istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.9/blog/2019/egress-traffic-control-in-i.../index.html

110 lines
45 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Secure Control of Egress Traffic in Istio, part 1"><meta name=description content="Attacks involving egress traffic and requirements for egress traffic control."><meta name=author content="Vadim Eisenberg (IBM)"><meta name=keywords content="microservices,services,mesh,traffic-management,egress,security"><meta property="og:title" content="Secure Control of Egress Traffic in Istio, part 1"><meta property="og:type" content="website"><meta property="og:description" content="Attacks involving egress traffic and requirements for egress traffic control."><meta property="og:url" content="/v1.9/blog/2019/egress-traffic-control-in-istio-part-1/"><meta property="og:image" content="/v1.9/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.9 / Secure Control of Egress Traffic in Istio, part 1</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.9/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.9/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.9/feed.xml><link rel="shortcut icon" href=/v1.9/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.9/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.9/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.9/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.9/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.9/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.9/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.9/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.9/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.9/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.9/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.9/css/all.css><script src=/v1.9/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.9";const docTitle="Secure Control of Egress Traffic in Istio, part 1";const iconFile="\/v1.9/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.9/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.9/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><polygon points="65 240 225 240 125 270"/><polygon points="65 230 125 220 125 110"/><polygon points="135 220 225 230 135 30"/></svg></span><span class=name>Istioldie 1.9</span></a><div id=hamburger><svg class="icon hamburger"><use xlink:href="/v1.9/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.9/docs/>Docs</a>
<a class=current title="Posts about using Istio." href=/v1.9/blog/2021/>Blog<i class=dot data-prefix=/blog></i></a>
<a title="Timely news about the Istio project." href=/v1.9/news/>News<i class=dot data-prefix=/news></i></a>
<a title="Frequently Asked Questions about Istio." href=/v1.9/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.9/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon gear"><use xlink:href="/v1.9/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2019\/egress-traffic-control-in-istio-part-1\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2019\/egress-traffic-control-in-istio-part-1\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.9/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.9/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon cancel-x"><use xlink:href="/v1.9/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card0 title="Blog posts for 2021." aria-controls=card0-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2021 Posts</button><div class=body aria-labelledby=card0 role=region id=card0-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card0><li role=none><a role=treeitem title="The Product Security working group announces Patch Tuesdays, how 0-days and embargoes are handled, updates to the security best practices page and the notification of the early disclosure list (May 11, 2021)" href=/v1.9/blog/2021/patch-tuesdays/>Updates to how Istio security releases are handled: Patch Tuesday, embargoes, and 0-days</a></li><li role=none><a role=treeitem title="Learn how to use discovery selectors and how they intersect with Sidecar resources (April 30, 2021)" href=/v1.9/blog/2021/discovery-selectors/>Use discovery selectors to configure namespaces for your Istio service mesh</a></li><li role=none><a role=treeitem title="Understanding the upcoming changes to Istio networking, how they may impact your cluster, and what action to take (April 15, 2021)" href=/v1.9/blog/2021/upcoming-networking-changes/>Upcoming