Skip to content
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
    • Kong Konnect
    • Kong Mesh
    • Plugin Hub
    • decK
    • Kubernetes Ingress Controller
    • Insomnia
    • Kuma

    • Docs contribution guidelines
  • Plugin Hub
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kubernetes Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 2.2.x (latest)
  • 2.1.x
  • 2.0.x
  • 1.9.x
  • 1.8.x
  • 1.7.x
  • 1.6.x
  • 1.5.x
  • 1.4.x
  • 1.3.x
  • 1.2.x

github-edit-pageEdit this page

report-issueReport an issue

enterprise-switcher-iconSwitch to OSS

On this pageOn this page
  • Incoming
  • Outgoing
    • Policies don’t apply to non-mesh traffic
Kong Mesh
2.1.x
  • Home
  • Kong Mesh
  • Networking
  • Non-mesh traffic
You are browsing documentation for an outdated version. See the latest documentation here.

Non-mesh traffic

Incoming

When mTLS is enabled, clients from outside the mesh can’t reach the applications inside the mesh. If you want to allow external clients to consume mesh services see the Permissive mTLS mode.

Without Transparent Proxying

TLS check on Envoy can be bypassed. You should take action to secure the application ports.

Outgoing

In its default setup, Kong Mesh allows any non-mesh traffic to pass Envoy without applying any policy. For instance if a service needs to send a request to http://example.com, all requests won’t be logged even if a traffic logging is enabled in the mesh where the service is deployed. The passthrough mode is enabled by default on all the dataplane proxies in transparent mode in a Mesh. This behavior can be changed by setting the networking.outbound.passthrough in the Mesh resource. Example:

Kubernetes
Universal
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  networking:
    outbound:
      passthrough: false
type: Mesh
name: default
networking:
  outbound:
    passthrough: false

When networking.outbound.passthrough is false, no traffic to any non-mesh resource can leave the Mesh.

Before setting networking.outbound.passthrough to false, double-check Envoy stats that no traffic is flowing through pass_through cluster. Otherwise, you will block the traffic which may cause the instability of the system.

Policies don’t apply to non-mesh traffic

If you need to change configuration for non-mesh traffic you can use a ProxyTemplate.

Circuit Breaker

Default values:

maxConnections: 1024
maxPendingRequests: 1024
maxRequests: 1024
maxRetries: 3

Proxy Template to change the defaults:

Kubernetes
Universal
apiVersion: kuma.io/v1alpha1
kind: ProxyTemplate
mesh: default
metadata:
  name: custom-template-1
spec:
  selectors:
    - match:
        kuma.io/service: "*"
  conf:
    imports:
      - default-proxy
    modifications:
      - cluster:
          operation: patch
          match:
            name: "outbound:passthrough:ipv4"
          value: |
            circuit_breakers: {
              thresholds: [
                {
                  max_connections: 2048,
                  max_pending_requests: 2048,
                  max_requests: 2048,
                  max_retries: 4
                }
              ]
            }
type: ProxyTemplate
mesh: default
name: custom-template-1
selectors:
    - match:
        kuma.io/service: "*"
conf:
  imports:
    - default-proxy
  modifications:
    - cluster:
        operation: patch
        match:
          name: "outbound:passthrough:ipv4"
        value: |
          circuit_breakers: {
            thresholds: [
              {
                max_connections: 2048,
                max_pending_requests: 2048,
                max_requests: 2048,
                max_retries: 4
              }
            ]
          }

Timeouts

Default values:

connectTimeout: 10s
tcp:
  idleTimeout: 1h

Proxy Template to change the defaults:

Kubernetes
Universal
apiVersion: kuma.io/v1alpha1
kind: ProxyTemplate
mesh: default
metadata:
  name: custom-template-1
spec:
  selectors:
    - match:
        kuma.io/service: "*"
  conf:
    imports:
      - default-proxy
    modifications:
      - cluster:
          operation: patch
          match:
            name: "outbound:passthrough:ipv4"
          value: |
            connect_timeout: "99s"
      - networkFilter:
          operation: patch
          match:
            name: "envoy.filters.network.tcp_proxy"
            listenerName: "outbound:passthrough:ipv4"
          value: |
            name: envoy.filters.network.tcp_proxy
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
              idleTimeout: "3h"
type: ProxyTemplate
mesh: default
name: custom-template-1
selectors:
    - match:
        kuma.io/service: "*"
conf:
  imports:
    - default-proxy
  modifications:
    - cluster:
        operation: patch
        match:
          name: "outbound:passthrough:ipv4"
        value: |
          connect_timeout: "99s"
    - networkFilter:
        operation: patch
        match:
          name: "envoy.filters.network.tcp_proxy"
          listenerName: "outbound:passthrough:ipv4"
        value: |
          name: envoy.filters.network.tcp_proxy
          typedConfig:
            '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
            idleTimeout: "3h"
Thank you for your feedback.
Was this page useful?
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023