{"id":760,"date":"2023-03-24T09:56:33","date_gmt":"2023-03-24T09:56:33","guid":{"rendered":"https:\/\/imesh.ai\/blog\/?p=760"},"modified":"2023-09-05T05:44:35","modified_gmt":"2023-09-05T05:44:35","slug":"how-to-implement-istio-ambient-mesh-in-gke-or-aks","status":"publish","type":"post","link":"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/","title":{"rendered":"How to Implement Istio Ambient Mesh in GKE or AKS"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Why do you need Istio Ambient mesh ?<\/h2>\n\n\n\n<p>It is given that Istio is a bit resource intensive due to sidecar proxy. Although there are a lot of compelling security features that can be used, the whole Istio (the side-car) has to be deployed from day-1. Recently, the Istio community has reimagined a new data plane &#8211; ambient mode &#8211; which will be far less resource intensive. Istio ambient mesh is a modified and sidecar less data plane developed for enterprises that want to deploy mTLS and other security features first, and seek to deploy an advanced network later. Read more on what is<a href=\"https:\/\/imesh.ai\/blog\/what-is-istio-ambient-mesh\/\"> Istio Ambient mesh<\/a>.<\/p>\n\n\n\n<p>Ambient mesh has two layers:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>L4 secure overlay layer or ztunnel: for <a href=\"https:\/\/imesh.ai\/blog\/what-is-mtls-and-how-to-implement-it-with-istio\/\" target=\"_blank\" rel=\"noreferrer noopener\">implementing mTLS<\/a> for communication between (services) nodes. 
Note, ztunnel is a Rust-based proxy.<\/li>\n\n\n\n<li>L7 processing layer or waypoint proxy: for accessing advanced L7 processing for security and networking, which unlocks the full range of Istio capabilities<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"800\" height=\"333\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Ambient-Mesh-architechture.jpg\" alt=\"Ambient Mesh architecture\" class=\"wp-image-781\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Ambient-Mesh-architechture.jpg 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Ambient-Mesh-architechture-300x125.jpg 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Ambient-Mesh-architechture-768x320.jpg 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Ambient-Mesh-architechture-400x167.jpg 400w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>In this blog, we will explain how to implement Istio ambient mesh (with L4 and L7 authorization policies) in Google Kubernetes Engine and\/or Azure AKS.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Prerequisite<\/h2>\n\n\n\n<p>Please ensure you have the following software or infrastructure in your machine (I\u2019ve used the following):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kubernetes 1.23 or later. Version used for implementation: 1.25.6<\/li>\n\n\n\n<li>Istio 1.18.0-alpha.0 (Link: <a href=\"https:\/\/github.com\/istio\/istio\/releases\/\">https:\/\/github.com\/istio\/istio\/releases\/<\/a>)<\/li>\n<\/ul>\n\n\n\n<p><strong>Note:<\/strong> The current version of Istio Ambient mesh (1.18.0v) is in alpha; a few features might not work, and it may not be 100% stable for production. 
