sidecars to route traffic directly to wildcard HTTPS destinations while simplifying egress configuration.

Istio is an open-source service mesh platform that helps developers connect, secure, and manage microservices-based applications. With features such as traffic management, security policies, and observability tools, Istio simplifies the complexities of microservices architecture, enabling developers to build resilient and scalable applications. Through documentation, tutorials, and community support, Istio provides developers with the tools and resources needed to implement service mesh patterns and improve the reliability and performance of their distributed systems.

Istio

Istio now supports wildcard ServiceEntry with DYNAMIC_DNS resolution, enabling sidecar proxies to route HTTPS egress traffic to wildcard domains (e.g., *.wikipedia.org, *.amazonaws.com) without requiring a dedicated egress gateway. Previously, this required a complex setup involving an egress gateway acting as an SNI forward proxy, multiple custom resources including EnvoyFilter configurations, and an extra network hop. The new approach uses Envoy's dynamic forward proxy (DFP) cluster, which reads the SNI value from the TLS handshake and dynamically resolves the upstream hostname. This simplifies configuration, reduces latency by eliminating the intermediate gateway hop, and works in both sidecar and ambient mesh modes. The post also covers using this with waypoint proxies for ambient mode and for routing to unknown internal services.

Simplifying Egress Routing to Wildcard Destinations

Wildcard ServiceEntry with DYNAMIC_DNS resolution