networking changes in Istio 1.10</a></li><li role=none><a role=treeitem title="An update on Envoy and Istio's WebAssembly-based extensibility effort (March 5, 2021)" href=/v1.9/blog/2021/wasm-progress/>Istio and Envoy WebAssembly Extensibility, One Year On</a></li><li role=none><a role=treeitem title="A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version (March 3, 2021)" href=/v1.9/blog/2021/migrate-alpha-policy/>Migrate pre-Istio 1.4 Alpha security policy to the current APIs</a></li><li role=none><a role=treeitem title="Understanding the benefits Istio brings, even when no configuration is used (February 25, 2021)" href=/v1.9/blog/2021/zero-config-istio/>Zero Configuration Istio</a></li><li role=none><a role=treeitem title="Learn about sessions, panels, workshops and more on the IstioCon website (February 16, 2021)" href=/v1.9/blog/2021/istiocon-2021-program/>IstioCon 2021: Schedule Is Live!</a></li><li role=none><a role=treeitem title="AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system (February 9, 2021)" href=/v1.9/blog/2021/better-external-authz/>Better External Authorization</a></li></ul></div></div><div class=card><button class="header dynamic" id=card1 title="Blog posts for 2020." aria-controls=card1-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2020 Posts</button><div class=body aria-labelledby=card1 role=region id=card1-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card1><li role=none><a role=treeitem title="Deploy multiple Istio egress gateways independently to have fine-grained control of egress communication from the mesh (December 16, 2020)" href=/v1.9/blog/2020/proxying-legacy-services-using-egress-gateways/>Proxying legacy services using Istio egress gateways</a></li><li role=none><a role=treeitem title="How to enable proxy protocol on AWS NLB and Istio ingress gateway (December 11, 2020)" href=/v1.9/blog/2020/show-source-ip/>Proxy protocol on AWS NLB and Istio ingress gateway</a></li><li role=none><a role=treeitem title="The inaugural conference for Istio will take place at the end of February (December 8, 2020)" href=/v1.9/blog/2020/istiocon-2021/>Join us for the first IstioCon in 2021!</a></li><li role=none><a role=treeitem title="How to ensure your clusters are not impacted by Docker Hub rate limiting (December 7, 2020)" href=/v1.9/blog/2020/docker-rate-limit/>Handling Docker Hub rate limiting</a></li><li role=none><a role=treeitem title="Workload Local DNS resolution to simplify VM integration, multicluster, and more (November 12, 2020)" href=/v1.9/blog/2020/dns-proxy/>Expanding into New Frontiers - Smart DNS Proxying in Istio</a></li><li role=none><a role=treeitem title="Announcing the four newest Istio Steering Committee members (September 29, 2020)" href=/v1.9/blog/2020/steering-election-results/>2020 Steering Committee Election Results</a></li><li role=none><a role=treeitem title="The effect of security policies on latency of requests (September 15, 2020)" href=/v1.9/blog/2020/large-scale-security-policy-performance-tests/>Large Scale Security Policy Performance Tests</a></li><li role=none><a role=treeitem title="A new deployment model for Istio (August 27, 2020)" href=/v1.9/blog/2020/new-deployment-model/>Deploying Istio Control Planes Outside the Mesh</a></li><li role=none><a role=treeitem title="The Istio Steering Committee is now in part proportionally allocated to companies based on contribution, and in part elected by community members (August 24, 2020)" href=/v1.9/blog/2020/steering-changes/>Introducing the new Istio steering committee</a></li><li role=none><a role=treeitem title="An alternative sidecar proxy for Istio (July 28, 2020)" href=/v1.9/blog/2020/mosn-proxy/>Using MOSN with Istio: an alternative data plane</a></li><li role=none><a role=treeitem title="An update on trademarks and project governance (July 8, 2020)" href=/v1.9/blog/2020/open-usage/>Open and neutral: transferring our trademarks to the Open Usage Commons</a></li><li role=none><a role=treeitem title="A new way to manage installation of telemetry addons (June 4, 2020)" href=/v1.9/blog/2020/addon-rework/>Reworking our Addon Integrations</a></li><li role=none><a role=treeitem title="Describing the new functionality of Workload Entries (May 21, 2020)" href=/v1.9/blog/2020/workload-entry/>Introducing Workload Entries</a></li><li role=none><a role=treeitem title="Simplifying Istio upgrades by offering safe canary deployments of the control plane (May 19, 