Technical Articles
F5 SMEs share good practice.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner
F5 Employee
F5 Employee

Istio, a service mesh, uses “zero trust” to authenticate services. We’ll look at 3 ways to connect BIG-IP to Istio.

1. TCP

The first method that we will use will be TCP. This will allow the BIG-IP to passthrough client traffic to Istio’s Ingress Gateway. 


2. Mutual TLS (mTLS)

The second method is to use the Client Certificate Constrained Delegation (C3D) feature of BIG-IP to authenticate client connections via mTLS and then generate a new client certificate (with similar attributes to the original) and use that newly minted certificate to authenticate to Istio.

This second example is useful for scenarios where you are unable to install a trusted (externally CA signed) certificate into Istio (corporate policy prohibits it) and/or you want to establish a TLS DMZ. Despite the connection using mTLS the BIG-IP can inspect the traffic (i.e. log to Splunk), apply policy (i.e. insert XFF headers, WAF protection), etc…


3. JSON Web Tokens (JWT)

Istio can use JWT tokens to authenticate users, but not all enterprise systems speak JWT. Using BIG-IP Access Policy Manager (APM) we can create an access policy that performs Single-Sign On (SSO) with an OAuth bearer token (JWT). This enables us to authenticate a client with username / password and convert the identity into a JWT token that is understood by Istio.


Video Please

These 3 methods are discussed and demo’d in the following YouTube video. Thanks for reading/watching!



thanks for this topic 😃

F5 Employee
F5 Employee

An important note is to ensure that the BIG-IP is forwarding the SNI header when using TLS. The following iRule is an example of how to do this.

Version history
Last update:
‎10-Sep-2019 09:19
Updated by: