Public facing endpoints - security recommendations


We have a k8s cluster (one node group) with Istio in private subnets (ingress controller and service entries configured for our apps). We have an nginx EC2 in a DMZ subnet, and a public LB to receive requests from the Internet. [ requests → public LB → nginx → k8s/istio (apps) ]

We are in the process of moving nginx to k8s/istio. Is there any recommendation/article, in terms of security and perf, on how to configure Istio for this “public facing endpoint”?
[ requests → public LB → k8s/istio (nginx) → same k8s/istio (apps) ]

We are thinking about creating a new istio ingress controller just for this nginx (with k8s network policies + istio auth policies), and leave the other istio ingress controller we have for the rest of our apps.

Note: the long-term goal is to remove that nginx functionality (we included some custom security configurations) and include it in Istio.
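The design sketched above (a dedicated ingress gateway for nginx, fenced off with a k8s NetworkPolicy and an Istio AuthorizationPolicy), as an added example that is not from this thread or from the Istio project. It assumes a second ingress gateway Deployment already exists in istio-system with pod label istio=public-ingressgateway and service account public-ingressgateway-service-account, that nginx runs in namespace nginx-edge with label app=nginx-edge, and that mesh-wide STRICT mTLS is on; hostname and TLS secret name are placeholders.

```yaml
# Constructed example (not from the thread): a dedicated Istio ingress gateway for
# the nginx edge workload, plus an AuthorizationPolicy and NetworkPolicy so that only
# that gateway can reach nginx. Assumes a second gateway Deployment already exists in
# istio-system with pod label istio=public-ingressgateway and service account
# public-ingressgateway-service-account, and nginx runs in namespace nginx-edge
# with label app=nginx-edge. Hostname and TLS secret name are placeholders.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata: {name: public-edge, namespace: nginx-edge}
spec:
  selector: {istio: public-ingressgateway}   # bind only to the dedicated gateway pods
  servers:
  - port: {number: 443, name: https, protocol: HTTPS}
    tls: {mode: SIMPLE, credentialName: public-edge-tls}   # TLS terminated at the gateway
    hosts: ["edge.example.com"]
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: public-edge, namespace: nginx-edge}
spec:
  hosts: ["edge.example.com"]
  gateways: ["public-edge"]   # not bound to "mesh", so in-mesh traffic is unaffected
  http:
  - route:
    - destination: {host: nginx-edge.nginx-edge.svc.cluster.local, port: {number: 80}}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata: {name: nginx-edge-from-public-gw, namespace: nginx-edge}
spec:
  selector: {matchLabels: {app: nginx-edge}}
  action: ALLOW   # once any ALLOW policy matches a workload, everything else is denied
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/public-ingressgateway-service-account"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: nginx-edge-from-public-gw, namespace: nginx-edge}
spec:
  podSelector: {matchLabels: {app: nginx-edge}}
  policyTypes: [Ingress]
  ingress:
  - from:   # L3/L4 backstop: only the dedicated gateway pods may open a connection
    - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: istio-system}}
      podSelector: {matchLabels: {istio: public-ingressgateway}}
```

The AuthorizationPolicy checks the mTLS identity at L7 and the NetworkPolicy is enforced by the CNI below the sidecar, so each still holds if the other is misconfigured; the apps' existing ingress gateway keeps its own Gateway resources and is untouched by this.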


For public-facing endpoints, I found this, which may be useful: