Securing Virtual Machine with Istio

Hi all!
I’m studying how to integrate a VM inside my Istio mesh. I don’t understand if it will install an Envoy proxy on the VM and how it protects the communication between pods and the VM.

If I have a service inside the VM on port 8080, do I also need to protect the VM with a firewall rule? Are the pods the only ones able to communicate with the service?
If I call the service from another VM, am I able to make requests against it?

@mcastro, I would like to chat to understand more.

@mcastro Istio currently supports VM security by installing an Envoy proxy and Istio agent on the VM, and configuring it so that all traffic is intercepted by the Envoy proxy. Both VM-to-VM traffic and pod-to-VM traffic are supported. And you can apply any Istio policies on VMs, just as it works for k8s pods.

@liminwang is there any documentation for configuring Istio policies on VMs? So far, I have not been able to find documentation on this other than the Istio documentation for adding a VM to your service mesh. Thank you

There is no separate documentation for Istio policies for VMs. WorkloadEntry/WorkloadGroup is the equivalent of pod/deployment. All the existing policies work the same way for VMs as for k8s pods. For example, you can use a label selector to select a group of VMs (WorkloadEntry) and apply policies to them.
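
The label-selector approach described in the reply above, written out as an added example that is not part of the original thread: a WorkloadGroup labels the VMs, and a PeerAuthentication plus an AuthorizationPolicy select that label to protect the service on port 8080. The namespaces, names, labels and service accounts are assumptions made up for illustration.

```yaml
# Constructed example: namespaces, labels and service-account names are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
metadata:
  name: legacy-app
  namespace: vm-apps
spec:
  metadata:
    labels:
      app: legacy-app               # copied onto each WorkloadEntry (one per VM)
  template:
    serviceAccount: legacy-app-sa   # identity the VM's sidecar presents
---
# Require mutual TLS for every workload carrying the label, VM or pod.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-app-mtls
  namespace: vm-apps
spec:
  selector:
    matchLabels:
      app: legacy-app
  mtls:
    mode: STRICT
---
# Allow only the named client identity to reach port 8080. Once an ALLOW
# policy selects a workload, requests matching no rule are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: legacy-app-allow-frontend
  namespace: vm-apps
spec:
  selector:
    matchLabels:
      app: legacy-app
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/web/sa/frontend"]
    to:
    - operation:
        ports: ["8080"]
```

These policies are enforced by the Envoy sidecar on the VM, so they apply to the traffic that the sidecar intercepts.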

check if the video helps you