2020)" href=/v1.9/blog/2020/multiple-control-planes/>Safely Upgrade Istio using a Canary Control Plane Deployment</a></li><li role=none><a role=treeitem title="Configure the IBM Cloud Kubernetes Service Application Load Balancer to direct traffic to the Istio Ingress gateway with mutual TLS (May 15, 2020)" href=/v1.9/blog/2020/alb-ingress-gateway-iks/>Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway</a></li><li role=none><a role=treeitem title="Community partner tooling of Wasm for Istio by Solo.io (March 25, 2020)" href=/v1.9/blog/2020/wasmhub-istio/>Extended and Improved WebAssemblyHub to Bring the Power of WebAssembly to Envoy and Istio</a></li><li role=none><a role=treeitem title="A mechanism to acquire and share an application certificate and key through mounted files (March 25, 2020)" href=/v1.9/blog/2020/proxy-cert/>Provision a certificate and key for an application without sidecars</a></li><li role=none><a role=treeitem title="Istiod consolidates the Istio control plane components into a single binary (March 19, 2020)" href=/v1.9/blog/2020/istiod/>Introducing istiod: simplifying the control plane</a></li><li role=none><a role=treeitem title="Configuring Wasm extensions for Envoy and Istio declaratively (March 16, 2020)" href=/v1.9/blog/2020/deploy-wasm-declarative/>Declarative WebAssembly deployment for Istio</a></li><li role=none><a role=treeitem title="The future of Istio extensibility using WASM (March 5, 2020)" href=/v1.9/blog/2020/wasm-announce/>Redefining extensibility in proxies - introducing WebAssembly to Envoy and Istio</a></li><li role=none><a role=treeitem title="A vision statement and roadmap for Istio in 2020 (March 3, 2020)" href=/v1.9/blog/2020/tradewinds-2020/>Istio in 2020 - Following the Trade Winds</a></li><li role=none><a role=treeitem title="A more secure way to manage secrets (February 20, 2020)" href=/v1.9/blog/2020/istio-agent/>Remove cross-pod unix domain sockets</a></li><li role=none><a role=treeitem title="Automating Istio configuration for Istio deployments (clusters) that work as a single mesh (January 5, 2020)" href=/v1.9/blog/2020/multi-cluster-mesh-automation/>Multicluster Istio configuration and service discovery using Admiral</a></li></ul></div></div><div class=card><button class="header dynamic" id=card2 title="Blog posts for 2019." aria-controls=card2-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2019 Posts</button><div class="body default" aria-labelledby=card2 role=region id=card2-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card2><li role=none><a role=treeitem title="Provision and manage DNS certificates in Istio (November 14, 2019)" href=/v1.9/blog/2019/dns-cert/>DNS Certificate Management</a></li><li role=none><a role=treeitem title="Analyze your Istio configuration to detect potential issues and get general insights (November 14, 2019)" href=/v1.9/blog/2019/introducing-istioctl-analyze/>Introducing istioctl analyze</a></li><li role=none><a role=treeitem title="Introduction to Istio's new operator-based installation and control plane management feature (November 14, 2019)" href=/v1.9/blog/2019/introducing-istio-operator/>Introducing the Istio Operator</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy (November 14, 2019)" href=/v1.9/blog/2019/v1beta1-authorization-policy/>Introducing the Istio v1beta1 Authorization Policy</a></li><li role=none><a role=treeitem title="Getting programmatic access to Istio resources (November 14, 2019)" href=/v1.9/blog/2019/announcing-istio-client-go/>Announcing Istio client-go</a></li><li role=none><a role=treeitem title="A more secure way to manage Istio webhooks (November 14, 2019)" href=/v1.9/blog/2019/webhook/>Secure Webhook Management</a></li><li role=none><a role=treeitem title="Configure Istio ingress gateway to act as a proxy for external services (October 15, 2019)" href=/v1.9/blog/2019/proxy/>Istio as a Proxy for External Services</a></li><li role=none><a role=treeitem title="Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation (October 2, 2019)" href=/v1.9/blog/2019/isolated-clusters/>Multi-Mesh Deployments for Isolation and Boundary Protection</a></li><li role=none><a role=treeitem title="How can you use Istio to monitor blocked and passthrough external traffic (September 28, 2019)" href=/v1.9/blog/2019/monitoring-external-service-traffic/>Monitoring Blocked and Passthrough External Service Traffic</a></li><li role=none><a role=treeitem title="Using Istio