I have been playing a lot with Istio and recently tested mTLS encryption. The test, which I describe in this post, really materialized the OSI layer in front of my eyes. which is always
The entire concept of service mesh and Istio is exciting and revolutionary in my view… but just like any new groundbreaking tech, it takes a few cycles to realize how it manifests beyond the papers, blogs
Istio is a service mesh open source project from Google providing a control plane on top of Envoy proxies. As I wrote in a previous post it provides an abstraction layer for micro-services, abstracting operations that are not part the
Being a layer 7 service mean that it is operating within the boundaries of the protocols it understands which are
Lately, I have been giving Istio’s mTLS encryption a lot of thought. “If I can encrypt ALL of my traffic, how does that affect micro-segmentation?” since mTLS will encrypt the traffic between all micro-services does that mean that all communications will pass over 443 now, disabling the ability to set FW policies effectively? (if everything is the same port I cannot differentiate traffic)
How very wrong. It’s like I overlooked every basic networking training I’ve had in my life, but I guess sometimes one needs to test something to really understand it, and that’s what I did.
I setup Kubernetes with NSX-T as the networking layer and Istio installed on top injecting the Envoy sidecar to each deployed pod and deployed the
I then started clicking through the
You can see from the log that the services talk with each other all on port 9080. Cool. now to enable mTLS encryption in Istio:
First I configured a “mesh policy” that forces all proxies to accept only mTLS encrypted communications like this:
That made my app work again, so now its time to look at the wire with vRLI
What do you know, all the services still communicate on the same port! And that my friends, is when I realized what I missed big time. Its not the communications that’s is encrypted, ports etc is layer 4 stuff. What is encrypted is the data, the payload, the important stuff. And it has nothing to do with L4 ports or the l4 firewall being affected.
I felt a bit silly, but I had to test it to see it and it gave me a new found respect for
Feel the same? feel free to comment or tweet at me, would love to get your perspective on things.
[…] Istio’s service to service communication all flow through the envoy proxies. The Envoys can create mTLS tunnels between them where each service will have its certificate (identity) received from the Citadel component (the root CA of the mesh). The encryption is all happening on L7 meaning what gets encrypted is the payload, not the traffic. (See my earlier post about mTLS and the OSI layer here: http://cloud-abstract.com/istio-mtls-and-the-osi-layer/) […]