At the time of writing, the current version of Ambient mesh does not work with Calico CNI, so configure your Google Kubernetes and Azure Kubernetes clusters accordingly (refer to the images below).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"805\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/GKE-configuration-for-Istio-ambient-mesh-1024x805.png\" alt=\"GKE configuration for Istio ambient mesh\" class=\"wp-image-763\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/GKE-configuration-for-Istio-ambient-mesh-1024x805.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/GKE-configuration-for-Istio-ambient-mesh-300x236.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/GKE-configuration-for-Istio-ambient-mesh-768x604.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/GKE-configuration-for-Istio-ambient-mesh-1536x1207.png 1536w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/GKE-configuration-for-Istio-ambient-mesh-2048x1610.png 2048w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/GKE-configuration-for-Istio-ambient-mesh-400x314.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/GKE-configuration-for-Istio-ambient-mesh-800x629.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/GKE-configuration-for-Istio-ambient-mesh-1160x912.png 1160w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/AKE-configuration-for-Istio-ambient-mesh-749x1024.png\" alt=\"AKS configuration for Istio ambient mesh\" class=\"wp-image-764\" width=\"749\" height=\"1024\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Webinar on the steps for implementing Istio Ambient Mesh<\/h2>\n\n\n\n<p>If you want to skip the steps and watch the video for 
implementing Istio Ambient mesh in Google Cloud, here you go:<\/p>\n\n\n\n<iframe width=\"560\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/KTFf0OkNiMg\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe>\n\n\n\n<h2 class=\"wp-block-heading\">Steps to implement Istio ambient mesh<\/h2>\n\n\n\n<p>We will achieve the implementation of Istio ambient mesh with five major steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#install-ambient-mesh\">Installation of Istio ambient mesh<\/a><\/li>\n\n\n\n<li><a href=\"#config-kubernetes\">Creating and configuring services in Kubernetes cluster<\/a><\/li>\n\n\n\n<li><a href=\"#ztunnel-mtls\">Implement Istio ambient mode and verify ztunnel and HBONE<\/a><\/li>\n\n\n\n<li><a href=\"#l4-authorization\">Enabling L4 authorization for services using ambient mesh<\/a><\/li>\n\n\n\n<li><a href=\"#l7-authorization\">Enabling L7 authorization for services using ambient mesh<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading install-ambient-mesh\" id=\"install-ambient-mesh\">Steps for installing Istio ambient mesh&nbsp;<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Step-1: Download and extract Istio ambient mesh from the Git repo<\/h4>\n\n\n\n<p>You can go to Git repo <a href=\"https:\/\/github.com\/istio\/istio\/releases\/tag\/1.18.0-alpha.0\">https:\/\/github.com\/istio\/istio\/releases\/tag\/1.18.0-alpha.0<\/a> and download and extract the Istio ambient mesh set up in your local system. ( I&#8217;ve used the Windows version). 
Add the &lt;extracted path of Istio installation package&gt;\/bin path to the PATH environment variable.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step-2: Install Istio ambient mesh<\/h4>\n\n\n\n<p>Use the following command to install Istio ambient mesh to your cluster.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>istioctl install --set profile=ambient<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Istio will install the following components: Istio core, Istiod, Istio CNI, Ingress gateways, and Ztunnel.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step-3: Check if ztunnel and Istio CNI are installed at node level<\/h4>\n\n\n\n<p>After installation, a new namespace named <strong>istio-system<\/strong> is created. You can check its pods by running the command below.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>kubectl get pods -n istio-system -o wide<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Since I have created two nodes, there are two ztunnel pods (daemonset) running here.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"70\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Check-ztunnel-pods-per-nodes-1024x70.png\" alt=\"Check-ztunnel-pods-per-nodes\" class=\"wp-image-767\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Check-ztunnel-pods-per-nodes-1024x70.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Check-ztunnel-pods-per-nodes-300x21.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Check-ztunnel-pods-per-nodes-768x53.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Check-ztunnel-pods-per-nodes-400x28.png 400w, 
https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Check-ztunnel-pods-per-nodes-800x55.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Check-ztunnel-pods-per-nodes-1160x80.png 1160w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Check-ztunnel-pods-per-nodes.png 1294w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Similarly, you can use the following command to verify that Istio CNI is installed at the node level.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>kubectl get pods -n kube-system<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/UKp6RrZcbnciPUyYgExf_wAYCiBXcwfUxTfPVyA8gALvUt9XUI_3dNB5XcqJiHNcM3Dttq-hbAwsV2bPuKp7RwXgJQvptNlaitE5KA5w7iCIRbbXUubP97k4LXHVWkjOfKa5l46kGCGrV4LPqngljSE\" alt=\"\"\/><\/figure>\n\n\n\n<p>Note: istio-cni is deployed in istio-system namespace in case of AKS.<\/p>\n\n\n\n<h3 class=\"wp-block-heading config-kubernetes\" id=\"config-kubernetes\">Steps to create and configure services in Kubernetes cluster<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Step-1: Create a namespace named ambient for the deployments<\/h4>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl create namespace ambient<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Step-2: Create two services in separate nodes.<\/h4>\n\n\n\n<p>I have used the following yaml for creating deployment.yaml, service.yaml and service-account.yaml. 