to secure multi-cloud Kubernetes applications with zero code changes (September 18, 2019)" href=/v1.9/blog/2019/app-identity-and-access-adapter/>App Identity and Access Adapter</a></li><li role=none><a role=treeitem title="Demonstrates a Mixer out-of-process adapter which implements the Knative scale-from-zero logic (September 18, 2019)" href=/v1.9/blog/2019/knative-activator-adapter/>Mixer Adapter for Knative</a></li><li role=none><a role=treeitem title="Taking advantage of Kubernetes trustworthy JWTs to issue certificates for workload instances more securely (September 10, 2019)" href=/v1.9/blog/2019/trustworthy-jwt-sds/>Change in Secret Discovery Service in Istio 1.3</a></li><li role=none><a role=treeitem title="The design principles behind Istio's APIs and how those APIs are evolving (August 5, 2019)" href=/v1.9/blog/2019/evolving-istios-apis/>The Evolution of Istio's APIs</a></li><li role=none><a role=treeitem title="Comparison of alternative solutions to control egress traffic including performance considerations (July 22, 2019)" href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></li><li role=none><a role=treeitem title="Use Istio Egress Traffic Control to prevent attacks involving egress traffic (July 10, 2019)" href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></li><li role=none><a role=treeitem title="Tools and guidance for evaluating Istio's data plane performance (July 9, 2019)" href=/v1.9/blog/2019/performance-best-practices/>Best Practices: Benchmarking Service Mesh Performance</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of Istio self-signed root certificate (June 7, 2019)" href=/v1.9/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></li><li role=none><span role=treeitem class=current title="Attacks involving egress traffic and requirements for egress traffic control (May 22, 2019)">Secure Control of Egress Traffic in Istio, part 1</span></li><li role=none><a role=treeitem title="An overview of Istio 1.1 performance (March 19, 2019)" href=/v1.9/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance</a></li><li role=none><a role=treeitem title="Configuring Istio route rules in a multicluster service mesh (February 7, 2019)" href=/v1.9/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></li><li role=none><a role=treeitem title="Announces the new Istio blog policy (February 5, 2019)" href=/v1.9/blog/2019/sail-the-blog/>Sail the Blog!</a></li><li role=none><a role=treeitem title="De-mystify how Istio manages to plugin its data-plane components into an existing deployment (January 31, 2019)" href=/v1.9/blog/2019/data-plane-setup/>Demystifying Istio's Sidecar Injection Model</a></li><li role=none><a role=treeitem title="Verifies the performance impact of adding an egress gateway (January 31, 2019)" href=/v1.9/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></li><li role=none><a role=treeitem title="Addressing application startup ordering and startup latency using AppSwitch (January 14, 2019)" href=/v1.9/blog/2019/appswitch/>Sidestepping Dependency Ordering with AppSwitch</a></li><li role=none><a role=treeitem title="Describes how to deploy a custom ingress gateway using cert-manager manually (January 10, 2019)" href=/v1.9/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></li><li role=none><a role=treeitem title="Istio has a new discussion board (January 10, 2019)" href=/v1.9/blog/2019/announcing-discuss.istio.io/>Announcing discuss.istio.io</a></li></ul></div></div><div class=card><button class="header dynamic" id=card3 title="Blog posts for 2018." aria-controls=card3-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2018 Posts</button><div class=body aria-labelledby=card3 role=region id=card3-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card3><li role=none><a role=treeitem title="How to use Istio for traffic management without deploying sidecar proxies (November 21, 2018)" href=/v1.9/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (November 16, 2018)" href=/v1.9/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></li><li role=none><a role=treeitem title="Istio hosting an all day Twitch stream to celebrate the 1.0 release (August 3, 2018)" href=/v1.9/blog/2018/istio-twitch-stream/>All Day Istio Twitch Stream</a></li><li role=none><a role=treeitem title="How HP is building its next-generation footwear personalization platform on Istio (July 31, 2018)" href=/v1.9/blog/2018/hp/>Istio a Game Changer for HP's