Istio As An API Gateway Discussion Flow ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● ● Challenges ● Where It Isn’t a Good Fit? What is an API Gateway? What is a Service Mesh? Common Features Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication Logging, Monitoring, Tracing API Gateway + Service Mesh together! Limitations of This Approach ● Maintaining Two Tools ● Maintaining Two Expert Pools Istio as the API Gateway Advantages Advantages

Creating API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive API tests • Problem: – Creating API tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application Significantly reduced time and cost for API testing for microservices architectures with Istio – Fewer failures higher up the test pyramid as a result of improved API tests • Istio benefits – Venky / Prasad

practices. Description Istio’s documentation is rather large but also has some gaps related to recent changes. Some blog posts describe security features that are now deprecated and some security features are Istio control plane along with a set of TCP services that it exposes. One of which is the “/debug” API hosted on 15014/TCP by default. This service exposes a web interface that is accessible without authentication remote: multi-cluster remote control plane setup • default: default settings of the IstioOperator API • demo: enables a variety of extra features • empty: provides a template • minimal: minimal config

WebAssembly (Wasm) support ● Secure by default ○ Secret Discovery Service (SDS) ○ Auto mTLS ● API and feature promotion ○ Networking/Security APIs ○ Virtual Machine expansion/Multi cluster mesh io/latest/blog/2020/tradewinds-2020/ #IstioCon Operational Excellence ● Detecting backwards incompatible changes ● Measuring developer efficiency ○ Test flakes ○ Feature and code coverage ● Feature promotion https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon Other improvement areas ● Native Kubernetes API integration ○ Kubernetes Service APIs ○ Kubernetes Multi-cluster APIs ● Adopt & drive innovation

for a bootstrap certificate, then place that bootstrap certificate on the VM ■ Dependency on K8s API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation packet inspection (DPI) ○ DDoS defense ○ Firewall ● Lack dedicated gateway support (architectural changes) ○ No separating out the gateway used for untrusted user traffic from the internal mesh traffic

AwesomeRPC Traffic in Istio? Pilot Envoy Code changes at the Pilot side: ● Add AwesomeRPC support in VirtualService API ● Generate LDS/RDS for Envoy Filter AwesomeRPC Filter ● Decoding/Encoding

Redesign Proposal #IstioCon #IstioCon “First and foremost: as a potential contributor, your changes and ideas are welcome at any hour of the day or night, weekdays, weekends, and holidays. Please ● Viewing changes as if they were live ● Linter is pretty specific ● Don't forget to update/create a test if the page changed is tested! #IstioCon Run make lint locally to verify changes and check

without context. GitHub asks developers and maintainers whether a pull request has user facing changes. ● If it does, the developer can easily add a release note. ● If it doesn’t, then the developer Notes #IstioCon Release Notes: As a result... ● Release notes are thought of up-front as part of changes, with context by the people who know the most about what’s being changed. ● Release notes and

Istio to Meet 5G Requirements 13 ©2021 Aspen Mesh. All rights reserved. ● Istio architectural changes ● SPIFFE only certificates ● Configuring workload certificate TTLs ● RSA to ECC migration ●

1 Istiod Cluster 2 API server API server Ingress Ingress Service A Service B Service B Mirror Simplified Istio Multicluster Model #IstioCon Istiod Cluster API server Gateway Service #IstioCon Istio Standardize APIs Adopt Kubernetes service API Protocol declaration in Kubernetes service descriptor Transform informal API to formal API External authz #IstioCon analyze describe bug-report