Simplifying Egress Routing to Wildcard Destinations


Istio Blog, Apr 9, 2026

Why It Matters

By removing the egress‑gateway requirement, organizations can cut operational complexity and latency while still enforcing Istio’s security and telemetry policies for dynamic, wildcard destinations.

Key Takeaways

  • Istio now supports wildcard ServiceEntry with DYNAMIC_DNS resolution.
  • Removes need for egress gateway, reducing latency and configuration complexity.
  • Sidecar proxies dynamically resolve SNI hostnames via Envoy forward proxy.
  • Applies to external domains like *.wikipedia.org and internal *.svc.cluster.local.
  • Works with Ambient mesh and waypoint proxies for unified policy enforcement.

Pulse Analysis

Controlling outbound traffic has long been a cornerstone of service‑mesh security, but traditional Istio configurations required each external host to be listed explicitly. When applications need to reach a large, mutable set of subdomains—such as multilingual Wikipedia sites or cloud provider endpoints—maintaining a static ServiceEntry quickly becomes untenable. The prior workaround involved an egress gateway acting as an SNI forward proxy, which added an extra hop, required multiple custom resources, and increased operational overhead.

The latest Istio release streamlines this workflow by introducing wildcard hostnames combined with the DYNAMIC_DNS resolution mode. When a ServiceEntry declares a pattern like "*.wikipedia.org", Istio automatically creates a dynamic forward‑proxy cluster that reads the SNI value from the client's TLS ClientHello. The sidecar then resolves the actual hostname on the fly and forwards the still‑encrypted traffic directly to the external service. This approach preserves end‑to‑end TLS, leverages Envoy's built‑in SNI inspector, and eliminates the need for a dedicated egress gateway, resulting in lower latency and a simpler deployment footprint.
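To make the mechanism concrete, here is an added Python example (not Istio or Envoy code) that does what the sidecar's SNI inspector does: it parses the server_name from a constructed TLS ClientHello and checks it against a declared wildcard host before deciding to forward. The wildcard rule it applies (suffix match, bare apex excluded) is an assumption for the demo, not a statement of Istio's exact matching semantics.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS ClientHello record carrying one SNI extension (constructed sample input)."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name type 0 = host_name
    ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry  # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                 # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                  # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes):
    """What an SNI inspector does: walk the ClientHello and return server_name, or None."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 43                                             # rec hdr 5 + hs hdr 4 + version 2 + random 32
    pos += 1 + record[pos]                               # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                               # compression methods
    if pos + 2 > len(record):
        return None                                      # no extensions block
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0 and elen >= 5:                     # list len(2) + type(1) + name len(2) + name
            nlen = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
        pos += elen
    return None

def host_matches(pattern: str, host: str) -> bool:
    """Assumed wildcard rule: '*.wikipedia.org' matches names ending in '.wikipedia.org', not the apex."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:].lower()
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern.lower()

def route_decision(record: bytes, patterns):
    """Sidecar-style decision: forward only when the SNI matches a declared ServiceEntry host."""
    sni = extract_sni(record)
    if sni is None:
        return ("deny", None)                            # nothing to resolve dynamically
    if any(host_matches(p, sni) for p in patterns):
        return ("forward", sni)                          # resolve sni, proxy the TLS bytes unchanged
    return ("deny", sni)
```

Because the decision keys on the client‑supplied SNI, the ServiceEntry host list is the policy boundary; lookalike names such as evil-wikipedia.org fall outside "*.wikipedia.org" and are refused.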

Beyond external web services, the capability extends to internal mesh traffic, enabling wildcard internal domains (e.g., "*.svc.cluster.local") and supporting Ambient mesh scenarios where traffic can be routed through waypoints for consistent policy enforcement. Enterprises can now adopt a more agile egress strategy, reduce configuration sprawl, and maintain full observability and mTLS guarantees across dynamic destinations, accelerating cloud‑native adoption and operational efficiency.

