# External Service

This policy enables consuming services that are not part of the mesh from services running inside it. The default passthrough cluster will allow for accessing any non-mesh host by its domain name or IP address. As the name of the feature suggests, this pattern leaves the mesh administrator with no tools to aply any policies for such traffic. Therefore, ExternalService resource allows for declaring the desired external resource as a named service within the mesh and enabling the observability, security and traffic manipulation similar to any other service in the mesh.

# The ExternalService resource

A simple HTTP service can be defined as follows

    • tags the external service can include an arbitrary number of tags, where kuma.io/service is a mandatory one. The special kuma.io/protocol tag is also taken into account and supports the standard Kuma protocol values. It designates the specific protocol being used by that service.
    • networking describes the networking configuration of the external service
      • address is the address where the external service can be reached.
      • tls is the section to configure the TLS originator when consuming the external service
        • enabled turns on and off the TLS origination. Defaults to true
        • caCert the CA certificate for the external service TLS verification
        • clientCert the client certificate for mTLS
        • clientKey the client key for mTLS

    As with other services, avoid overlapping of service names under kuma.io/service with already existing ones. A good practice would be to derive the tag value from the domain name or IP of the actual external service.

    Last Updated: 4/21/2021, 8:30:00 PM