FitStation Platform</a></li><li role=none><a role=treeitem title="Automatic application onboarding and latency optimizations using AppSwitch (July 30, 2018)" href=/v1.9/blog/2018/delayering-istio/>Delayering Istio with AppSwitch</a></li><li role=none><a role=treeitem title="Describe Istio's authorization feature and how to use it in various use cases (July 20, 2018)" href=/v1.9/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></li><li role=none><a role=treeitem title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver (July 9, 2018)" href=/v1.9/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></li><li role=none><a role=treeitem title="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic (June 22, 2018)" href=/v1.9/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1alpha3 routing API (April 25, 2018)" href=/v1.9/blog/2018/v1alpha3-routing/>Introducing the Istio v1alpha3 routing API</a></li><li role=none><a role=treeitem title="Describes how to configure Istio ingress with a network load balancer on AWS (April 20, 2018)" href=/v1.9/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a></li><li role=none><a role=treeitem title="Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment (April 19, 2018)" href=/v1.9/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></li><li role=none><a role=treeitem title="An introduction to safer, lower-risk deployments and release to production (February 8, 2018)" href=/v1.9/blog/2018/traffic-mirroring/>Traffic Mirroring with Istio for Testing in Production</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (February 6, 2018)" href=/v1.9/blog/2018/egress-tcp/>Consuming External TCP Services</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (January 31, 2018)" href=/v1.9/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card4 title="Blog posts for 2017." aria-controls=card4-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2017 Posts</button><div class=body aria-labelledby=card4 role=region id=card4-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card4><li role=none><a role=treeitem title="Improving availability and reducing latency (December 7, 2017)" href=/v1.9/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture (November 3, 2017)" href=/v1.9/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="How Kubernetes Network Policy relates to Istio policy (August 10, 2017)" href=/v1.9/blog/2017/0.1-using-network-policy/>Using Network Policy with Istio</a></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments (June 14, 2017)" href=/v1.9/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Authentication 0.1 announcement (May 25, 2017)" href=/v1.9/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon pull"><use xlink:href="/v1.9/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.9/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.9/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.9/blog/2019/ title="Blog posts for 2019.">2019 Posts</a></li><li>Secure Control of Egress Traffic in Istio, part 1</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Secure Control of Egress Traffic in Istio, part 1</h1><p class=subtitle>Attacks involving egress traffic and requirements for egress traffic control</p><p class=byline><span>By</span>
<span class=attribution>Vadim Eisenberg (IBM)</span><span> | </span><span><svg class="icon calendar"><use xlink:href="/v1.9/img/icons.svg#calendar"/></svg><span>&nbsp;</span>May 22, 2019</span><span> | </span><span title="1631 words"><svg class="icon clock"><use xlink:href="/v1.9/img/icons.svg#clock"/></svg><span>&nbsp;</span>8 minute read</span>
<span>&nbsp;</span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="The attacks"><a href=#the-attacks>The attacks</a><li role=none aria-label="The solution: secure control of egress traffic"><a href=#the-solution-secure-control-of-egress-traffic>The solution: secure control of egress traffic</a><li role=none aria-label="Requirements for egress traffic control"><a href=#requirements-for-egress-traffic-control>Requirements for egress traffic control</a><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>This is part 1 in a new series about secure control of egress traffic in Istio that I am going to publish.
In this installment, I explain why you should apply egress traffic control to your cluster, the attacks
involving egress traffic you want to prevent, and the requirements for a system for egress traffic control
to do so.
