#IstioCon Apache APISIX from Gateway to Full Traffic Proxy with Istio Jintao Zhang API7.ai #IstioCon About Me ● Apache APISIX PMC ● Kubernetes Ingress NGINX maintainer ● Microsoft MVP ● zhangjintao@apache Scenarios for Apache APISIX #IstioCon Usage Scenarios for Apache APISIX ● L4/L7 Gateway（weibo、WPS） ● Microservices API Gateway（iQIYI） ● Kubernetes Ingress controller（UPYUN） ● https://github.com/apache/a protocol It’s public now!!! https://github.com/api7/amesh #IstioCon How to use it Change the injection-template: ● proxy_init ● proxy Ref: https://github.com/api7/amesh/blob/main/docs/en/demo.md #IstioCon

#IstioCon eBay Applications eBay is powered by ● More than 5,000 Microservices ranging from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems Capture Traffic Management & Routing intent as “Access Point” Specs ○ Leverage Istio object model: Gateway, VirtualService, DestinationRules, etc. apiVersion: apps.cloud.io/v1 kind: AccessPoint metadata: AvailabilityZone traffic: gateways: - apiVersion: networking.istio.io/v1beta1 kind: Gateway spec: ... virtualServices: - apiVersion: networking.istio.io/v1beta1

Istio control plane through a Gateway ○ WorkloadEntry created ■ VM sidecar is made aware of all services in the cluster ○ DNS name resolved ■ gets routed through the gateway to the service ● The data ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple networks ● all goes though the Gateway ● via L3 networking (if enhanced performance is desired) #IstioCon Demo for a bootstrap certificate, then place that bootstrap certificate on the VM ■ Dependency on K8s API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation

handle large workloads Does it support S3 API and Modern Architecture ? Can it Scale To 100’s PB, 1000’s of nodes and billions of objects Scale API Compatibility Performance / 51 6 Confidential—Restricted BIG DATA WORKLOADS Support access control policy, lineage and governance Support HDFS and S3 API based applications Application Security Encryption Is the data protected at rest and in-transit system 21 © 2022 Cloudera, Inc. All rights reserved. S3 GATEWAY Allows S3 clients to talk to Ozone • Stateless server • Translates S3 REST API calls to Ozone client RPC calls 22 © 2022 Cloudera, Inc

leveraged in a Knative based platform - Istio as an Ingress Gateway • By default, Knative does not enable service mesh, it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor istio-system to ingress gateway which contains credentials for https support of multi tenants. • Knative has knative-ingress-gateway for external access and knative-local-gateway for cluster local access access. They use Istio gateway service istio-ingressgateway as its underlying service. Knative Activator or Application Front door design #IstioCon - Traffic Splitting, blue/green deployment How Istio

of Jump servers, also known as Gateway hosts. This feature is essential when the direct access to a target machine is not possible from your local machine, and a gateway server is required for connection to specify 200.200.200.200 is able as a host in regular SSH configuration and as a host in a gateway 100.100.100.100 200.200.200.200 configuration to achieve such a "connection order": → → . conflicts with reserved SQL keywords Escape LIKE masks in search queries Use to access JDBC metadata API. Enabled by default but should be disabled for some (broken) drivers Parameter Description Drop

of Jump servers, also known as Gateway hosts. This feature is essential when the direct access to a target machine is not possible from your local machine, and a gateway server is required for connection to specify 200.200.200.200 is able as a host in regular SSH configuration and as a host in a gateway 100.100.100.100 200.200.200.200 configuration to achieve such a "connection order": → → . conflicts with reserved SQL keywords Escape LIKE masks in search queries Use to access JDBC metadata API. Enabled by default but should be disabled for some (broken) drivers Parameter Description Drop

of Jump servers, also known as Gateway hosts. This feature is essential when the direct access to a target machine is not possible from your local machine, and a gateway server is required for connection to specify 200.200.200.200 is able as a host in regular SSH configuration and as a host in a gateway 100.100.100.100 200.200.200.200 configuration to achieve such a "connection order": → → . conflicts with reserved SQL keywords Escape LIKE masks in search queries Use to access JDBC metadata API. Enabled by default but should be disabled for some (broken) drivers Parameter Description Drop

DB AMF App B AMF App A SMF Frontend SMF Ingress Gateway Redis DB SMF App X AMF Identity SMF Identity SMF Identity 10 ©2021 Aspen Mesh. All rights the Mesh UDM Virtual Machine Namespace SMF SMF Frontend UDM Egress Gateway Redis DB SMF App X Control Plane UDM Identity 11 ©2021 Aspen Mesh. All rights reserved Namespace SMF SQL DB AMF App B AMF App A SMF Frontend SMF Ingress Gateway Redis DB SMF App X https://aspenmesh.io/how-to-capture-packets-that-dont-exist/ Optical Tap

groups, which facilitates routing of data. d. Type the IP address of your ISP in the Gateway address box. Note: A gateway is a device that connects a user to the Internet. It is provided by the ISP. Using