In-mesh mTLS between frontend service and multiple backend services without load balancing

I’m trying to add istio to an existing Kubernetes application. The application consists of a frontend service, which in turn needs to talk to all pods from a set of backend services in order to gather some data and aggregate it. The frontend also sometimes talks to a specific backend, without any rerouting kicking in. In any case, the frontend talks to backends using HTTP and Websocket protocol.

I understand that this might not be the typical application for a service mesh. However, I want to get mTLS support, and I can accept to lose service subgroups for the moment. Also, I would like to configure istio to block other pods talking to the backends than the frontend service/pods … or do I mix up things like NetworkPolicies with istio?

The frontend monitors the set of backend service pods via the Kubernetes API, especially to learn the endpoint IPs for ready backend pods.

As a newcomer to istio and after spending some time with the examples and documentation, I’m still lost as to whether my goal is feasible.

If I don’t want to use routing, would then creating a VirtualService resource be sufficient for istio to use mTLS between frontend and backend?

For this, you need to create a DestinationRule; please refer to the docs.

Thanks! Am I understanding correctly that I would need to…?

  1. create a K8s Service resource for the backend pods, which is necessary so istio picks up the service, but both istio and I otherwise ignore this Service resource,
  2. create a VirtualService istio resource and set its load-balancer settings to (LoadBalancerSettings.SimpleLB) “PASSTHROUGH”.

Is this correct, so that traffic to any of the backend pod IP addresses gets passed on without rerouting, but with mTLS used and requests being traced by istio?
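The following manifests are an added example, not something posted in this thread or taken from the Istio project itself. They show the three pieces that together give the behaviour asked about above: sidecar-to-sidecar mTLS enforced for every workload in the namespace, a DestinationRule for the backend Service whose load balancer is set to PASSTHROUGH so the sidecar forwards to the pod IP the frontend actually dialled instead of picking an endpoint itself, and an AuthorizationPolicy that only lets the frontend's identity reach the backend pods. The namespace `app`, the Service name `backend`, the pod label `app: backend` and the service account `frontend` are assumed names for the example.

```yaml
# Added example, not from the thread. Assumed names: namespace "app",
# Service "backend", backend pods labelled app=backend, frontend pods
# running under the "frontend" service account.
---
# 1. Require mTLS for every sidecar in the namespace. Plaintext
#    connections from pods without a sidecar are rejected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: app
spec:
  mtls:
    mode: STRICT
---
# 2. The Kubernetes Service is still needed so Istio learns the backend
#    endpoints, but the PASSTHROUGH load balancer tells the sidecar to
#    connect to the original destination IP requested by the caller
#    (the specific backend pod) rather than balancing across endpoints.
#    ISTIO_MUTUAL makes the sidecar originate mTLS with the mesh
#    certificate on that connection.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: backend
  namespace: app
spec:
  host: backend.app.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    loadBalancer:
      simple: PASSTHROUGH
---
# 3. Only the frontend identity may talk to backend pods. With an ALLOW
#    policy selecting the backend pods, any request whose peer identity
#    does not match the listed principal is denied by the backend's
#    sidecar, which is the mesh-level equivalent of the NetworkPolicy
#    intent in the question (identity-based rather than IP-based).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend-allow-frontend-only
  namespace: app
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - "cluster.local/ns/app/sa/frontend"
```

Two points worth checking when applying this. The principal string is the SPIFFE identity Istio derives from the namespace and service account, so the frontend pods must actually run under that service account for the AuthorizationPolicy to admit them. For HTTP traffic the sidecar selects the route by the Host header, not by the IP dialled, so a request sent to a pod IP should still carry the Service hostname as its Host header to be matched against this DestinationRule; `istioctl x describe pod <backend-pod>` and `istioctl proxy-config cluster <frontend-pod>` are the usual ways to confirm that the cluster is ORIGINAL_DST and that mTLS is in effect.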