When mTLS is enabled, does TLS need to be setup within the App itself

So I have enabled mTLS in the root namespace (istio-system), which should enforce a STRICT mTLS policy between all pods via their istio-proxy. Really nice and easy to do.

Here is an example of what my config kind of looks like (mine is in the istio-system namespace): [Istio / Mutual TLS Migration](mTLS PeerAuthentication config example).

Do I need to worry about encrypting communication at the app level?
Say with my Spring Boot application, do I need to generate my own certificates and enable TLS within the app, or is my PeerAuthentication config mentioned above enough from a security standpoint?

Thanks in advance :slight_smile:

Hi Jim!

As for your applications that are inside the mesh, Istio enabled at the namespace level provides you with the encryption in transit and the certificate management necessary.

I’d suggest you review the Security concepts page for more details and other important configurations.

Another point is that if you are storing persistent data, Istio does not encrypt it at rest. If that’s the case, you need to look for other alternatives.

Hope this can help!
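The mesh-wide policy the question refers to, written out as an added example rather than the poster's own config or anything from the linked Istio page. It assumes the Istio convention of a PeerAuthentication named `default` in the root namespace (istio-system, as stated in the question); the comments record what the policy does and does not cover, which is the point of the answer above.

```yaml
# Mesh-wide mTLS: a PeerAuthentication in the root namespace (istio-system)
# applies to every workload in the mesh that has no narrower policy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default          # conventional name for the mesh-wide default policy
  namespace: istio-system
spec:
  mtls:
    # STRICT: the sidecar accepts only mTLS connections from other sidecars
    # and rejects plaintext. Because the sidecar terminates TLS, the app
    # (e.g. Spring Boot) keeps listening in plaintext on localhost only;
    # it does not need its own certificates for in-mesh traffic.
    mode: STRICT
---
# Optional narrower policy (assumed example): a namespace still hosting
# workloads without a sidecar can be kept on PERMISSIVE during migration.
# A workload- or namespace-level PeerAuthentication overrides the mesh-wide one.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy-apps  # placeholder namespace, not from the original post
spec:
  mtls:
    mode: PERMISSIVE      # accepts both mTLS and plaintext; tighten to STRICT once all pods have sidecars
```

Neither policy covers data at rest or traffic to destinations outside the mesh; those still need their own controls, as the answer notes.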