I have a private cloud network (using k8s with Istio) and I want to access a legacy service on a legacy network.
I want to use mTLS to authenticate the pod from k8s and allow it to access the legacy service.
How can I do that?
I'm thinking about creating a new k8s cluster on the legacy network with Istio enabled and creating an ingress gateway in it. The goal is that the pod on the cloud will talk to the Istio ingress gateway in the legacy network (so we can authenticate and authorize the access to the service in the legacy network).
What I don't know is: can the Istio ingress gateway in the legacy network forward the traffic to legacy services? And if yes, how can I do it?
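As an added example (not from this thread or the Istio project docs), here is the shape of the configuration the question describes, applied to the cluster on the legacy network: a gateway that requires a client certificate, a ServiceEntry for the legacy server, a VirtualService that routes gateway traffic to it, and an authorization policy that only admits the calling pod's identity. Every name, IP and identity is a placeholder; it assumes the secret `legacy-gw-credential` holds the gateway's `tls.crt`/`tls.key` plus the cloud mesh's root CA as `ca.crt`, and that the caller presents its Istio-issued SPIFFE certificate so the gateway can populate the source principal.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata: {name: legacy-bridge-gw, namespace: istio-system}
spec:
  selector: {istio: ingressgateway}
  servers:
  - port: {number: 443, name: https-mtls, protocol: HTTPS}
    hosts: ["legacy-app.internal"]          # placeholder hostname
    tls:
      mode: MUTUAL                          # require and verify the caller's client certificate
      credentialName: legacy-gw-credential  # assumed secret: tls.crt, tls.key, ca.crt (cloud mesh root)
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata: {name: legacy-app, namespace: istio-system}
spec:
  hosts: ["legacy-app.internal"]
  location: MESH_EXTERNAL                   # the legacy server has no sidecar
  resolution: STATIC
  ports:
  - {number: 8080, name: http, protocol: HTTP}
  endpoints:
  - address: 10.20.30.40                    # placeholder: legacy server's IP on the legacy network
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: legacy-app, namespace: istio-system}
spec:
  hosts: ["legacy-app.internal"]
  gateways: [legacy-bridge-gw]              # bind to the mTLS gateway above, not the mesh
  http:
  - route:
    - destination:
        host: legacy-app.internal           # resolves through the ServiceEntry
        port: {number: 8080}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata: {name: legacy-bridge-allow, namespace: istio-system}
spec:
  selector:
    matchLabels: {istio: ingressgateway}    # enforce at the gateway workload
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/cloud/sa/app"]  # placeholder SPIFFE identity of the calling pod
```

On the cloud side the pod's sidecar still needs a DestinationRule (tls mode `ISTIO_MUTUAL`, or `MUTUAL` with explicit client credentials) for the gateway's VIP so it originates mTLS rather than plain HTTPS.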
An alternate approach to using another cluster or mesh expansion would be to deploy a proxy that can perform as a bridge between Istio and your legacy services. I wrote about this in the following blog post:
The example uses F5 BIG-IP (my employer), but it could work with any proxy capable of mTLS.
@incfly no, I have direct IP reachability between k8s nodes and the VIP of the Istio gateway on the “legacy” network (so pods can create mTLS connections directly to the Istio gateway on the “legacy” network).
What I need to know is how to route traffic from my k8s pod to servers on the “legacy” network using the Istio gateway.
I think, at a high level, you can basically do multi-cluster: the cluster on the legacy network has its own mesh expansion VMs, and then the gateway forwards the traffic from the new network cluster's pods to the VMs via the gateway.