You can refer to the files in the GitHub repo: <a href=\"https:\/\/github.com\/IMESHinc\/webinar\">https:\/\/github.com\/IMESHinc\/webinar<\/a>.<\/p>\n\n\n\n<p>Code for demo-deployment-1.yaml.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-white-color has-black-background-color has-text-color has-background\"><tbody><tr><td>apiVersion: apps\/v1<br>kind: Deployment<br>metadata:<br>&nbsp; name: echoserver-depl-1<br>&nbsp; namespace: ambient<br>&nbsp; labels:<br>&nbsp; &nbsp; app: echoserver-depl-1<br>spec:<br>&nbsp; replicas: 2<br>&nbsp; selector:<br>&nbsp; &nbsp; matchLabels:<br>&nbsp; &nbsp; &nbsp; app: echoserver-app-1<br>&nbsp; template:<br>&nbsp; &nbsp; metadata:<br>&nbsp; &nbsp; &nbsp; labels:<br>&nbsp; &nbsp; &nbsp; &nbsp; app: echoserver-app-1<br>&nbsp; &nbsp; spec:<br>&nbsp; &nbsp; &nbsp; serviceAccountName: echo-service-account-1<br>&nbsp; &nbsp; &nbsp; containers:<br>&nbsp; &nbsp; &nbsp; - name: echoserver-app-1<br>&nbsp; &nbsp; &nbsp; &nbsp; image: imeshai\/echoserver<br>&nbsp; &nbsp; &nbsp; &nbsp; ports:<br>&nbsp; &nbsp; &nbsp; &nbsp; - containerPort: 80<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Code for demo-service-1.yaml<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-white-color has-black-background-color has-text-color has-background\"><tbody><tr><td>apiVersion: v1<br>kind: Service<br>metadata:<br>&nbsp; name: echoserver-service-1<br>&nbsp; namespace: ambient<br>spec:<br>&nbsp; selector:<br>&nbsp; &nbsp; app: echoserver-app-1<br>&nbsp; ports:<br>&nbsp; - port: 80<br>&nbsp; &nbsp; targetPort: 80<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Code for demo-service-account-1.yaml<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-white-color has-black-background-color has-text-color has-background\"><tbody><tr><td>apiVersion: v1<br>kind: ServiceAccount<br>metadata:<br>&nbsp; name: echo-service-account-1<br>&nbsp; namespace: ambient<br>&nbsp; labels:<br>&nbsp; &nbsp; account: 
echo-one<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Similarly you can create deployments, service and service-account files for creating the 2nd service.&nbsp;<\/p>\n\n\n\n<p>Deploy two services in the Kubernetes cluster by using the command:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-white-color has-black-background-color has-text-color has-background\"><tbody><tr><td>kubectl apply -f demo-service-account-1.yaml<br>kubectl apply -f demo-deployment-1.yaml<br>kubectl apply -f demo-service-1.yaml<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>You can verify if your pods and svc are running by executing the following commands<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl get pods -n &lt;&lt;namespace&gt;&gt;\n\nkubectl get svc -n &lt;&lt;namespace&gt;&gt;<\/code><\/pre>\n\n\n\n<p><strong>Note: <\/strong>Since I have selected two replicas for each service, Kubernetes automatically created the pods in each node to balance the loads. 
However, you can explicitly mention in the deployment yaml to create pods in two different nodes as well.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"100\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/pods-running-on-different-nodes-1024x100.png\" alt=\"Pods running on different nodes\" class=\"wp-image-768\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/pods-running-on-different-nodes-1024x100.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/pods-running-on-different-nodes-300x29.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/pods-running-on-different-nodes-768x75.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/pods-running-on-different-nodes-400x39.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/pods-running-on-different-nodes-800x78.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/pods-running-on-different-nodes-1160x114.png 1160w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/pods-running-on-different-nodes.png 1448w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step-3: Create Istio gateway and virtual services to allow external traffic to the newly created services<\/h4>\n\n\n\n<p>Once the two services are created, we can create an ingress gateway to allow internet traffic to the newly created services. 
