How Are Certificates Managed in Istio?

I mentioned in my last article on understanding mTLS traffic encryption in Istio that the key to traffic encryption is certificate management. We can use the built-in certificate authority (CA) in Istio or a custom CA to manage certificates within the mesh. This blog post will explain how Istio handles certificate management.

Read More

How Istio’s “Ambient Mode” Transparent Proxy—tproxy—Works Under the Hood

Istio’s new “ambient mode” is an experimental, “sidecar-less” deployment model for Istio. Instead of a sidecar proxy in front of every workload, ambient mode uses tproxy and HTTP Based Overlay Network Environment (HBONE) as key technologies for transparent traffic intercepting and routing that we covered in our recent article on transparent traffic intercepting and routing in the L4 network of Istio Ambient Mesh. In this article, we’ll take a closer look at tproxy and how it’s used.

Read More
How to Use SkyWalking for Distributed Tracing in Istio

How to Use SkyWalking for Distributed Tracing in Istio

In cloud native applications, a request often needs to be processed through a series of APIs or backend services, some of which are parallel and some serial and located on different platforms or nodes. How do we determine the service paths and nodes a call goes through to help us troubleshoot the problem? This is where distributed tracing comes into play.

This article covers:

  • How distributed tracing works
  • How to choose distributed tracing software
  • How to use distributed tracing in Istio
  • How to view distributed tracing data using Bookinfo and SkyWalking as examples
Read More
mTLS Traffic Encryption
Istio, mTLS, Service Mesh, Zero Trust

How Istio’s mTLS Traffic Encryption Works as Part of a Zero Trust Security Posture

The Istio service mesh offers cloud native deployments a standard way to implement automatic mutual transport layer security (mTLS). This reduces the attack surface of network communication by using strong identities to establish encrypted channels between workloads within the mesh that are both confidential and tamper-resistant. mTLS is a key component for building zero-trust application networks. To understand mTLS traffic encryption in Istio, this article will cover the following:

  • An overview of TLS, mTLS, and TLS termination
  • An introduction to howTLS encryption works in Istio
  • How to use Istio to implement mTLS in Kubernetes
  • A discussion of when you do and don’t need mTLS
Read More
L7 Traffic
Istio, Service Mesh

L7 Traffic Path in Ambient Mesh

In my last blog, I introduced transparent traffic intercepting and L4 routing in Ambient mode. In this blog, I will show you how L7 traffic is routed.

The figure below shows the L7 network traffic path in ambient mode.

Figure 1: L7 network traffic in ambient mesh
Note: The Waypoint proxy can be located on the same node as the application, and even all of the service and the Waypoint proxy can be on the same node. I draw them on three nodes for display purposes, but it has no significant impact on the actual traffic path, except that it is no longer sent to another node via eth0.

In the following section, we will explore the process in Figure 1 from a hands-on perspective.

Read More
Gateway API Is the Unified Future of Ingress
API Gateway, Istio, Kubernetes, Service Mesh

Why the Gateway API Is the Unified Future of Ingress for Kubernetes and Service Mesh

In this blog, you will learn about the Kubernetes Ingress Gateway, the Gateway API, and the emerging Gateway API trend, which enables the convergence of Kubernetes and service mesh.


  • Ingress, the original gateway for Kubernetes, has a resource model that is too simple to fit into today’s programmable networks.
  • The Gateway API, the latest addition to the Kubernetes portal gateway, separates concerns through role delineation and provides cross-namespace support to make it more adaptable to multi-cloud environments. Most API gateways already support it.
  • The Gateway API provides a new reference model for the convergence of ingress gateways (north-south) and service mesh (east-west, cross-cluster routing), where there is a partial functional overlap.
Read More
Istio Ambient Mesh
Istio, Service Mesh

Transparent Traffic Intercepting and Routing in the L4 Network of Istio Ambient Mesh

Ambient mesh is an experimental new deployment model recently introduced to Istio. It splits the duties currently performed by the Envoy sidecar into two separate components: a node-level component for encryption (called “ztunnel”) and an L7 Envoy instance deployed per service for all other processing (called “waypoint”). The ambient mesh model is an attempt to gain some efficiencies in potentially improved lifecycle and resource management. You can learn more about what ambient mesh is and how it differs from the Sidecar pattern here.

Read More
Future of Istio
Istio, Zero Trust

The Future of Istio: the Path to Zero Trust Security

In September 2022, Istio became a CNCF incubation project and launched the new Ambient Mesh. With CNCF’s strong community and marketing resources, and Ambient Mesh further lowering the barrier to trying Istio, the five year old open source project has been revitalized.

If you don’t know about service mesh and Istio, or are curious about the future of Istio, this eBook—The Current State and Future of the Istio Service Mesh will give you the answers. The following is an excerpt from the book. In my view, the future of Istio lies in being the infrastructure for zero-trust network and hybrid cloud.

Read More