Istio as an API Gateway
Istio As An API Gateway Discussion Flow ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● ● Challenges ● Where It Isn’t a Good Fit? What is an API Gateway? What is a Service Mesh? Common Features Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication Logging, Monitoring, Tracing API Gateway + Service Mesh together! Limitations of This Approach ● Maintaining Two Tools ● Maintaining Two Expert Pools Istio as the API Gateway Advantages Advantages
0 码力 | 27 pages | 1.11 MB | 1 year ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
Creating API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive API tests • Problem: – Creating API tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application Significantly reduced time and cost for API testing for microservices architectures with Istio – Fewer failures higher up the test pyramid as a result of improved API tests • Istio benefits – Venky / Prasad
0 码力 | 21 pages | 1.09 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
repository Repository https://github.com/istio/istio Language Golang Istio API definitions Repository https://github.com/istio/api Language Golang Istio documentation Repository https://github.com/istio/istio High Yes 10 H2c handlers are uncapped High High Yes 11 STS server is susceptible to DoS if debug mode is enabled High Medium Yes 17 Istio Security Audit, 2023 1: Possible disk exhaustion when extracting code where a user has explicitly opted into insecure mode, InsecureSkipVerify mode is enabled. As stated by the crypto/tls documentation: “In this mode, TLS is susceptible to machine-in-the-middle attacks
0 码力 | 55 pages | 703.94 KB | 1 year ago

Istio Security Assessment
Gateways. Note: The underlying implementation of the at-issue behavior appears to exist within the proxy mode of istio-agent. This may imply that any Istio sidecar — and, by extension, any Istio control plane Istio control plane along with a set of TCP services that it exposes. One of which is the “/debug” API hosted on 15014/TCP by default. This service exposes a web interface that is accessible without authentication into each workload. As discussed in finding NCC-GOIST2005-013 on page 18, by default, the “profiling” mode is also enabled which runs go trace profiling tools5 on the pilot binary itself which contains stack
0 码力 | 51 pages | 849.66 KB | 1 year ago

宋净超: From Open Source Istio to Enterprise-Grade Service: How to Adopt Service Mesh in the Enterprise
(Service) POD Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress Mesh can include VMs ● Multi tenancy ● Traffic shaping and canary controls reporting ● Service discovery across multiple clusters ● Fine-grained ingress & egress controls ● API GW is part of the mesh ● Workflows for collaborative agility More About Multi Cluster ● Multi tenancy minimal declarative configuration describing where to onboard the workload to Bridged Mode vs Direct Mode ● Bridged: Indicates that the configurations to be added to the group will use macro APIs
0 码力 | 30 pages | 4.79 MB | 6 months ago

Automate mTLS communication with GoPay partners with Istio
● A few hundred developers ● Multiple Kubernetes Clusters ● 250+ microservices ● 150M+ internal API calls ● 3000+ deployments every week ● REST as well as gRPC services ● Services written in Golang is also used by our partners as well. Ingress Mutual TLS ● Using Istio Gateway mechanism with mode MUTUAL ● Leverage subjectAltNames to verify client SAN ● Additional AuthorizationPolicy to add
0 码力 | 16 pages | 1.45 MB | 1 year ago

Secure your microservices with istio step by step
– reviews-v1 & v3 ○ Otherwise, send plain text – reviews-v2 ● Server side will be in PERMISSIVE mode by default #IstioCon mTLS in Istio - PeerAuthentication Defines what type of traffic the server "demo-peer-policy" namespace: "default" spec: selector: matchLabels: app: reviews mtls: mode: STRICT 1) Apply destination rule to enable client side mTLS mTLS in Istio - Destination rule Using can access reviews-v1, reviews-v3 can not access reviews-v2 since we have enabled ISTIO_MUTUAL mode on client side Access productpage 1) Apply destination rule enable client side mTLS mTLS in Istio
0 码力 | 34 pages | 67.93 MB | 1 year ago

Apache Kafka with Istio on K8s
listeners configured in PLAINTEXT mode Security layer provided by Istio 8 Security layer provided by Istio 9 • Kafka does not process client certificate in PLAINTEXT mode • Envoy WASM filter extracts
0 码力 | 14 pages | 875.99 KB | 1 year ago

Moving large scale consumer e-commerce Infrastructure to Mesh
control plane and related tooling ● Sidecar injection by namespace or on-demand ● Passthrough mode during rollout ● Service entry to connect internal proxy ● Kubernetes Cluster-IP services deployed improvements ● POCs for all known use-cases and features say mTLS, Outlier detection etc. ● Passthrough mode downgrades gRPC/http2 protocol to Http/1.1 ● Tune connection and TCP settings ● Handle signals gracefully
0 码力 | 14 pages | 1.76 MB | 1 year ago

IstioCon2023 Welcome Keynote
Multiplayer Istio WASM 1:15 What’s New Since 2022 CNCF Graduation Ambient Mesh A new dataplane mode for Istio without sidecars. Graduated Announcing Istio's graduation within the CNCF Join CNCF
0 码力 | 14 pages | 1.31 MB | 1 year ago