(The names of my services are <strong>echoserver-service-1<\/strong> and <strong>echoserver-service-2<\/strong> respectively).<\/p>\n\n\n\n<p>I have created a demo-gateway.yaml file (code below) to link to Istio ingress gateway.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-white-color has-black-background-color has-text-color has-background\"><tbody><tr><td>apiVersion: networking.istio.io\/v1alpha3<br>kind: Gateway<br>metadata:<br>&nbsp; name: echoserver-gateway<br>&nbsp; namespace: ambient<br>spec:<br>&nbsp; selector:<br>&nbsp; &nbsp; istio: ingressgateway<br>&nbsp; servers:<br>&nbsp; - port:<br>&nbsp; &nbsp; &nbsp; number: 80<br>&nbsp; &nbsp; &nbsp; name: http<br>&nbsp; &nbsp; &nbsp; protocol: HTTP<br>&nbsp; &nbsp; hosts:<br>&nbsp; &nbsp; - &quot;*&quot;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Code for the Istio VirtualService yaml file, which routes traffic to service1 and service2 when the URL matches \u2018\/echo1\u2019 and \u2018\/echo2\u2019 respectively.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-white-color has-black-background-color has-text-color has-background\"><tbody><tr><td>apiVersion: networking.istio.io\/v1alpha3<br>kind: VirtualService<br>metadata:<br>&nbsp; name: echoserver-virtual-service<br>&nbsp; namespace: ambient<br>spec:<br>&nbsp; hosts:<br>&nbsp; - &quot;*&quot;<br>&nbsp; gateways:<br>&nbsp; - echoserver-gateway<br>&nbsp; http:<br>&nbsp; - match:<br>&nbsp; &nbsp; - uri:<br>&nbsp; &nbsp; &nbsp; &nbsp; exact: \/echo1<br>&nbsp; &nbsp; route:<br>&nbsp; &nbsp; - destination:<br>&nbsp; &nbsp; &nbsp; &nbsp; host: echoserver-service-1<br>&nbsp; &nbsp; &nbsp; &nbsp; port:<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; number: 80<br>&nbsp; - match:<br>&nbsp; &nbsp; - uri:<br>&nbsp; &nbsp; &nbsp; &nbsp; exact: \/echo2<br>&nbsp; &nbsp; route:<br>&nbsp; &nbsp; - destination:<br>&nbsp; &nbsp; &nbsp; &nbsp; host: 
echoserver-service-2<br>&nbsp; &nbsp; &nbsp; &nbsp; port:<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; number: 80<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Apply the yaml files in the Kubernetes cluster to create Istio ingress gateway and virtual service objects.<\/p>\n\n\n\n<p>You can check the status of Istio Ingress gateway resource in the Istio-system namespace by running the command.<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl get service -n istio-system<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/nJ2UkJqRUh1kff5t9ZjY70tM_10RVLo3J0Y2fn5QbxeP_j2qRqyG2PlBa0Xy69nfsjJn4Elk13fGFuevyJRzZLogBLCqIs5R7zRYpXbX3FX14ghGVTQMnv-3_j2ca_QOiiZhi8XKXfdO_NNE4LEWtyY\" alt=\"\"\/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step-4: Access the services from the browser<\/h4>\n\n\n\n<p>You can use the external IP address of the Istio gateway to access the services.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"911\" height=\"1024\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/check-services-911x1024.png\" alt=\"check services\" class=\"wp-image-769\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/check-services-911x1024.png 911w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/check-services-267x300.png 267w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/check-services-768x863.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/check-services-1367x1536.png 1367w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/check-services-1822x2048.png 1822w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/check-services-400x450.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/check-services-800x899.png 800w, 
https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/check-services-1160x1304.png 1160w\" sizes=\"(max-width: 911px) 100vw, 911px\" \/><\/figure>\n\n\n\n<p>By default, communication does not go through the ztunnel of Istio ambient mesh, so we have to activate it by applying a few commands.<\/p>\n\n\n\n<h3 class=\"wp-block-heading ztunnel-mtls\" id=\"ztunnel-mtls\">Steps to verify communication through ztunnel (mTLS) in ambient mesh<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Step-0 (Optional): Log the ztunnel and Istio CNI<\/h4>\n\n\n\n<p>This optional step lets you observe the logs of ztunnel and Istio CNI while service communication transitions to Istio ambient mode. Use these commands:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>kubectl logs -f &lt;&lt;istio-cni-pod-name&gt;&gt; -n kube-system<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>kubectl logs -f &lt;&lt;ztunnel-pod-name&gt;&gt; -n istio-system<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step-1: Apply ambient mesh to the namespace<\/h4>\n\n\n\n<p>You need to apply Istio Ambient mesh to the namespace by using the following command:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>kubectl label namespace ambient istio.io\/dataplane-mode=ambient<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Both services are now part of the Istio ambient service mesh. 
