Istio Service Mesh at Enterprise Scale
Jason Webb Vrushali Joshi Istio Service Mesh at Enterprise Scale Feb, 2021 Who are we? Founded 5,000 Developers 50M Customers 1993 IPO $6.8B FY19 Revenue 20 Locations 1983 Why Service
0 credits | 12 pages | 1.23 MB | 1 year ago 3
Jimmy Song (宋净超): From Open-Source Istio to Enterprise-Grade Service: How to Adopt a Service Mesh in the Enterprise
OSS to Enterprise Service Mesh 宋净超 (Jimmy Song) September 24, 2022 Shanghai, China Cloud Native Application Networking Secure, Observe and manage microservices Outline ● Background ● Enterprise Service Istio ● Why not Istio OSS? ● Problems unsolved ○ Multi-cluster and VM (lower onboarding cost) ○ Enterprise team structure gap (Workspace, Tenants, etc) ○ UI&UX Background ● Leads to complexity and lack service discovery and communication via the NodePort service type instead of a LoadBalancer Architecture ● Multi cluster ● Multi mesh ● Components ○ Management plane ○ Global control plane ○ Local
0 credits | 30 pages | 4.79 MB | 6 months ago 3
Is Your Virtual Machine Really Ready-to-go with Istio?
Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift and shift ● Packaged software ○ Non-Linux ○ unikernels available ○ Virtual Machine Installation to get started. ○ Virtual Machine Architecture to learn about the high level architecture of Istio’s virtual machine integration. ○ Debugging Virtual Machines to security model for end-to-end key protection #IstioCon Legacy VNF CNF: Option 1 ● Recommended architecture ● But… not adorable for legacy service owners sometimes #IstioCon Legacy VNF CNF: Option
0 credits | 50 pages | 2.19 MB | 1 year ago 3
IstioCon 2021 Report
build the next generation 5G platform I want to sketch a mesh for you Istio service mesh at enterprise scale Improving security with Istio What Envoy hears when Istio speaks Company presenting
0 credits | 18 pages | 912.89 KB | 1 year ago 3
Using Istio to Build the Next 5G Platform
Aspen Mesh. All rights reserved. https://medium.com/5g-nr/5g-service-based-architecture-sba-47900b0ded0a 5G Architecture 4 ©2021 Aspen Mesh. All rights reserved. Key Platform Requirements Multi-Vendor Implementation 5G Architecture Looks a Lot Like a Mesh? 6 ©2021 Aspen Mesh. All rights reserved. https://medium.com/5g-nr/5g-service-based-architecture-sba-47900b0ded0a 5G Architecture with Istio 7 Management Powerful Layer 7 (HTTP/2) routing 8 ©2021 Aspen Mesh. All rights reserved. Architecture Options 9 ©2021 Aspen Mesh. All rights reserved. Namespace Level Tenancy Control Plane
0 credits | 18 pages | 3.79 MB | 1 year ago 3
Istio Security Assessment
Google’s Istio subject matter experts. Scope NCC Group’s evaluation of Istio included: • Istio Architecture: The overall design and architecture of Istio as it is deployed within common environments such documentation and security guides hosted on istio.io. NCC Group started the assessment with an overall architecture review which extrapolated areas of focus for subsequent phases of the assessment. A test plan Assessment Google / NCC Group Confidential Dashboard Target Metadata Engagement Data Name Istio Type Architecture Review and Code-Assisted Security Assessment Type Kubernetes Service Mesh Method Code-assisted
0 credits | 51 pages | 849.66 KB | 1 year ago 3
Service mesh security best practices: from implementation to verification
Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack vectors. ● ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations Workload Service Privilege Escalation Application Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall
0 credits | 29 pages | 1.77 MB | 1 year ago 3
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc. ■ Full Evolve into AZ based architecture ● Dial-tone security with Trust Domain ● L7 policy enforcement Step 1 Step 2 Step 3 Step 4 Declarative Intent Replace Hardware AZ Architecture Evolving Security Ingress Gateways One Istio Deployment per workload K8s cluster #IstioCon Step 3: Evolve into AZ architecture ● One Istio deployment per K8s cluster is simple, but traffic between clusters in same AZ
0 credits | 22 pages | 505.96 KB | 1 year ago 3
Secure your microservices with istio step by step
traffic ● Summary #IstioCon Istio Architecture Connect, secure, control, and observe services. #IstioCon Security Architecture #IstioCon Bookinfo architecture without service mesh ● Reviews-v1
0 credits | 34 pages | 67.93 MB | 1 year ago 3
Moving large scale consumer e-commerce Infrastructure to Mesh
Internet egress bandwidth over 100 TB/month ● Internal egress bandwidth ~2 PB/month #IstioCon Architecture Overview ● User traffic infrastructure - TW region, all 3 zones ● REST APIs for client traffic inter-service traffic ● Around 100+ microservices ● Majority of services written in Go #IstioCon Architecture Overview - Discovery and Routing ● Service Discovery and Configuration using Consul ● HTTP/TCP
0 credits | 14 pages | 1.76 MB | 1 year ago 3