
Scenario:

  • Within 1 Azure Kubernetes Service (AKS), there are 2 .NET services running: Service1 and Service2
  • Both Service1 and Service2 listen on HTTP:80 and HTTPS:443
  • Both services run Istio and Istio proxy

To ensure traffic encryption between services in the same cluster with mutual TLS:

Does Service1 need to call Service2's HTTPS:443 endpoint?

Or

Is calling Service2 on HTTP:80 enough, and Istio handles the rest?

Lydon Ch
  • Everything is encrypted, independently of the port. Assuming you have not enabled port-level mTLS. – suren Apr 02 '21 at 20:12

1 Answer

When using Istio (unless you have very strict security requirements, which is unlikely), the applications should usually not initiate HTTPS connections.

Let Istio do automatic mTLS. Actually, you lose Istio features when applications initiate HTTPS.

In that case traffic is encrypted outside Istio and you lose features like telemetry since the proxies can't read the traffic.

It is also possible to have Istio initiate HTTPS connections for external calls (outside the mesh). This is known as TLS origination. However, this requires a bit of configuration, and client libraries which themselves start HTTPS connections don't work with that.

user140547
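As an added illustration (not part of the question or the answer above), this is the Istio configuration that matches the advice: a namespace-wide PeerAuthentication in STRICT mode so that Service1 keeps calling plain `http://service2:80` while the sidecars enforce mTLS on the wire, plus a ServiceEntry/DestinationRule pair for the TLS origination the answer mentions. The namespace `apps` and the external host `api.example.com` are assumed.

```yaml
# Added example, not from the question or answer. Assumes namespace "apps"
# and a hypothetical external host api.example.com.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: apps
spec:
  mtls:
    # STRICT: sidecars accept only mTLS from peers. Service1 -> Service2 on
    # HTTP:80 is still encrypted, because the proxies upgrade it transparently;
    # a plaintext client outside the mesh is rejected.
    mode: STRICT
---
# TLS origination for an external call (answer's last paragraph): Service1
# sends plain HTTP to api.example.com:80 and its sidecar opens the HTTPS
# connection on 443, so telemetry and policy still see the request.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
  namespace: apps
spec:
  hosts:
  - api.example.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
    targetPort: 443      # plaintext port 80 in the mesh maps to TLS port 443 outside
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-api-tls
  namespace: apps
spec:
  host: api.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE     # sidecar originates TLS; the app never opens HTTPS itself
```

With the STRICT policy in place, a quick check is `istioctl x describe pod <service2-pod> -n apps`, which reports the effective mTLS mode for each port.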