reviews-v2 and reviews-v3 can reach v2 as peer-authentication only defines behavior of server side and auto-mTLS is on by default Access productpage 1) Apply peer-authentication to enable server side mTLS mTLS mTLS in Istio - PeerAuthenticati on mTLS http http http http mTLS http #IstioCon Auto-mTLS in Istio ● Decide what type of traffic the client sidecar to send automatically ○ If DestinationRule gateway using istio cert ● PASSTHROUGH: pass through the TLS traffic using SNI and virtual Service ● AUTO_PASSTHROUGH: pass through the TLS traffic purely using SNI without VS apiVersion: networking.istio

● Validation of the proxy’s status for VM-based workloads #IstioCon V1.8 VM Auto Registration ● Experimental ● Auto-scaling ● Automatically add a WorkloadEntry for a VM instance that connects with allocation where possible ○ Multicluster DNS lookup #IstioCon V1.9 VM Integration, Beta! ● DNS_AUTO_ALLOCATE ○ Decoupled from DNS_CAPTURE ● Documents available ○ Virtual Machine Installation to get

-o jsonpath='{.status.loadBalancer.ingress[0].ip}' 3. In a separate namespace, "test" with sidecar auto-injection enabled, use an administra- tive account to kubectl -n test apply -f the samples/bookinfo/platform/kube/b NCC-GOIST2005-014 on page 27, there are a number of ways to do this, including by disabling sidecar auto-injection. Recommendation To prevent sidecar emulation by a compromised workload container, consider

capabilities ○ WebAssembly (Wasm) support ● Secure by default ○ Secret Discovery Service (SDS) ○ Auto mTLS ● API and feature promotion ○ Networking/Security APIs ○ Virtual Machine expansion/Multi cluster

certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) instead of auto ● Use dedicated egress gateways Tuning Istio to Meet 5G Security Requirements 12 ©2021 Aspen Mesh

#bugs-in-production, Reduced eng effort for testing, velocity) – Early testing of services components auto-generated from end-to-end tests – Significantly reduced time and cost for API testing for microservices