Once you agree that you should control the egress traffic coming from your cluster, the following questions arise:
What is required from a system for secure control of egress traffic? Which is the best solution to fulfill
these requirements? (spoiler: Istio in my opinion)
Future installments will describe
<a href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-2/>the implementation of the secure control of egress traffic in Istio</a>
and compare it with other solutions.</p><p>The most important security aspect for a service mesh is probably ingress traffic. You definitely must prevent attackers
from penetrating the cluster through ingress APIs. Having said that, securing
the traffic leaving the mesh is also very important. Once your cluster is compromised, and you must be
prepared for that scenario, you want to reduce the damage as much as possible and prevent the attackers from using the
cluster for further attacks on external services and legacy systems outside of the cluster. To achieve that goal,
you need secure control of egress traffic.</p><p>Compliance requirements are another reason to implement secure control of egress traffic. For example, the <a href=https://www.pcisecuritystandards.org/pci_security/>Payment Card
Industry (PCI) Data Security Standard</a> requires that inbound
and outbound traffic must be restricted to that which is necessary:</p><div><aside class="callout quote"><div class=type><svg class="large-icon"><use xlink:href="/v1.9/img/icons.svg#callout-quote"/></svg></div><div class=content><em>1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.</em></div></aside></div><p>And specifically regarding outbound traffic:</p><div><aside class="callout quote"><div class=type><svg class="large-icon"><use xlink:href="/v1.9/img/icons.svg#callout-quote"/></svg></div><div class=content><em>1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet&mldr; All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content).</em></div></aside></div><p>Let&rsquo;s start with the attacks that involve egress traffic.</p><h2 id=the-attacks>The attacks</h2><p>An IT organization must assume it will be attacked if it hasn&rsquo;t been attacked already, and that
part of its infrastructure could already be compromised or become compromised in the future.
Once attackers are able to penetrate an application in a cluster, they can proceed to attack external services:
legacy systems, external web services and databases. The attackers may want to steal the data of the application and to
transfer it to their external servers. Attackers&rsquo; malware may require access to attackers&rsquo; servers to download
updates. The attackers may use pods in the cluster to perform DDOS attacks or to break into external systems.
Even though you <a href=https://en.wikipedia.org/wiki/There_are_known_knowns>cannot know</a> all the possible types of
attacks, you want to reduce possibilities for any attacks, both for known and unknown ones.</p><p>The external attackers gain access to the applications container from outside the mesh through a
bug in the application but attackers can also be internal, for example, malicious DevOps people inside the
organization.</p><p>To prevent the attacks described above, some form of egress traffic control must be applied. Let me present egress
traffic control in the following section.</p><h2 id=the-solution-secure-control-of-egress-traffic>The solution: secure control of egress traffic</h2><p>Secure control of egress traffic means monitoring the egress traffic and enforcing all the security policies regarding
the egress traffic.
Monitoring the egress traffic, enables you to analyze it, possibly offline, and detect the attacks even if
you were unable to prevent them in real time.
