Istio as an API Gateway: Istio As An API Gateway Discussion Flow ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● Challenges ● Where It Isn’t a Good Fit? What is an API Gateway? What is a Service Mesh? Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication ● Logging, Monitoring, Tracing API Gateway + Service Mesh together! Limitations of This Approach ● Maintaining Two Tools ● Maintaining Two Expert Pools Istio as the API Gateway Advantages ● (码力 | 27 pages | 1.11 MB | 1 year ago)
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices: Creating API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive API tests • Problem: – Creating API tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application. Significantly reduced time and cost for API testing for microservices architectures with Istio – Fewer failures higher up the test pyramid as a result of improved API tests • Istio benefits – Venky / Prasad (码力 | 21 pages | 1.09 MB | 1 year ago)
Istio Security Assessment: 26dacdde40968a37ba9eaa864d40e45051ec5448 Key Findings • There was a lack of validation on the VirtualService Gateway fields that could allow route hijacking • In testing, it did not appear to be possible to secure Security Related Documentation 016 High Lack of VirtualService Gateway Field Validation Enables Request Hijacking 017 High Ingress Gateway Configuration Generation Enables Route Hijacking 023 High Pilot Google Istio Security Assessment Google / NCC Group Confidential Finding Lack of VirtualService Gateway Field Validation Enables Request Hijacking Risk High Impact: High, Exploitability: Medium Identifier (码力 | 51 pages | 849.66 KB | 1 year ago)
宋净超: From Open Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise: (Service) POD Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress Mesh can include VMs ● Multi tenancy ● Traffic shaping and canary controls, & egress controls ● API GW is part of the mesh ● Workflows for collaborative agility More About Multi Cluster ● Multi tenancy ● Resource hierarchy ● NGAC Two-tier Gateway ● Tier-1 Gateways sit and route traffic to the mesh-managed services inside the cluster. Two-tier Gateway Traffic Flow Cloud Vendor Gateway Consolidation TSB allows service discovery and communication via the NodePort (码力 | 30 pages | 4.79 MB | 6 months ago)
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio: #IstioCon eBay Applications eBay is powered by ● More than 5,000 Microservices ranging from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems Capture Traffic Management & Routing intent as “Access Point” Specs ○ Leverage Istio object model: Gateway, VirtualService, DestinationRules, etc. apiVersion: apps.cloud.io/v1 kind: AccessPoint metadata: AvailabilityZone traffic: gateways: - apiVersion: networking.istio.io/v1beta1 kind: Gateway spec: ... virtualServices: - apiVersion: networking.istio.io/v1beta1 (码力 | 22 pages | 505.96 KB | 1 year ago)
Is Your Virtual Machine Really Ready-to-go with Istio?: Istio control plane through a Gateway ○ WorkloadEntry created ■ VM sidecar is made aware of all services in the cluster ○ DNS name resolved ■ gets routed through the gateway to the service ● The data ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple networks ● all goes through the Gateway ● via L3 networking (if enhanced performance is desired) #IstioCon Demo for a bootstrap certificate, then place that bootstrap certificate on the VM ■ Dependency on K8s API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation (码力 | 50 pages | 2.19 MB | 1 year ago)
Istio audit report - ADA Logics - 2023-01-30 - v1.0: repository Repository https://github.com/istio/istio Language Golang Istio API definitions Repository https://github.com/istio/api Language Golang Istio documentation Repository https://github.com/istio/istio Sidecar or Ingress Gateway Low to high Ingress traffic can have the lowest level of privilege. As it enters the mesh it crosses a trust boundary. Ingress Sidecar or Ingress Gateway Proxy Low to high Traffic flowing from Ingress Sidecar or Ingress Gateway to a Proxy might be required to pass further security policies. Proxy Service Low to high Incoming traffic to proxy can be coming from outside (码力 | 55 pages | 703.94 KB | 1 year ago)
Istio Service Mesh at Enterprise Scale: autoscaling Hub and Spoke API Gateway Book Info Payments Product Info ✓ Security ✓ Visibility ✓ Traffic Shaping ✘ Latency ✘ Single Point of Failure Service Mesh API Gateway Book Info Payments Management of Istio installation ● Self-service mesh enablement for service owners Demo Admiral API Gateway Payments Product Info Proxy Proxy Proxy Book Order Proxy + k8s (码力 | 12 pages | 1.23 MB | 1 year ago)
Automate mTLS communication with GoPay partners with Istio: ● A few hundred developers ● Multiple Kubernetes Clusters ● 250+ microservices ● 150M+ internal API calls ● 3000+ deployments every week ● REST as well as gRPC services ● Services written in Golang agent installed, this is also used by our partners as well. Ingress Mutual TLS ● Using Istio Gateway mechanism with mode MUTUAL ● Leverage subjectAltNames to verify client SAN ● Additional AuthorizationPolicy Works ● Migrating Egress TLS origination mechanism to using Egress Gateway, we are blocked because we are using Istio 1.6 and Egress gateway does not support adding certificate via SDS (Istio #14039). Thank You (码力 | 16 pages | 1.45 MB | 1 year ago)
Istio Project Update: Cluster 2 API server API server Ingress Ingress Service A Service B Service B Mirror Simplified Istio Multicluster Model #IstioCon Istiod Cluster API server Gateway Service A #IstioCon Istio Standardize APIs Adopt Kubernetes service API Protocol declaration in Kubernetes service descriptor Transform informal API to formal API External authz #IstioCon analyze describe bug-report (码力 | 22 pages | 1.10 MB | 1 year ago)