You can verify this by accessing them from the browser again.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step-2: Verify the communication through ztunnel of external traffic<\/h4>\n\n\n\n<p>If you open the browser and try to access the services (echoserver-service-1 and 2 for me), you will see the communication is already happening through the ztunnel.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/qbnvlW1dET4SU6i_NQc4frOv1E8L1lQIdYd2Kw5iD4bvp5FnCslsuWw2NRh4g6rk9waZ8lM4C0ZDyuhsreSjWxtAsZiZUz_yCxYKAvqAE3bhdi9yRMKpCNBvdMey-ouF5QV8fO-kR7DSyX5ikiT5Huk\" alt=\"\"\/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step-3: Verify the HBONE of service-to-service communication<\/h4>\n\n\n\n<p>You can also verify that your service-to-service communication is secured by letting one pod communicate with another (and then checking the logs of the ztunnel pods).<\/p>\n\n\n\n<p>Log into one of the pods of a service (say echoserver-service-1) and use bash to send requests to another service (say echoserver-service-2).<\/p>\n\n\n\n<p>You can use the following command to go to bash of one pod:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>kubectl exec -it &lt;&lt;pod name of service-1&gt;&gt; -n &lt;&lt;namespace&gt;&gt; -- bash<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Use curl to send a request to the other service:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>curl &lt;&lt;service-2&gt;&gt;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>You will see in the logs of one of the ztunnel pods that the communication is already happening over the HBONE (a secure overlay tunnel for communication between two pods in different nodes).<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"52\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/curl-command-and-checking-HBONE-1024x52.png\" alt=\"curl command and checking HBONE\" class=\"wp-image-770\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/curl-command-and-checking-HBONE-1024x52.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/curl-command-and-checking-HBONE-300x15.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/curl-command-and-checking-HBONE-768x39.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/curl-command-and-checking-HBONE-400x20.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/curl-command-and-checking-HBONE-800x41.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/curl-command-and-checking-HBONE-1160x59.png 1160w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/curl-command-and-checking-HBONE.png 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step-4: Verification of mTLS-based communication in service-to-service communication&nbsp;<\/h4>\n\n\n\n<p>Connect to ssh of one of the nodes to dump TCP packets and analyze the traffic request; we will understand if the communication between two nodes is going through the secure channel or not.&nbsp;<\/p>\n\n\n\n<p>Execute the following command in the node-ssh: (15008 port is used for HBONE communication in Istio ambient mesh). 
