Istio As An API Gateway Discussion Flow ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● Challenges Challenges ● Where It Isn’t a Good Fit? What is an API Gateway? What is a Service Mesh? Common Features Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication Logging, Monitoring, Tracing API Gateway + Service Mesh together! Limitations of This Approach ● Maintaining Two Tools ● Maintaining Two Expert Pools Istio as the API Gateway Advantages Advantages ● Same

26dacdde40968a37ba9eaa864d40e45051ec5448 Key Findings • There was a lack of validation on the VirtualService Gateway fields that could allow route hijacking • In testing, it did not appear to be possible to secure Security Related Documentation 016 High Lack of VirtualService Gateway Field Validation Enables Request Hijacking 017 High Ingress Gateway Configuration Generation Enables Route Hijacking 023 High Pilot Google Istio Security Assessment Google / NCC Group Confidential Finding Lack of VirtualService Gateway Field Validation Enables Request Hijacking Risk High Impact: High, Exploitability: Medium Identifier

services 1) Deploy bookinfo services with istio sidecar without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2 service without istio sidecar （ kubectl label namespace default istio-inj services 1) Deploy bookinfo services with istio sidecar without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2 service without istio sidecar （ kubectl label namespace default istio-inj ingress gateway: productpage-credential 3) Define a gateway which specifying above secret and define corresponding virtual service which configuring traffic routes Secure ingress gateway via TLS

POD Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress Mesh can include VMs ● Multi tenancy ● Traffic shaping and canary controls, across collaborative agility More About Multi Cluster ● Multi tenancy ● Resource hierarchy ● NGAC Two-tier Gateway ● Tier-1 Gateways sit at the application edge and are used in multi-cluster environments to route and route traffic to the mesh- managed services inside the cluster. Two-tier Gateway Traffic Flow Cloud Vendor Gateway Consolidation TSB allows service discovery and communication via the NodePort

leveraged in a Knative based platform - Istio as an Ingress Gateway • By default, Knative does not enable service mesh, it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor istio-system to ingress gateway which contains credentials for https support of multi tenants. • Knative has knative-ingress-gateway for external access and knative-local-gateway for cluster local access access. They use Istio gateway service istio-ingressgateway as its underlying service. Knative Activator or Application Front door design #IstioCon - Traffic Splitting, blue/green deployment How Istio

Istio control plane through a Gateway ○ WorkloadEntry created ■ VM sidecar is made aware of all services in the cluster ○ DNS name resolved ■ gets routed through the gateway to the service ● The data ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple networks ● all goes though the Gateway ● via L3 networking (if enhanced performance is desired) #IstioCon Demo packet inspection (DPI) ○ DDoS defense ○ Firewall ● Lack dedicated gateway support (architectural changes) ○ No separating out the gateway used for untrusted user traffic from the internal mesh traffic

ingress svcB envoy envoy Pod1：10.244.0.19 Pod2：10.244.0.25 Dest: 127.0.0.1 Src：127.0.0.1 Ingress gateway ELB ingress EIP: 192.168.1.100 #IstioCon What does envoy provide? - Original source filter svcB envoy envoy Pod1：10.244.0.19 Pod2：10.244.0.25 Dest: 127.0.0.1 Src：100.10.10.10 Ingress gateway ELB ingress EIP: 192.168.1.100 TOA or Proxy Protocol Dest: 192.168.1.10 Src：100.10.10.10 Proxy ① Ingress gateway only need enable Proxy Protocol Transport Socket. #IstioCon Preserve TCP Original Src Addr - ingress - If ingress traffic is using proxy protocol ① Ingress gateway should set “envoy

Capture Traffic Management & Routing intent as “Access Point” Specs ○ Leverage Istio object model: Gateway, VirtualService, DestinationRules, etc. apiVersion: apps.cloud.io/v1 kind: AccessPoint metadata: AvailabilityZone traffic: gateways: - apiVersion: networking.istio.io/v1beta1 kind: Gateway spec: ... virtualServices: - apiVersion: networking.istio.io/v1beta1 Controllers Istiod Network Load Balancer (NLB) Network Load Balancer (NLB) Ingress Gateway Ingress Gateway Pods Request Traffic Response Traffic Specs synced from Federated Access Point

概览 • 控制面下发流量规则： Pilot • 数据面标准协议：xDS • 集群内Pod流量出入： Sidecar Proxy • 集群外部流量入口：Ingress Gateway • 集群外部流量出口：Egress Gateway（可选,在一个集中点对外部访问进行控制） • Service discovery • Load balancing • Time out • Retries • Circuit Adapter https://github.com/istio-ecosystem/consul-mcp 欢迎大家试用、共建！ 4 Istio 流量管理 – 控制面 – 流量管理模型 Gateway Virtual Service Destination Rule 外部请求 内部客户端 Service2 Service1 网格内部 定义网格入口 • 服务端口 • Host • TLS 配置 Host 路由 • 根据 Header • 根据 URI 路由 目的地流量策略配置 • LB 策略 • 连接池配置 • 断路器配置 • TLS 配置 Gateway External Service 统一网格出口 • 出口地址（Gateway Workload） • 出口端口 Virtual Service CLB 对外请求 对外请求（Passthrough/ServiceEntry） 缺省路由

Sidecar or Ingress Gateway Low to high Ingress traffic can have the lowest level of privilege. As it enters the mesh it crosses a trust boundary. Ingress Sidecar or Ingress Gateway Proxy Low to high high Traffic flowing from Ingress Sidecar or Ingress Gateway to a Proxy might be required to pass further security policies. Proxy Service Low to high Incoming traffic to proxy can be coming from outside boundaries. Untrusted traffic enters the Istio service mesh as ingress traffic through an ingress Gateway. Attack surface enumeration Any elevation of privilege in Istio is considered a security issue