How can I use istio mtls stric mode with aks application routing add-on

Question

How can I use istio mtls stric mode with aks application routing add-on

Teoman Sevinc 0

Hi,

I'm using "the application routing add-on" in my aks cluster and I installed istio add-on. I added sidecar injection to istio member pods. I want to use mtls mode in strict.

Could you please advice me the best way of using the mtls in strict mode and open the ingress for the applications ?

should I use istio ingress gateway ? or can I use aks managed ingress (the application routing add-on) ?

1 answer

Your answer

Answer 1

Nikhil Duserla 7,935 Microsoft External Staff Moderator

Hi @Teoman Sevinc,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

The Istio Ingress Gateway is the optimal solution for controlling ingress traffic while enforcing mTLS in strict mode. This configuration guarantees secure communication between your services and efficiently manages TLS certificates.

You can lock down workloads in all namespaces to only accept mutual TLS traffic by putting the policy in the system namespace of your Istio installation- https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/

kubectl apply -n istio-system -f - <<EOF
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT
EOF

To set up mTLS in strict mode with Istio while enabling open ingress for applications in AKS, the Istio Ingress Gateway is the recommended approach. Configure the gateway to enforce mTLS, ensuring that both the gateway and backend services validate and present certificates.If you have any further queries, do let us know.

Teoman Sevinc 0 Reputation points

2025-02-20T10:36:06.3366667+00:00

Hi @Nikhil Duserla ,
Thank you for the swift response. We had used nginx-ingress in our clusters, after the "the application routing add-on" was released, we have started to use this add-on. we are able to use trusted certificate in our ingress and we can configure websocket communication and max file size limits in ingress objects.
I could find some documents regarding to istio ingress gateway but none of them is official microsoft documents.

Is the istio-ingress gateway as capable as the "the application routing add-on" ?
Nikhil Duserla 7,935 Reputation points Microsoft External Staff Moderator

2025-02-21T13:12:57.7033333+00:00

Hi @Teoman Sevinc,

Thank you for reaching out to us again.

The Istio Ingress Gateway and Azure Application Routing add-on serve similar purposes in managing ingress traffic to applications running in Kubernetes.

Istio Ingress Gateway is more advanced than Azure Application Routing add-on. Istio is a service mesh that provides advanced traffic management, security, and observability features. The Istio Ingress Gateway is a component of Istio that manages ingress traffic to the mesh. It offers more advanced capabilities, such as traffic splitting, retries, circuit breaking, and fine-grained access control. Provides advanced security features, including mutual TLS (mTLS) for service-to-service communication, fine-grained access control policies, and integration with external authentication providers.

Here is MS document for Azure Kubernetes Service (AKS) external or internal ingresses for Istio service mesh add-on deployment- https://learn.microsoft.com/en-us/azure/aks/istio-deploy-ingress?source=recommendations

If you have any further queries, do let us know.

Share via

How can I use istio mtls stric mode with aks application routing add-on

1 answer

Your answer