[MeshExternalService] Possibility to route traffic through specific zone

[lukidzi]

Description

Few of our cloud applications (mesh enabled) want to communicate with the apps running in Datacenter (non-mesh apps). Those DC apps are not exposed to the internet. So we installed ZoneCP in the DC. Now those DC applications can be resolved from the Kuma Egress running in the DC. In this case we can register the DC apps as external services with zone tag, same as the DC zone name. As per the point number 1, traffic originating from other zones will be routed to DC zone first. Once the traffic is inside DC, the egress can resolve the DC apps. This is just one possibility/example. We have few more scenarios as well

[andrey-dubnik]

We have an upcoming use case where our workloads would go under multiple private networks where within each network services could be both mesh-aware and external to the mesh. We plan registering the external to mesh services as external service with the zone binding as this way mesh knows exactly which zone egress can access the specific "private" service.

Ideally we would like to be able to bind external service to multiple zones as there can be a scenario where multiple mesh zones are placed within a network and only few can access specific endpoint, being able to reference multiple zones makes a better case for HA in case one zone goes dark.

If binding the external service to zone feature is removed from future release of Kuma we won't be able to use Kuma much longer when the described use case becomes a majority of our workload placement use cases.

[slonka]

triage: this would probably be done by defining MeshExternalService in that zone

[AyushSenapati]

@slonka Why are we willing to define resources at the zone level? We have GlobalCP. So, why can't we simply create the resource in the GlobalCP and let it decide the ZoneCPs it needs the resources to be forwarded?

[slonka]

@AyushSenapati - let's chat about the details in the MADR - is that ok?