Another good practice to reduce possibilities of attacks is to specify policies that limit access following the
<a href=https://en.wikipedia.org/wiki/Need_to_know#In_computer_technology]>Need to know</a> principle: only the applications that
need external services should be allowed to access the external services they need.</p><p>Let me now turn to the requirements for egress traffic control we collected.</p><h2 id=requirements-for-egress-traffic-control>Requirements for egress traffic control</h2><p>My colleagues at IBM and I collected requirements for secure control of egress traffic from several customers, and
combined them with the
<a href=https://docs.google.com/document/d/1-Cq_Y-yuyNklvdnaZF9Qngl3xe0NnArT7Xt_Wno9beg>egress traffic control requirements from Kubernetes Network Special Interest Group</a>.</p><p>Istio 1.1 satisfies all gathered requirements:</p><ol><li><p>Support for <a href=https://en.wikipedia.org/wiki/Transport_Layer_Security>TLS</a> with
<a href=https://en.wikipedia.org/wiki/Server_Name_Indication>SNI</a> or for <a href=/v1.9/docs/reference/glossary/#tls-origination>TLS origination</a> by Istio.</p></li><li><p><strong>Monitor</strong> SNI and the source workload of every egress access.</p></li><li><p>Define and enforce <strong>policies per cluster</strong>, e.g.:</p><ul><li><p>all applications in the cluster may access <code>service1.foo.com</code> (a specific host)</p></li><li><p>all applications in the cluster may access any host of the form <code>*.bar.com</code> (a wildcarded domain)</p></li></ul><p>All unspecified access must be blocked.</p></li><li><p>Define and enforce <strong>policies per source</strong>, <em>Kubernetes-aware</em>:</p><ul><li><p>application <code>A</code> may access <code>*.foo.com</code>.</p></li><li><p>application <code>B</code> may access <code>*.bar.com</code>.</p></li></ul><p>All other access must be blocked, in particular access of application <code>A</code> to <code>service1.bar.com</code>.</p></li><li><p><strong>Prevent tampering</strong>. In case an application pod is compromised, prevent the compromised pod from escaping
monitoring, from sending fake information to the monitoring system, and from breaking the egress policies.</p></li><li><p>Nice to have: traffic control is <strong>transparent</strong> to the applications.</p></li></ol><p>Let me explain each requirement in more detail. The first requirement states that only TLS traffic to the external
services must be supported.
The requirement emerged upon observation that all the traffic that leaves the cluster must be encrypted.
This means that either the applications perform TLS origination or Istio must perform TLS origination
for them.
Note that in the case an application performs TLS origination, the Istio proxies cannot see the original traffic,
only the encrypted one, so the proxies see the TLS protocol only. For the proxies it does not matter if the original
protocol is HTTP or MongoDB, all the Istio proxies can see is TLS traffic.</p><p>The second requirement states that SNI and the source of the traffic must be monitored. Monitoring is the first step to
prevent attacks. Even if attackers would be able to access external services from the cluster, if the access is
monitored, there is a chance to discover the suspicious traffic and take a corrective action.</p><p>Note that in the case of TLS originated by an application, the Istio sidecar proxies can only see TCP traffic and a
TLS handshake that includes SNI.
A label of the source pod could identify the source of the traffic but a service account of the pod or some
other source identifier could be used. We call this property of an egress control system as <em>being Kubernetes-aware</em>:
the system must understand Kubernetes artifacts like pods and service accounts. If the system is not Kubernetes-aware,
it can only monitor the IP address as the identifier of the source.</p><p>The third requirement states that Istio operators must be able to define policies for egress traffic for the entire
cluster.
The policies state which external services may be accessed by any pod in the cluster. The external services can be
identified either by a <a href=https://en.wikipedia.org/wiki/Fully_qualified_domain_name>Fully qualified domain name</a> of the
service, e.g. <code>www.ibm.com</code> or by a wildcarded domain, e.g. <code>*.ibm.com</code>. Only the specified external services may be
accessed, all other egress traffic is blocked.</p><p>This requirement originates from the need to prevent
attackers from accessing malicious sites, for example for downloading updates/instructions for their malware. You also
want to limit the number of external sites that the attackers can access and attack.
You want to allow access only to the external services that the applications in the cluster need to
access and to block access to all the other services, this way you reduce the
<a href=https://en.wikipedia.org/wiki/Attack_surface>attack surface</a>. While the external services
can have their own security mechanisms, you want to exercise <a href=https://en.wikipedia.org/wiki/Defense_in_depth_(computing)>Defense in depth</a> and to have multiple security layers: a security layer in your cluster in addition to
the security layers in the external systems.</p><p>This requirement means that the external services must be identifiable by domain names. We call this property
of an egress control system as <em>being DNS-aware</em>.
If the system is not DNS-aware, the external services must be specified by IP addresses.
