# External Service
This policy enables services running inside the mesh to consume services that are not part of it. The default passthrough cluster allows access to any non-mesh host by its domain name or IP address. As the name of the feature suggests, this pattern leaves the mesh administrator with no tools to apply any policies to such traffic. The `ExternalService` resource therefore allows declaring the desired external resource as a named service within the mesh, enabling observability, security and traffic manipulation similar to any other service in the mesh.
A simple HTTP service can be defined as follows
- `tags`: the external service can include an arbitrary number of tags, where `kuma.io/service` is a mandatory one. The special `kuma.io/protocol` tag is also taken into account and supports the standard Kuma protocol values. It designates the specific protocol being used by that service.
- `networking` describes the networking configuration of the external service
  - `address` is the address where the external service can be reached.
  - `tls` is the section to configure the TLS originator when consuming the external service
    - `enabled` turns on and off the TLS origination. Defaults to
    - `caCert` the CA certificate for the external service TLS verification
    - `clientCert` the client certificate for mTLS
    - `clientKey` the client key for mTLS
As with other services, avoid overlapping service names under `kuma.io/service` with already existing ones. A good practice is to derive the tag value from the domain name or IP of the actual external service.
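
The fields described above, put together in an added example that is not taken from the original page: an `ExternalService` in Kuma's universal YAML format with TLS origination and mTLS turned on. The host `api.example.com`, the service name derived from it, the mesh name and the secret names are all assumptions chosen for illustration.

```yaml
# Added example: host, resource name, mesh and secret names are placeholders.
type: ExternalService
mesh: default
name: api-example-com
tags:
  # Mandatory tag. Derived from the external host name so it does not
  # collide with the kuma.io/service value of any in-mesh service.
  kuma.io/service: api-example-com
  # Protocol spoken by the external service (one of the standard Kuma values).
  kuma.io/protocol: http
networking:
  # Where the external service is reached (host:port).
  address: api.example.com:443
  tls:
    # The sidecar originates TLS towards the external service, so the
    # application inside the mesh sends plain HTTP to the named service.
    enabled: true
    # CA certificate used to verify the external service's certificate.
    caCert:
      secret: api-example-com-ca
    # Client certificate and key presented for mTLS.
    clientCert:
      secret: api-example-com-client-cert
    clientKey:
      secret: api-example-com-client-key
```

Referencing the certificate and key through `secret` keeps the private key out of the policy file itself; the referenced secrets must exist in the same mesh.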