Istio, a service mesh, uses “zero trust” to authenticate services. We’ll look at 3 ways to connect BIG-IP to Istio.

1. TCP

The first method that we will use will be TCP. This will allow the BIG-IP to passthrough client traffic to Istio’s Ingress Gateway. 

2. Mutual TLS (mTLS)

The second method is to use the Client Certificate Constrained Delegation (C3D) feature of BIG-IP to authenticate client connections via mTLS and then generate a new client certificate (with similar attributes to the original) and use that newly minted certificate to authenticate to Istio.

This second example is useful for scenarios where you are unable to install a trusted (externally CA signed) certificate into Istio (corporate policy prohibits it) and/or you want to establish a TLS DMZ. Despite the connection using mTLS the BIG-IP can inspect the traffic (i.e. log to Splunk), apply policy (i.e. insert XFF headers, WAF protection), etc…

3. JSON Web Tokens (JWT)

Istio can use JWT tokens to authenticate users, but not all enterprise systems speak JWT. Using BIG-IP Access Policy Manager (APM) we can create an access policy that performs Single-Sign On (SSO) with an OAuth bearer token (JWT). This enables us to authenticate a client with username / password and convert the identity into a JWT token that is understood by Istio.

Video Please

These 3 methods are discussed and demo’d in the following YouTube video. Thanks for reading/watching!