Using IP addresses is not convenient and often is not feasible, since the IP addresses of a service can change. Sometimes
all the IP addresses of a service are not even known, for example in the case of
<a href=https://en.wikipedia.org/wiki/Content_delivery_network>CDNs</a>.</p><p>The fourth requirement states that the source of the egress traffic must be added to the policies effectively extending
the third requirement.
Policies can specify which source can access which external service and the source must be identified just as in the
second requirement, for example, by a label of the source pod or by service account of the pod.
It means that policy enforcement must also be <em>Kubernetes-aware</em>.
If policy enforcement is not Kubernetes-aware, the policies must identify the source of traffic by
the IP of the pod, which is not convenient, especially since the pods can come and go so their IPs are not static.</p><p>The fifth requirement states that even if the cluster is compromised and the attackers control some of the pods, they
must not be able to cheat the monitoring or to violate policies of the egress control system. We say that such a
system provides <em>secure</em> control of egress traffic.</p><p>The sixth requirement states that the traffic control should be provided without changing the application containers, in
particular without changing the code of the applications and without changing the environment of the containers.
We call such a control of egress traffic <em>transparent</em>.</p><p>In the next posts I will show that Istio can function as an example of an egress traffic control system that satisfies
all of these requirements, in particular it is transparent, DNS-aware, and Kubernetes-aware.</p><h2 id=summary>Summary</h2><p>I hope that you are convinced that controlling egress traffic is important for the security of your cluster. In <a href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-2/>the
part 2 of this series</a> I describe the Istio way to perform secure
control of egress traffic. In
<a href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-3/>the
part 3 of this series</a> I compare it with alternative solutions such as
<a href=https://kubernetes.io/docs/concepts/services-networking/network-policies/>Kubernetes Network Policies</a> and legacy
egress proxies/firewalls.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></p><p class=desc>Comparison of alternative solutions to control egress traffic including performance considerations.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></p><p class=desc>Use Istio Egress Traffic Control to prevent attacks involving egress traffic.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2019/isolated-clusters/>Multi-Mesh Deployments for Isolation and Boundary Protection</a></p><p class=desc>Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></p><p class=desc>Verifies the performance impact of adding an egress gateway.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></p><p class=desc>Describes a simple scenario based on Istio's Bookinfo example.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></p><p class=desc>Describes how to configure Istio for monitoring and access policies of HTTP egress traffic.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Learn how to extend the lifetime of Istio self-signed root certificate." href=/v1.9/blog/2019/root-transition/><svg class="icon left-arrow"><use xlink:href="/v1.9/img/icons.svg#left-arrow"/></svg>Extending Istio Self-Signed Root Certificate Lifetime</a></div><div class=right><a title="An overview of Istio 1.1 performance." href=/v1.9/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance<svg class="icon right-arrow"><use xlink:href="/v1.9/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>
<button class="btn feedback" onclick="sendFeedback('en',0)">No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder="Help us improve..." data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="The attacks"><a href=#the-attacks>The attacks</a><li role=none aria-label="The solution: secure control of egress traffic"><a href=#the-solution-secure-control-of-egress-traffic>The solution: secure control of egress traffic</a><li role=none aria-label="Requirements for egress traffic control"><a href=#requirements-for-egress-traffic-control>Requirements for egress traffic control</a><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.9.5 now" href=/v1.9/docs/setup/getting-started/#download aria-label="Download Istio"><span>download</span><svg class="icon download"><use xlink:href="/v1.9/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon discourse"><use xlink:href="/v1.9/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon stackoverflow"><use xlink:href="/v1.9/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><span>slack</span><svg class="icon slack"><use xlink:href="/v1.9/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon twitter"><use xlink:href="/v1.9/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.9.5<br>&copy; 2020 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on May 18, 2021</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon github"><use xlink:href="/v1.9/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon drive"><use xlink:href="/v1.9/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon working-groups"><use xlink:href="/v1.9/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon top"><use xlink:href="/v1.9/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink