12. Create ServiceEntries for external services
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
Once the ServiceEntry is applied, the sidecar of any workload (here ratings-v1) learns the resolved endpoints for httpbin.org:
$ istioctl proxy-config endpoints ratings-v1-fd78f799f-gj8td | grep httpbin
34.199.75.4:80 HEALTHY OK outbound|80||httpbin.org
34.231.30.52:80 HEALTHY OK outbound|80||httpbin.org
54.166.163.67:80 HEALTHY OK outbound|80||httpbin.org
54.91.118.50:80 HEALTHY OK outbound|80||httpbin.org
https://istio.io/latest/docs/reference/config/networking/service-entry/
13. Block undefined external endpoints
[Diagram: myapp -> envoy sidecar]
Change outboundTrafficPolicy to REGISTRY_ONLY, so the sidecar only forwards outbound traffic to hosts known to the mesh registry (Kubernetes services and ServiceEntries).
NOTE: Traffic can be configured to bypass envoy using annotations:
  traffic.sidecar.istio.io/excludeOutboundIPRanges
  traffic.sidecar.istio.io/excludeOutboundPorts
# mesh config fragment (meshConfig under the IstioOperator spec)
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/
14. Direct external traffic through egress gateways
[Diagram: myapp -> envoy sidecar -> Egress GW -> httpbin.org, for a request such as curl http://httpbin.org/headers]
• Dedicated traffic exit points
• Only Egress gateways can run on internet enabled nodes
• Meet compliance requirements
• Use Network Policies on workloads to prevent bypassing the egress gateway
https://istio.io/latest/blog/2019/egress-traffic-control-in-istio-part-1/
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/
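As an added example (not from the slides or the Istio project docs), a Kubernetes NetworkPolicy that implements the last bullet: it is enforced by the CNI rather than by Envoy, so the excludeOutbound* annotations from the previous slide cannot be used to reach the internet directly. It assumes the application lives in a namespace called myapp, that istiod and the egress gateway run in istio-system, that cluster DNS is kube-dns in kube-system, and that namespaces carry the standard kubernetes.io/metadata.name label.

```yaml
# Added example, not part of the original deck.
# Assumptions: app namespace "myapp"; egress gateway and istiod in
# istio-system; cluster DNS is kube-dns in kube-system; namespaces carry
# the standard kubernetes.io/metadata.name label.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-only-via-gateway
  namespace: myapp
spec:
  podSelector: {}            # applies to every pod in the namespace
  policyTypes:
  - Egress                   # anything not listed below is dropped
  egress:
  # 1. Cluster DNS, so ServiceEntry hosts such as httpbin.org still resolve
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # 2. Istio control plane (xDS, certificates) and the egress gateway
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: istio-system
  # 3. Other workloads in the same namespace (in-mesh traffic)
  - to:
    - podSelector: {}
  # No rule allows 0.0.0.0/0, so a pod annotated with
  # traffic.sidecar.istio.io/excludeOutboundIPRanges still cannot reach
  # httpbin.org except through the egress gateway in istio-system.
```

The policy only takes effect on clusters whose CNI enforces NetworkPolicy, and calls to services in other namespaces need an additional rule for that namespace.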
17. Istio mutual TLS mode
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system # mesh-wide here; can be granular (per namespace or workload)
spec:
  mtls:
    mode: PERMISSIVE # or STRICT
• Change PERMISSIVE to STRICT after onboarding all your workloads to the mesh
• Can be disabled at the port level
[Diagram: frontend and backend in the mesh, plus "Another App"]
30. Istio - The Industry's Leading Service Mesh
[Timeline]
2017: Istio Launched
2019-20: Data Plane Enhancements
2019-2022: 7 New Community Releases, 1000s Production Customers, ~1000 Community Contributors
2022: Ambient Mesh Launched
2022: CNCF
32. What is Istio Ambient Mesh?
[Diagram: Istio Sidecar Data Plane, 1 Pod/Container = 1 Proxy, versus Ambient Mesh Data Plane, 1 Node = 1 Proxy]
Move from a Sidecar Proxy per-pod architecture to a Proxy per-node architecture.
"Making the Mesh Transparent to Applications"
Business Owner
• Reduced Compute Cost
• Improve Business Continuity
• Increase Business Flexibility
Platform Team
• Simplified Operations
• Reduced Maintenance
• Simplified Upgrades
• Easier to Add Applications
• Less Day-2-Day Complexity
• Adapt to Application Needs
• Offer SLAs for Applications
• Many Apps = 1 Platform
Application Team
• Mesh is transparent to Apps
• Applications won't break
• Flexible Performance Available
• Manage Security vs Performance
33. Istio enables Zero-Trust Security
[Diagram: pods each with their own sidecar proxy, versus pods sharing a per-node L4 Proxy and an L7 Proxy]
Istio Security with Sidecar Proxy
• All traffic goes through Proxy
• Proxy manages mTLS, Identity
• Proxy manages L7 Application Filters | Policies
Istio Security with Ambient Mesh
• All traffic goes through Proxy
• L4 Proxy manages mTLS, Identity
• L7 Proxy manages L7 Application Filters | Policies
34. Istio enables Service Mesh flexibility
[Diagram: Istio Control Plane above two data planes: Istio Sidecar Data Plane, 1 Pod/Container = 1 Proxy, and Ambient Mesh Data Plane, 1 Node = 1 Proxy]
• Cost Flexibility
• Operational Flexibility
• Performance Flexibility
37. HBONE - The protocol used to connect nodes
HTTP Based Overlay Network Encapsulation protocol
source: https://www.solo.io/blog/understanding-istio-ambient-ztunnel-and-secure-overlay/