← All patterns

DP-CDNET-001: Istio Service Mesh Security and Policy Enforcement

Status: Draft • Design lead: Kewin Joffe

Problem statement

Modern service-based architectures require fine-grained control over traffic flow and security policies to ensure reliable, secure, and compliant communication.

Solution

Use Istio security-related CRDs to enforce traffic management, authentication, and authorization policies.

These capabilities include mTLS for service communication, JWT validation, and RBAC/ABAC policies. Combined with integrations like APIM, AppGW, and WAF, this pattern provides layered security for both internal and external traffic.

Enabling technology

Istio CRDs

• AuthorizationPolicy
  • Apply RBAC/ABAC rules to manage access at the service, namespace, or mesh level.
• RequestAuthentication
  • Enforce JWT validation for API calls; supports multiple identity providers.
• PeerAuthentication
  • Enforce strict mTLS for service-to-service traffic; supports permissive mode for gradual rollout.

Platform and integrations

• AKS — hosts workloads and Istio.
• APIM — external traffic authentication.
• AppGW + WAF — perimeter security.
• External Secrets Operator — manages token secrets.

Flow

1. Authorization policies — RBAC/ABAC enforcement
2. Authentication policies — JWT validation
3. Service-to-service security — strict mTLS
4. Integration with external services — APIM/AppGW/WAF layered controls

When to use

• Many microservices requiring secure communication
• External traffic authentication via APIM/AppGW
• Need mTLS + fine-grained access controls

When not to use

• Simple monoliths / low complexity
• Non-containerized workloads / not on Kubernetes

Design pattern in a page

Purpose

Secure traffic and enforce fine-grained policies within a service mesh.

Core CRDs

• AuthorizationPolicy (RBAC/ABAC)
• RequestAuthentication (JWT)
• PeerAuthentication (mTLS)

Integration points

• APIM (external auth)
• AppGW/WAF (perimeter)
• AKS (multi-tenancy, isolation)

Reference implementation

TODO: add link

Attachment

TODO: diagram path (./images/Design-Pattern-DP-CDNET-001.png)

Tags: istio, service-mesh, security, policy, aks, apim, waf