Automation Suite in AKS: Addressing External Service Communication Issues in Istio Using the REGISTRY_ONLY Outbound Traffic Policy

How can communication with external services such as AWS S3 be enabled when Istio is configured with outboundTrafficPolicy set to REGISTRY_ONLY?


When Automation Suite runs on a customer-managed Istio installation whose outboundTrafficPolicy is set to REGISTRY_ONLY, the sidecar proxies only allow egress to hosts that are registered in the mesh's service registry. Any external service that is not part of the Automation Suite service mesh, such as AWS S3, is therefore unreachable until a ServiceEntry is created for it. Without these entries, requests to services like S3 are blocked by the sidecar.


Resolution:

To enable communication with external services like AWS S3, apply the following ServiceEntry resources (adjust the bucket hostnames and region to your environment first; see the note below):

AWS Metadata Server Service Entry:

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: aws-metadata-server
  namespace: istio-system
spec:
  hosts:
  - aws.metadata.internal       # nominal name only; the metadata service is addressed by IP
  addresses:
  - 169.254.169.254             # link-local address of the instance metadata service (IMDS)
  ports:
  - name: http
    number: 80
    protocol: HTTP
  - name: https
    number: 443
    protocol: HTTP
  resolution: STATIC            # no DNS lookup; traffic goes to the endpoint listed below
  location: MESH_EXTERNAL       # outside the mesh, so the sidecar does not attempt mTLS
  endpoints:
  - address: 169.254.169.254

S3 Service Entry:

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: s3-du
  namespace: uipath
spec:
  hosts:
  - s3.us-east-1.amazonaws.com               # regional S3 endpoint; change the region if needed
  - du-s3bucket.s3.amazonaws.com             # placeholder bucket hostname
  - aicenter-s3bucket.s3.amazonaws.com       # placeholder bucket hostname
  - orchestrator-s3bucket.s3.amazonaws.com   # placeholder bucket hostname
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS                          # TLS originates in the workload; the sidecar passes it through
  resolution: DNS                            # the sidecar resolves these hosts via DNS


Note: Replace the placeholder bucket hostnames above (du-s3bucket, aicenter-s3bucket, orchestrator-s3bucket) with the actual hostnames of your buckets, and adjust the regional endpoint if your buckets are not in us-east-1. Keep the hosts list limited to exactly the endpoints that need to be reached; a wildcard host such as *.amazonaws.com would re-open egress to every AWS endpoint and defeat the purpose of REGISTRY_ONLY.

  • Once these ServiceEntries have been applied, workloads in the mesh can reach the listed S3 buckets (and the instance metadata service); hosts that are still not registered remain blocked by the sidecar.

  • For a comprehensive understanding of Istio's outbound traffic policy and its configuration, refer to the official Istio documentation on egress control, particularly the section titled "Envoy passthrough to external services".
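As an added example (not part of the original article and not UiPath's own tooling), the following shell script renders the S3 ServiceEntry from a region and a list of bucket names, refusing any host that is not an explicit fully qualified name so that a wildcard cannot slip into the registry and silently widen egress. The bucket names, the region and the `uipath` namespace are assumed placeholders, as in the article.

```shell
#!/bin/sh
# Added example, not from the UiPath article: render the S3 ServiceEntry from a
# region and a list of bucket names. Every host is validated first so that a
# wildcard (e.g. "*.amazonaws.com") cannot re-open egress that REGISTRY_ONLY
# is supposed to close. Bucket names, region and namespace are placeholders.
set -euf   # -f: never glob-expand a "*" that appears in a host name

# is_explicit_host HOST -> exit 0 for a plain, fully qualified DNS name; 1 otherwise.
is_explicit_host() {
  host="$1"
  case "$host" in
    ''|*'*'*) return 1 ;;          # empty or wildcard host
  esac
  printf '%s\n' "$host" | grep -Eq '^([a-z0-9-]+\.)+[a-z]{2,}$'
}

# render_s3_service_entry REGION BUCKET... -> prints the ServiceEntry YAML, or
# prints "refusing host" on stderr and returns 1 when a host fails validation.
render_s3_service_entry() {
  region="$1"; shift
  hosts="s3.${region}.amazonaws.com"          # regional endpoint, as in the article
  for b in "$@"; do
    hosts="$hosts ${b}.s3.amazonaws.com"       # virtual-hosted-style bucket endpoint
  done
  for h in $hosts; do
    is_explicit_host "$h" || { echo "refusing host: $h" >&2; return 1; }
  done
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: s3-du
  namespace: uipath
spec:
  hosts:
EOF
  for h in $hosts; do
    printf '  - %s\n' "$h"
  done
  cat <<EOF
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
EOF
}

# Typical use (placeholders):
#   render_s3_service_entry us-east-1 du-s3bucket aicenter-s3bucket | kubectl apply -f -
```

After applying the rendered manifest, `istioctl proxy-config cluster <pod> -n uipath` should list the S3 hosts as outbound clusters; a request to a host that is still not registered fails at the sidecar (Envoy's BlackHoleCluster) rather than at the network, which is the symptom described in this article.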