We will write the captured packets into node1.pcap.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>sudo tcpdump -nAi ens4 port 9080 or port 15008 -w node1.pcap<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>You can curl a service from one pod, then download the node1.pcap file from the node and open it in a network analyzer; it will show something like the following:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"530\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/nod1_pcap_network-analyser-1024x530.png\" alt=\"nod1 pcap network analyzer\" class=\"wp-image-771\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/nod1_pcap_network-analyser-1024x530.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/nod1_pcap_network-analyser-300x155.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/nod1_pcap_network-analyser-768x397.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/nod1_pcap_network-analyser-400x207.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/nod1_pcap_network-analyser-800x414.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/nod1_pcap_network-analyser-1160x600.png 1160w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/nod1_pcap_network-analyser.png 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>You will observe that all the application data exchanged between the two nodes is encrypted with mTLS.<\/p>\n\n\n\n<h3 class=\"wp-block-heading l4-authorization\" id=\"l4-authorization\">Steps to create L4 authorization policies in Istio ambient mesh<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Step-1: Create an authorization policy yaml in Istio<\/h4>\n\n\n\n<p>Create a <strong>demo-authorization-L4.yaml<\/strong> file with a policy that allows only public traffic to reach the service-1 containers, and no traffic from any other service. The rule allows traffic from the Istio ingress controller; because the action is ALLOW, any request to the selected workload that matches no rule is denied.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-white-color has-black-background-color has-text-color has-background\"><tbody><tr><td>apiVersion: security.istio.io\/v1beta1<br>kind: AuthorizationPolicy<br>metadata:<br>&nbsp; name: echoserver-policy<br>&nbsp; namespace: ambient<br>spec:<br>&nbsp; selector:<br>&nbsp; &nbsp; matchLabels:<br>&nbsp; &nbsp; &nbsp; app: echoserver-app-1<br>&nbsp; action: ALLOW<br>&nbsp; rules:<br>&nbsp; - from:<br>&nbsp; &nbsp; - source:<br>&nbsp; &nbsp; &nbsp; &nbsp; principals: [&quot;cluster.local\/ns\/istio-system\/sa\/istio-ingressgateway-service-account&quot;]<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Use the command to apply the yaml file.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>kubectl apply -f demo-authorization-L4.yaml<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Note: If you try to reach service-1 (echoserver-service-1) from the browser, you can access it without any problem. But if you curl it from one of the pods of service-2, the request fails (refer to the screenshot).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/m0XRzPOMKgAEi4n0cY9KiP1p9UuSjfnAaxKkL-ISTGc7hOfFato6imuWEK_gasFM92IeD5b1tl1V36oB9UHN7h-Fbyxus3ppa3-tyo3aJ2dGRiG8j3KlQmn-5o6MjOaFDW3xHaVrwuZ0l15IWqvekU4\" alt=\"\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading l7-authorization\" id=\"l7-authorization\">Steps to create L7 authorization policies using waypoint proxy<\/h3>\n\n\n\n<p>For L7 authorization policies we have to create a waypoint proxy. The waypoint proxy can be configured using K8s gateway API. 
Note, by default the gateway API CRDs might not be available in most of the cloud providers, so we need to install them.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step-1: Download Kubernetes gateway API CRDs<\/h4>\n\n\n\n<p>Use the command to download gateway API CRDs using Kustomize.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>kubectl kustomize &quot;github.com\/kubernetes-sigs\/gateway-api\/crd?ref=v0.6.1&quot; &gt; gateway-api.yaml<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step-2: Apply Kubernetes gateway API<\/h4>\n\n\n\n<p>Use the command to apply gateway API CRDs.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>kubectl apply -f gateway-api.yaml<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step-3: Create waypoint proxy of Kubernetes gateway API kind<\/h4>\n\n\n\n<p>We can create a waypoint proxy of gateway API with a yaml file. You can use the demo-waypoint-1.yaml. 
