Istio as an API Gateway
Istio As An API Gateway. Discussion Flow: ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● Challenges ● Where It Isn’t a Good Fit? Common Features: ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication ● Logging, Monitoring, Tracing. API Gateway + Service Mesh together! Limitations of This Approach: ● Maintaining Two Tools ● Maintaining Two Expert Pools. Istio as the API Gateway: Advantages.
27 pages | 1.11 MB | 1 year ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
Creating API Tests: Low Effort API Testing for Microservices. • What has changed? – Migration to microservices is triggering the need for extensive API tests. • Problem: – Creating API tests. • What is our solution? – Leverage the Istio sidecar to listen to API traffic data and create tests from that data – 10x speed in creating API tests • Can also be sped up by just navigating the application. Significantly reduced time and cost for API testing in microservices architectures with Istio – Fewer failures higher up the test pyramid as a result of improved API tests. • Istio benefits – Venky / Prasad
21 pages | 1.09 MB | 1 year ago

Istio Security Assessment
focus testing efforts. Istio does not currently have a reference design for what an ideal Kubernetes cluster with Istio running within it looks like. Instead, NCC Group used various hosting options (i.e. Minikube, GKE controlPlaneSecurity configuration directive or other means. This left all default services exposed within the cluster. • The default istio profile that is labeled for production lacks many hardening controls, and the Pilot admin interface exposes unnecessary services and is accessible to anyone within a default cluster. • The Envoy Proxy admin port is exposed via the Istio sidecar and would allow a malicious workload
51 pages | 849.66 KB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
#IstioCon eBay Applications. eBay is powered by ● More than 5,000 Microservices ranging from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems. Deployment: Cloud Layout ● Multiple K8s Clusters in an AZ ○ Each K8s cluster ~ 200 - 5,000 nodes ○ Up to 100,000 Pods in a cluster ○ 10,000+ K8s services - including prod, pre-prod, staging, etc. Scenario diagram: Region R1 with AZ 1, AZ 2, AZ n; Data Center DC1 with several K8s Clusters; Region Rn. Application Specs: Region R1 Application
22 pages | 505.96 KB | 1 year ago

宋净超: From Open Source Istio to Enterprise Services: How to Land a Service Mesh in the Enterprise
Tetrate’s product is built on top of upstream Istio. ● Why not Istio OSS? ● Problems unsolved: ○ Multi-cluster and VM (lower onboarding cost) ○ Enterprise team structure gap (Workspace, Tenants, etc.) ○ UI&UX. Mesh diagram: Workload (Service) PODs, Workload (Service) VMs, API Gateway, Ingress & Egress. Mesh can include VMs. ● Multi-tenancy ● Traffic shaping and canary controls ● Cross-cluster security policies & access control ● Unified telemetry and availability reporting ● Service discovery across multiple clusters ● Fine-grained ingress & egress controls ● API GW is part
30 pages | 4.79 MB | 5 months ago

How HP set up secure and wise platform with Istio
are in the core cluster. Projects share the solution cluster: • Different namespace • Project runs as a tenant, needs control rights. The solution cluster connects to the core cluster with Istio multi-cluster - Replicated control planes. Some standalone clusters without Istio can also access the core cluster, as tenants. HP Horizon Platform Connect With Istio #IstioCon. Secure Platform: • JWT Verify • Mutual TLS • Authorization: Istio Mixer authz adapter implementing role-based authorization – whether this user can access this API based on its role => Version 2: Envoyfilter ext_authz. Wise Platform. Wise
23 pages | 1.18 MB | 1 year ago

Istio Project Update
Single Cluster Simplified. #IstioCon. Service Proxy: Authentication, Authorization, Telemetry, Extensibility; New Extension Model; Mixer. Simplified Istio Multicluster Model: Istiod in Cluster 1 and Istiod in Cluster 2, each with an API server and Ingress, Service A, Service B, and a Service B Mirror. Istiod, Cluster, API server, Gateway, Service A, VM Service. Istio Standardize APIs: Adopt Kubernetes service API; Protocol declaration in Kubernetes service descriptor; Transform informal API to formal API; External authz. analyze, describe, bug-report
22 pages | 1.10 MB | 1 year ago

Extending service mesh capabilities using a streamlined way based on WASM and ORAS
Alibaba Cloud Service Mesh (ASM). Envoy’s Filter Chain: Listener → Downstream → Filter, Filter, Filter → Cluster → Upstream; extend with custom Filters, configured dynamically via the xDS API. L4 Network Filters, L7 Http Filters. Listener & Filters before outbound services: Listener → Downstream → Filter Chain (Filter, Filter, Filter) → Cluster → Upstream, repeated per listener. Envoy Filters used in the actual example: port 9080 listener; envoy.filters.network.metadata_exchange; envoy.http_connection_manager; Cluster: Productpage service; Filter Chain: envoy.filters.http.wasm/envoy.wasm.metadata_exchange; Istio_authn; kubectl exec
23 pages | 2.67 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
repository. Repository: https://github.com/istio/istio, Language: Golang. Istio API definitions: Repository: https://github.com/istio/api, Language: Golang. Istio documentation: Repository: https://github.com/istio/istio. boundaries: We identify the following trust boundaries (From / Into / Trust flow / Description): Outside of cluster → Ingress Sidecar or Ingress Gateway, Low to high: Ingress traffic can have the lowest level of privilege. security policies. Proxy → Service, Low to high: Incoming traffic to the proxy can be coming from outside the cluster and is validated against the specified policies before it reaches the service. The traffic crosses
55 pages | 703.94 KB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
Internal Load Balancers (ILBs) for Kube DNS, Pilot, Mixer and CA ○ Generate configs for VMs, incl. `cluster.env`, DNS config, Istio authN secrets etc. ○ Set up dnsmasq and the Istio components in the VM and verify: 1. Dnsmasq accepts DNS queries 2. Access the built-in Kube DNS (exposed by ILB) 3. Obtain the Cluster IP resolved 4. Traffic intercepted by the sidecar proxy 5. xDS ■ Traffic forwarded to ingress. 1. DNS query httpbin.ns1.svc.cluster.local 2. DNS response – 10.4.4.4; http req to 10.4.4.4 GET /status/200; http req to 172.16.1.3 GET /status/200; httpbin.ns1.svc.cluster.local SVC IP: 10.4.4.4 #IstioCon
50 pages | 2.19 MB | 1 year ago
40 results in total