Secure Control of Egress Traffic in Istio, part 3

Secure Control of Egress Traffic in Istio, part 3

  • August 4, 2019
Table of Contents

Secure Control of Egress Traffic in Istio, part 3

Welcome to part 3 in our series about secure control of egress traffic in Istio. In the first part in the series, I presented the attacks involving egress traffic and the requirements we collected for a secure control system for egress traffic. In the second part in the series, I presented the Istio way of securing egress traffic and showed how you can prevent the attacks using Istio.

In this installment, I compare secure control of egress traffic in Istio with alternative solutions such as using Kubernetes network policies and legacy egress proxies and firewalls. Finally, I describe the performance considerations regarding the secure control of egress traffic in Istio. First, let’s remember the requirements for egress traffic control we previously collected: Support of TLS with SNI or of TLS origination.

Monitor SNI and the source workload of every egress access. Define and enforce policies per cluster. Define and enforce policies per source, Kubernetes-aware.

Prevent tampering. Traffic control is transparent to the applications.

Source: istio.io

Tags :
Share :
comments powered by Disqus

Related Posts

Visualizing Istio external traffic with Kiali

Visualizing Istio external traffic with Kiali

Suppose that you have an application using several third party services to store files, send messages, write tweets, etc. It is useful to know how much traffic is going off your mesh to these services, for example, you might want to know how many requests are directed to twitter or how much data is being sent to Dropbox. Also knowing if these requests are successful or if they fail.

Read More
Secure Control of Egress Traffic in Istio, part 1

Secure Control of Egress Traffic in Istio, part 1

This is part 1 in a new series about secure control of egress traffic in Istio that I am going to publish. In this installment, I explain why you should apply egress traffic control to your cluster, the attacks involving egress traffic you want to prevent, and the requirements for your system to do so. Once you agree that you should control the egress traffic coming from your cluster, the following questions arise: What requirements does a system have for secure control of egress traffic?

Read More
Architecting Istio 1.1 for Performance

Architecting Istio 1.1 for Performance

Hyper-scale, microservice-based cloud environments have been exciting to build but challenging to manage. Along came Kubernetes (container orchestration) in 2014, followed by Istio (container service management) in 2017. Both open-source projects enable developers to scale container-based applications without spending too much time on administration tasks.

Read More