We have basically created a waypoint proxy for service-1 (echoserver-service-1).<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-white-color has-black-background-color has-text-color has-background\"><tbody><tr><td>apiVersion: gateway.networking.k8s.io\/v1beta1<br>kind: Gateway<br>metadata:<br>&nbsp; name: echoserver-gtw-1<br>&nbsp; namespace: ambient<br>&nbsp; annotations:<br>&nbsp; &nbsp; istio.io\/for-service-account: echo-service-account-1<br>spec:<br>&nbsp; gatewayClassName: istio-waypoint<br>&nbsp; listeners:<br>&nbsp; - allowedRoutes:<br>&nbsp; &nbsp; &nbsp; namespaces:<br>&nbsp; &nbsp; &nbsp; &nbsp; from: Same<br>&nbsp; &nbsp; name: imesh.ai<br>&nbsp; &nbsp; port: 15008<br>&nbsp; &nbsp; protocol: ALL<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Apply it to the K8s cluster.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><tbody><tr><td>kubectl apply -f demo-waypoint-1.yaml<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step-4: Create L7 authorization policy to declare the waypoint proxy for traffic<\/h4>\n\n\n\n<p>Create an L7 authorization policy that the waypoint proxy (<strong>echoserver-gtw-1<\/strong>) enforces on traffic. 
You can use the following <strong>demo-authorization-L7.yaml<\/strong> file to write the policy.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-white-color has-black-background-color has-text-color has-background\"><tbody><tr><td>apiVersion: security.istio.io\/v1beta1<br>kind: AuthorizationPolicy<br>metadata:<br>&nbsp; name: echoserver-policy<br>&nbsp; namespace: ambient<br>spec:<br>&nbsp; selector:<br>&nbsp; &nbsp; matchLabels:<br>&nbsp; &nbsp; &nbsp; istio.io\/gateway-name: echoserver-gtw-1<br>&nbsp; action: ALLOW<br>&nbsp; rules:<br>&nbsp; - from:<br>&nbsp; &nbsp; - source:<br>&nbsp; &nbsp; &nbsp; &nbsp; principals: [&quot;cluster.local\/ns\/istio-system\/sa\/istio-ingressgateway-service-account&quot;]<br>&nbsp; &nbsp; to:<br>&nbsp; &nbsp; - operation:<br>&nbsp; &nbsp; &nbsp; &nbsp; methods: [&quot;GET&quot;]<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Use the command to apply the yaml file.<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl apply -f demo-authorization-L7.yaml<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Step-5: Verify the L7 authorization policy<\/h4>\n\n\n\n<p>As we have created a waypoint proxy for service-1 and applied a policy that allows GET requests from the Istio ingress gateway, you can still access service-1 (echoserver-service-1) from the browser.<\/p>\n\n\n\n<p>However, if you try to access service-1 from one of the pods of service-2 (echoserver-service-2), the waypoint proxy will not allow the traffic as per the policy (refer to the screenshot below).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"439\" height=\"57\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/failure-of-pod-to-pod-communication-with-authorization-policy.png\" alt=\"failure of pod to pod communication with authorization policy\" 
class=\"wp-image-772\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/failure-of-pod-to-pod-communication-with-authorization-policy.png 439w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/failure-of-pod-to-pod-communication-with-authorization-policy-300x39.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/failure-of-pod-to-pod-communication-with-authorization-policy-400x52.png 400w\" sizes=\"(max-width: 439px) 100vw, 439px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Ambient mesh is very cost-efficient and less resource intensive in applying Istio in a staggered manner. 
We feel there will be more <a href=\"https:\/\/imesh.ai\/blog\/implementation-architecture-of-istio-and-api-gateway\/\">implementation of Istio<\/a> after the ambient version.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why do you need Istio Ambient mesh ? 
It is given that<span class=\"excerpt-more\"><\/span><\/p>\n","protected":false},"author":7,"featured_media":774,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,62],"tags":[99,98,53,104],"class_list":["post-760","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ambient-mesh","category-istio-operations","tag-aks","tag-gke","tag-istio","tag-istio-ambient-mesh"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to implement Istio Ambient Mesh in GKE\/AKS<\/title>\n<meta name=\"description\" content=\"Learn the steps and the commands to get started with Istio Ambient mesh in Google and Azure Kubernetes (GKE\/AKS), with easy steps. Ambient mesh is good to achieve security for microservices across multiple clusters.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to implement Istio Ambient Mesh in GKE\/AKS\" \/>\n<meta property=\"og:description\" content=\"Learn the steps and the commands to get started with Istio Ambient mesh in Google and Azure Kubernetes (GKE\/AKS), with easy steps. 
