# External Service
This policy enables services running inside the mesh to consume services that are not part of it. The default passthrough cluster allows access to any non-mesh host by its domain name or IP address. As the name of the feature suggests, this pattern leaves the mesh administrator with no tools to apply any policies to such traffic. The ExternalService resource therefore allows declaring the desired external resource as a named service within the mesh, enabling observability, security and traffic manipulation similar to any other service in the mesh.
# The ExternalService resource
A simple HTTP service can be defined as follows
- `tags`: the external service can include an arbitrary number of tags, where `kuma.io/service` is a mandatory one. The special `kuma.io/protocol` tag is also taken into account and supports the standard Kuma protocol values. It designates the specific protocol being used by that service.
- `networking` describes the networking configuration of the external service.
  - `address` is the address where the external service can be reached.
  - `tls` is the section to configure the TLS originator when consuming the external service.
    - `enabled` turns the TLS origination on and off. Defaults to `true`.
    - `caCert`: the CA certificate for the external service TLS verification.
    - `clientCert`: the client certificate for mTLS.
    - `clientKey`: the client key for mTLS.
As with other services, avoid overlapping of service names under `kuma.io/service` with already existing ones. A good practice would be to derive the tag value from the domain name or IP of the actual external service.
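The fields above combined into one resource, as an added example that is not part of the original page: an ExternalService with TLS origination and mTLS, with the service tag derived from the external domain name. The host `api.example.com`, the resource name and the secret names are constructed, and the `secret:` reference form for certificate material is an assumption based on Kuma's data source convention, which this page does not show.

```yaml
# Added example; host, names and secret names are constructed placeholders.
type: ExternalService
mesh: default
name: api-example-com
tags:
  # Mandatory tag; derived from the external domain so it cannot
  # collide with the name of a service already in the mesh.
  kuma.io/service: api-example-com
  # Protocol spoken by the external service (standard Kuma protocol values).
  kuma.io/protocol: http
networking:
  # Where the external service can be reached.
  address: api.example.com:443
  tls:
    # Originate TLS when consuming the external service.
    # Set explicitly so the intent is visible in review.
    enabled: true
    # CA certificate used to verify the external service's certificate.
    caCert:
      secret: api-example-com-ca            # assumed secret name
    # Client certificate and key presented for mTLS.
    clientCert:
      secret: api-example-com-client-cert   # assumed secret name
    clientKey:
      secret: api-example-com-client-key    # assumed secret name
```

Referencing the client key by secret name keeps private key material out of the resource definition and out of version control.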