
Integrating Azure Application Gateway, AGIC and Istio

Was anyone able to integrate the three in the subject to achieve end-2-end TLS? To clarify, I'm talking about TLS between Application Gateway and Istio ingress. There are some threads on StackOverflow and there is an old issue on the AGIC GitHub repo, but I was not able to find any evidence it's really working. If someone has it working, can you share the setup?

• According to the Istio documentation, any request to the gateway will have two connections, viz., client downstream inbound connection to the gateway and client outbound connection to the destination as shown in the figure below: -

[Figure: TLS application gateway]

Thus, in the above scenario, consider the gateway as the Azure application gateway and the Istio ingress as the destination; as a result, both of these connections are independent TLS connections.

For TLS connections, there are a few more options:

a) What protocol is encapsulated? If the connection is HTTPS, the server protocol should be configured as HTTPS. Otherwise, for a raw TCP connection encapsulated with TLS, the protocol should be set to TLS.

b) Is the TLS connection terminated or passed through? For passthrough traffic, configure the TLS mode field to PASSTHROUGH: -

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    ...
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        tls:
          mode: PASSTHROUGH

In this mode, Istio will route based on SNI information and forward the connection as-is to the destination. Mutual TLS can be configured through the TLS mode MUTUAL. When this is configured, a client certificate will be requested and verified against the configured caCertificates or credentialName: -

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    ...
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        tls:
          mode: MUTUAL
          caCertificates: ...

The only difference is that you should be careful to consider the Gateway settings when configuring this. For example, if the Gateway is configured with TLS PASSTHROUGH while the DestinationRule configures TLS origination, you will end up with double encryption. This works but is often not the desired behavior.

A VirtualService bound to the gateway needs care as well to ensure it is consistent with the Gateway definition. In this scenario, consider the gateway to be the Azure application gateway, in the sense that its TLS settings are configured correctly. For more information, kindly refer to the Istio documentation below: -

https://istio.io/latest/docs/ops/configuration/traffic-management/tls-configuration/

https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/
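The answer above lists the settings that have to agree with each other (server protocol versus tls block, MUTUAL needing a CA, PASSTHROUGH on the Gateway versus TLS origination in a DestinationRule, and the VirtualService matching the Gateway). The following linter is an added example, not code from the question, the answer, Istio or Azure: it reads the JSON shape that `kubectl get gateway,virtualservice,destinationrule -o json` returns and reports those inconsistencies. The manifests embedded in it are constructed for the demo (names, hosts and namespaces are made up), the DestinationRule lookup assumes the route destination host and the DestinationRule host are written identically, and a tls block without a mode is treated as PASSTHROUGH, which is the enum default in the Istio API.

```python
import json
from fnmatch import fnmatch

TERMINATING = {"SIMPLE", "MUTUAL"}             # Gateway modes that terminate TLS
ORIGINATING = {"SIMPLE", "MUTUAL", "ISTIO_MUTUAL"}  # DestinationRule modes that originate TLS

# Constructed sample (trimmed to the fields used here) in the shape of
# `kubectl get gateway,virtualservice,destinationrule -o json` output.
SAMPLE_ITEMS = json.loads(r'''
[
 {"kind": "Gateway", "metadata": {"name": "appgw-ingress", "namespace": "istio-system"},
  "spec": {"servers": [
    {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
     "hosts": ["shop.example.test"], "tls": {"mode": "PASSTHROUGH"}},
    {"port": {"number": 8443, "name": "mtls", "protocol": "HTTPS"},
     "hosts": ["api.example.test"], "tls": {"mode": "MUTUAL"}}]}},
 {"kind": "VirtualService", "metadata": {"name": "shop", "namespace": "shop"},
  "spec": {"hosts": ["shop.example.test"], "gateways": ["istio-system/appgw-ingress"],
           "http": [{"route": [{"destination": {"host": "shop.shop.svc.cluster.local"}}]}]}},
 {"kind": "DestinationRule", "metadata": {"name": "shop", "namespace": "shop"},
  "spec": {"host": "shop.shop.svc.cluster.local", "trafficPolicy": {"tls": {"mode": "SIMPLE"}}}}
]''')


def _server_mode(server):
    """None when the server has no tls block; otherwise its mode (default PASSTHROUGH)."""
    tls = server.get("tls")
    return None if tls is None else tls.get("mode", "PASSTHROUGH")


def _host_matches(pattern, host):
    """Match a Gateway server host (optionally 'namespace/host', may be a wildcard)."""
    pattern = pattern.rpartition("/")[2]
    return pattern == "*" or fnmatch(host, pattern)


def _bound_to(vs, gw):
    """True if the VirtualService lists this Gateway as 'name' or 'namespace/name'."""
    for ref in vs["spec"].get("gateways", []):
        ns, _, name = ref.rpartition("/")
        if name == gw["metadata"]["name"] and ns in ("", gw["metadata"]["namespace"]):
            return True
    return False


def lint_gateway(gw):
    """Per-server checks: protocol/tls agreement, MUTUAL needs a CA, terminating modes need a cert."""
    findings = []
    for s in gw["spec"].get("servers", []):
        port = s.get("port", {})
        proto = str(port.get("protocol", "")).upper()
        where = f"Gateway {gw['metadata']['name']} port {port.get('number')}"
        tls = s.get("tls")
        if tls is None:
            if proto in ("HTTPS", "TLS"):
                findings.append(f"{where}: protocol {proto} but no tls block")
            continue
        mode = _server_mode(s)
        if proto not in ("HTTPS", "TLS"):
            findings.append(f"{where}: tls block on non-TLS protocol {proto or '(unset)'}")
        if mode == "MUTUAL" and not (tls.get("caCertificates") or tls.get("credentialName")):
            findings.append(f"{where}: MUTUAL without caCertificates or credentialName")
        has_cert = tls.get("credentialName") or (tls.get("serverCertificate") and tls.get("privateKey"))
        if mode in TERMINATING and not has_cert:
            findings.append(f"{where}: {mode} terminates TLS but no server certificate is configured")
    return findings


def _route_hosts(vs):
    for kind in ("http", "tls", "tcp"):
        for rule in vs["spec"].get(kind, []):
            for r in rule.get("route", []):
                yield r["destination"]["host"]


def lint_passthrough(items):
    """Cross-object checks for PASSTHROUGH servers: VirtualService route type and double encryption."""
    gws = [i for i in items if i["kind"] == "Gateway"]
    vss = [i for i in items if i["kind"] == "VirtualService"]
    drs = {i["spec"]["host"]: i for i in items if i["kind"] == "DestinationRule"}
    findings = []
    for gw in gws:
        pt_hosts = [h for s in gw["spec"].get("servers", [])
                    if _server_mode(s) == "PASSTHROUGH" for h in s.get("hosts", [])]
        for vs in vss:
            if not _bound_to(vs, gw):
                continue
            if not any(_host_matches(p, h) for p in pt_hosts for h in vs["spec"].get("hosts", [])):
                continue
            name = f"VirtualService {vs['metadata']['namespace']}/{vs['metadata']['name']}"
            if vs["spec"].get("http"):  # Istio cannot see HTTP inside passed-through TLS
                findings.append(f"{name}: http routes cannot match PASSTHROUGH traffic; use tls routes with sniHosts")
            for dest in _route_hosts(vs):
                policy = (drs.get(dest) or {}).get("spec", {}).get("trafficPolicy") or {}
                mode = (policy.get("tls") or {}).get("mode")
                if mode in ORIGINATING:
                    findings.append(f"{name} -> {dest}: gateway PASSTHROUGH plus DestinationRule tls mode {mode} gives double encryption")
    return findings


def lint(items):
    findings = []
    for gw in (i for i in items if i["kind"] == "Gateway"):
        findings += lint_gateway(gw)
    return findings + lint_passthrough(items)


if __name__ == "__main__":
    for line in lint(SAMPLE_ITEMS):
        print(line)
```

Run against a real cluster with `kubectl get gateway,virtualservice,destinationrule -A -o json | jq '.items'` piped into `lint(json.load(sys.stdin))`. The double-encryption finding is the one that matters most when Application Gateway already does its own TLS hop: with PASSTHROUGH on the Istio Gateway the backend sees the client's TLS session untouched, so a DestinationRule that also originates TLS wraps one session inside another.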