Ambient mesh is good to achieve security for microservices across multiple clusters.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/\" \/>\n<meta property=\"og:site_name\" content=\"IMESH\" \/>\n<meta property=\"article:published_time\" content=\"2023-03-24T09:56:33+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-09-05T05:44:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/How-to-Implement-Istio-Ambient-Mesh-in-GKE-or-AKS-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"720\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Ravi Verma\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ravi Verma\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/\"},\"author\":{\"name\":\"Ravi Verma\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/person\/de71147e8308a9de3e6e329890ba3fb8\"},\"headline\":\"How to Implement Istio Ambient Mesh in GKE or AKS\",\"datePublished\":\"2023-03-24T09:56:33+00:00\",\"dateModified\":\"2023-09-05T05:44:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/\"},\"wordCount\":2348,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/How-to-Implement-Istio-Ambient-Mesh-in-GKE-or-AKS-1.jpg\",\"keywords\":[\"aks\",\"gke\",\"istio\",\"istio ambient mesh\"],\"articleSection\":[\"Ambient Mesh\",\"Istio Operations\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/\",\"url\":\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/\",\"name\":\"How to implement Istio Ambient Mesh in 
GKE\/AKS\",\"isPartOf\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/How-to-Implement-Istio-Ambient-Mesh-in-GKE-or-AKS-1.jpg\",\"datePublished\":\"2023-03-24T09:56:33+00:00\",\"dateModified\":\"2023-09-05T05:44:35+00:00\",\"description\":\"Learn the steps and the commands to get started with Istio Ambient mesh in Google and Azure Kubernetes (GKE\/AKS), with easy steps. Ambient mesh is good to achieve security for microservices across multiple clusters.\",\"breadcrumb\":{\"@id\":\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/#primaryimage\",\"url\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/How-to-Implement-Istio-Ambient-Mesh-in-GKE-or-AKS-1.jpg\",\"contentUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/How-to-Implement-Istio-Ambient-Mesh-in-GKE-or-AKS-1.jpg\",\"width\":1280,\"height\":720,\"caption\":\"How to Implement Istio Ambient Mesh in GKE or AKS\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/imesh.ai\/blog\/how-to-implement-istio-ambient-mesh-in-gke-or-aks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/imesh.ai\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Implement Istio Ambient Mesh in GKE or 
AKS\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/imesh.ai\/blog\/#website\",\"url\":\"https:\/\/imesh.ai\/blog\/\",\"name\":\"IMESH Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/imesh.ai\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/imesh.ai\/blog\/#organization\",\"name\":\"IMESH\",\"url\":\"https:\/\/imesh.ai\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/IMESH-LOGO-scaled.jpg\",\"contentUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/IMESH-LOGO-scaled.jpg\",\"width\":2560,\"height\":1665,\"caption\":\"IMESH\"},\"image\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/imeshai\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/person\/de71147e8308a9de3e6e329890ba3fb8\",\"name\":\"Ravi Verma\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Ravi-Color-e1679567181569-142x150.jpg\",\"contentUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/Ravi-Color-e1679567181569-142x150.jpg\",\"caption\":\"Ravi Verma\"},\"description\":\"Ravi is the CTO of IMESH. Ravi, a technology visionary, brings 12+ years of experience in software development and cloud architecture in enterprise software. 
He has led R&amp;D divisions at Samsung and GE Healthcare and architected high-performance, secure and scalable systems for Baxter and Aricent. His passion and interest lie in network and security. Ravi frequently discusses open-source technologies such as Kubernetes, Istio, and Envoy Proxy from the CNCF landscape.\",\"sameAs\":[\"https:\/\/imesh.ai\"],\"url\":\"https:\/\/imesh.ai\/blog\/author\/raviimesh-ai\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","jetpack_featured_media_url":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/How-to-Implement-Istio-Ambient-Mesh-in-GKE-or-AKS-1.jpg"}