Communication between Ingress gateway and microservices

Hi All, We are using Istio in EKS. We have enabled mesh-level mTLS. When we try to access an application from the Load balancer, we created a gateway with TLS mode SIMPLE, so from the Load Balancer to the Ingress gateway the connection will be HTTPS, but in the ingress gateway the TLS will get terminated, so will the connection between the ingress gateway and the microservices be HTTP, or, since we enabled mTLS, will it be mTLS?

  1. Connection from Load balancer to Ingress gateway --> TLS
  2. Connection from Ingress gateway to sidecar of a microservice: HTTP or mTLS?
  3. Connection from sidecar to microservice: HTTP?

@Dinesh3467 The connection from the Ingress gateway to the sidecar of a microservice will be mTLS if you installed/configured Istio with mutual TLS authentication enabled, otherwise plain HTTP requests.
The same is true for the connection from sidecar to microservice.


Thanks Mudit Singh for your response.
We have enabled mTLS at mesh level, so based on your comment we take it that the connection between ingress gateway and sidecar is mTLS. But could you please confirm how the connection between the sidecar and the microservice will be mTLS? As the mTLS initiated by the sidecar using the certificates generated by Citadel will not be able to trust the microservice.

Found this: Sidecar to Service communication. As it was discussed earlier, sidecar-to-service communication is not mTLS due to complications.
Maybe in future they will make it more secure.

Thanks Mudit for this response. So now I can confirm the below things based on your comment:

  1. TLS termination happens at the ingress gateway.
  2. Communication between ingress and sidecar is mTLS if mTLS is enabled.
  3. Communication between sidecar and microservice is currently only HTTP.

Only way is to use PASSTHROUGH mode.

So in PASSTHROUGH mode, the connection will be transparent passthrough in both the ingress gateway and the sidecar.

Cleared my doubts also, thanks.

Hi Mudit, I have a requirement to create a gateway with both TLS mode SIMPLE and PASSTHROUGH enabled. Both will be using different hosts; can I create something like this?

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https-httpbin
      protocol: HTTPS
    tls:
      mode: SIMPLE # TLS terminated at the gateway
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts: # host list for the SIMPLE server (not shown in the post)
  - port:
      number: 443
      name: https-bookinfo
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH # gateway forwards the TLS stream based on SNI
    hosts: # host list for the PASSTHROUGH server (not shown in the post)
EOF

I believe you can use it, but you have to use different configuration for the separate virtual services.
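As an added example (not from this thread or the Istio project), here is what "different configuration for the separate virtual services" means in practice: the terminated SIMPLE host is routed with an `http` rule, while the PASSTHROUGH host can only be routed with a `tls` rule matched on SNI, because the gateway never decrypts it. Host names, service names and ports are placeholders chosen for this example.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port: { number: 443, name: https-simple, protocol: HTTPS }
    tls:
      mode: SIMPLE             # gateway terminates TLS; hop to the sidecar is mesh mTLS
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "simple.example.com"     # placeholder host
  - port: { number: 443, name: https-passthrough, protocol: HTTPS }
    tls:
      mode: PASSTHROUGH        # gateway reads only the SNI and never decrypts
    hosts:
    - "passthrough.example.com" # placeholder host
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: simple-route
spec:
  hosts: ["simple.example.com"]
  gateways: [mygateway]
  http:                        # L7 rule: possible because the gateway decrypted the request
  - route:
    - destination:
        host: httpbin.default.svc.cluster.local   # placeholder service
        port: { number: 8000 }
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: passthrough-route
spec:
  hosts: ["passthrough.example.com"]
  gateways: [mygateway]
  tls:                         # L4 rule: match on SNI only, bytes stay encrypted end to end
  - match:
    - port: 443
      sniHosts: ["passthrough.example.com"]
    route:
    - destination:
        host: nginx.default.svc.cluster.local     # placeholder service, terminates TLS itself
        port: { number: 443 }
```

The workload behind the passthrough route must present its own certificate and terminate TLS, since neither the gateway nor its sidecar decrypts that stream; the trade-off is that you lose L7 routing, retries and request-level telemetry for that host.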