Securing Istio Service Mesh with Aporeto Made Easy

By: Abhijit Herekar & Marcus Heese 10.31.2019
Securing Istio Service Mesh with Aporeto Made Easy

If you’re using cloud-native technologies like containers, microservices, or using Kubernetes to manage containers, then you probably want to run a service mesh to help you. You need containers to talk to one another, and you want the ability to carry out circuit-breaking, canary deployments, load-balancing, and advanced routing. You always want strong powers of telemetry and visibility in the application network.

Istio injects policies, provisions TLS certificates, and performs the other key tasks of a control plane. It makes sense that Istio is the go-to service mesh for Kubernetes users.

When it comes to operationalizing a service mesh technology such as Istio in any enterprise, developers are not the only operators. Information Security teams and DevSecOps teams need to ensure proper guardrails are in place for the service mesh cluster, all while ensuring developers have the freedom to move fast. These guardrails need to go beyond a single service mesh cluster and should cover dependencies with brownfield environments. 

Working with a number of large enterprises, we have observed a clear need for a policy management system that enables security organizations to gain visibility for compliance, and enforce these guardrail policies in a service mesh as well as outside the mesh to legacy infrastructure.

This is where Aporeto comes in. Aporeto offers a plugin that slots into Istio and provides a watertight security model. 

The Seven Steps to an Aporeto-supported Secure Istio Environment

1. The Aporeto plugin makes Kubernetes secretless at a foundational level. Through x509 certificates and OAuth tokens, we provide consistent identities to all of your workloads. This enables identity federation between your workloads and any third party. For example, we provide an AWS Service Role per container; OIDC compatible identities per container (that can be used with any 3rd party OIDC compliant APP); and SPIFFE certificates for service-to-service configuration. We tightly integrate with OIDC, SAML, and Kerberos.

2. In Istio, we make it easy to turn on and manage keys and certificates through public key infrastructure (PKI), and we reduce the complexity of the Istio involvement and the installation of that procedure. For example, no Istio node agents are required.

3. We act as an HTTP envoy filter, and bring all of our Aporeto network policies and HTTP policies with us. In other cases, network security in Kubernetes clusters through network policy is implemented as L3 security. The Aporeto solution extends network security to layers L4-L7 providing real visibility to security operations on what is happening in the cluster.

4. With Aporeto, monitoring of connections and policies in Istio is considerably smoother and more intuitive than what Istio offers out of the box.

5. By making use of the Aporeto Zero Trust Cloud Security platform, you can bring your legacy services into Istio without any change: any non-Istio service can become a consumer of the service mesh with no code-change or operational configuration change of the service.

6. By making use of Aporeto, you can reach out to legacy services from within Istio: Every Istio service can reach out to a legacy service which is protected by Aporeto.

7. With all of this established, you can keep using all of the other benefits of the Istio service mesh without interruption.


Istio is complex. Applying a security model to Istio can be challenging. But with the Aporeto plugin, you can enhance your Istio setup with an identity-based, Zero Trust security model, making securing your Istio service mesh easy. 

Register today to test drive Aporeto’s solution for Kubernetes with a FREE Trial. For more information on how Aporeto can help with your Kubernetes security, read our whitepaper Defining Security for a Kubernetes Deployment.


Recent Posts Palo Alto Networks Acquires Aporeto Palo Alto Networks Announces Intent to Acquire Aporeto Aporeto – Flexible and Secure by Default