3 Ways to Connect BIG-IP to Istio

Istio, a service mesh, uses “zero trust” to authenticate services. We’ll look at 3 ways to connect BIG-IP to Istio.

1. TCP

The first method that we will use will be TCP. This will allow the BIG-IP to passthrough client traffic to Istio’s Ingress Gateway. 

2. Mutual TLS (mTLS)

The second method is to use the Client Certificate Constrained Delegation (C3D) feature of BIG-IP to authenticate client connections via mTLS and then generate a new client certificate (with similar attributes to the original) and use that newly minted certificate to authenticate to Istio.

This second example is useful for scenarios where you are unable to install a trusted (externally CA signed) certificate into Istio (corporate policy prohibits it) and/or you want to establish a TLS DMZ. Despite the connection using mTLS the BIG-IP can inspect the traffic (i.e. log to Splunk), apply policy (i.e. insert XFF headers, WAF protection), etc…

3. JSON Web Tokens (JWT)

Istio can use JWT tokens to authenticate users, but not all enterprise systems speak JWT. Using BIG-IP Access Policy Manager (APM) we can create an access policy that performs Single-Sign On (SSO) with an OAuth bearer token (JWT). This enables us to authenticate a client with username / password and convert the identity into a JWT token that is understood by Istio.

Video Please

These 3 methods are discussed and demo’d in the following YouTube video. Thanks for reading/watching!

Published Sep 10, 2019
Version 1.0

Was this article helpful?


  • An important note is to ensure that the BIG-IP is forwarding the SNI header when using TLS. The following iRule is an example of how to do this. https://devcentral.f5.com/s/articles/serverside-sni-injection-irule-968