Aspen Mesh. All rights reserved. https://medium.com/5g-nr/5g-service-based-architecture-sba-47900b0ded0a 5G Architecture 4 ©2021 Aspen Mesh. All rights reserved. Key Platform Requirements Multi-Vendor Implementation 5G Architecture Looks a Lot Like a Mesh? 6 ©2021 Aspen Mesh. All rights reserved. https://medium.com/5g-nr/5g-service-based-architecture-sba-47900b0ded0a 5G Architecture with Istio 7 Management Powerful Layer 7 (HTTP/2) routing 8 ©2021 Aspen Mesh. All rights reserved. Architecture Options 9 ©2021 Aspen Mesh. All rights reserved. Namespace Level Tenancy Control Plane

Google’s Istio subject matter experts. Scope NCC Group’s evaluation of Istio included: • Istio Architecture: The overall design and archi- tecture of Istio as it is deployed within common environments such documentation and secu- rity guides hosted on istio.io. NCC Group started the assessment with an overall architecture review which extrapolated areas of focus for subsequent phases of the assessment. A test plan Assessment Google / NCC Group Confidential Dashboard Target Metadata Engagement Data Name Istio Type Architecture Review and Code-Assisted Security Assessment Type Kubernetes Service Mesh Method Code-assisted

Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack vectors. ● ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations Workload Service Privilege Escalation Application Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall

etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc. ■ Full Evolve into AZ based architecture ● Dial-tone security with Trust Domain ● L7 policy enforcement Step 1 Step 2 Step 3 Step 4 Declarative Intent Replace Hardware AZ Architecture Evolving Security Ingress Gateways One Istio Deployment per workload K8s cluster #IstioCon Step 3: Evolve into AZ architecture ● One Istio deployment per K8s cluster is simple, but traffic between clusters in same AZ

traffic ● Summary #IstioCon Istio Architecture Connect, secure, control, and observe services. #IstioCon Security Architecture #IstioCon Bookinfo architecture without service mesh ● Reviews-v1

available ○ Virtual Machine Installation to get started. ○ Virtual Machine Architecture to learn about the high level architecture of Istio’s virtual machine integration. ○ Debugging Virtual Machines to security model for end-to-end key protection #IstioCon Legacy VNF  CNF: Option 1 ● Recommended architecture ● But… not adorable for legacy service owners sometimes #IstioCon Legacy VNF  CNF: Option

Internet egress bandwidth over 100 TB/month ● Internal egress bandwidth ~2 PB/month #IstioCon Architecture Overview ● User traffic infrastructure - TW region, all 3 zones ● REST APIs for client traffic inter-service traffic ● Around 100+ microservices ● Majority of services written in Go #IstioCon Architecture Overview - Discovery and Routing ● Service Discovery and Configuration using Consul ● HTTP/TCP

service discovery and communication via the NodePort service type instead of a LoadBalancer Architecture ● Multi cluster ● Multi mesh ● Components ○ Management plane ○ Global control plane ○ Local k8s cluster in the DMZ zone ● Simpler and better VM onboarding expereince ● Better zero trust architecture DMZ F5 -> Two Tier Gateway • Istio Fundamentals (Free), En/中文 • Envoy Fundamentals (Free)

Acceleration(same host) Istio Meetup China ebpf Background Knowledge Loader & Verification Architecture https://ebpf.io/what-is-ebpf/ Istio Meetup China ebpf Background Knowledge map ● Share collected

responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: 11 Istio Security Audit, 2023 Trust boundaries We identify the following trust boundaries: