Network Security at Scale
Bernard Van De Walle, Splunk
Mitch Connors, Aviatrix

Meet Your Speakers
  Bernard Van De Walle
    - Principal software engineer, Splunk
    - K8s, Istio, Envoy operations at scale
    - Previously at Cruise
  Mitch Connors
    - Principal software engineer, Aviatrix
    - Istio member since 2018
    - Istio TOC

Splunk Cloud
  - Cloud-native Splunk
  - Scale: 35 K8s clusters
  - Distributed across all regions, AWS and GCP
  - Cloud agnostic: K8s, Istio, Envoy

Agenda
  - L3/L4: Cloud provider (VPC, Network Load Balancer)
  - L3/L4: Kubernetes (Services, Network Policies)
  - L7: Istio/Envoy (AuthN/AuthZ)

Cloud Provider L3/L4

Standard VPC
  - Isolated standard VPC
  - 3 sets of subnets:
    - Private for Kubernetes workloads
    - Public for Internet connectivity
    - Internal for Splunk connectivity

Network ACLs
  - Stateless
  - Applied per subnet
  - Basic L3/L4 capabilities
  - Provide a catch-all, last-resort set of rules
  - Example: Internal subnet, SRC 10.x/8

Kubernetes nodes
  - Cluster nodes deployed on private IP space
  - Multiple node-groups: Ingress (Gateways), Generic, Workload-specific

Security Groups
  - Stateful
  - Applied per instance
  - Allow fine-grained traffic between specific instances
  - Example: Ingress node-group -> Generic node-group

Ingress connectivity
  - Connectivity through NLBs: public NLBs, internal NLBs
  - Connectivity through Ingress Gateways (Envoy/Istio)

Internal connectivity (transit gateway)
  - Internal connectivity through AWS transit gateway
  - Internal SRC IP advertised only
  - Connected to Splunk firewall

Cloud connectivity (Aviatrix)
  - Cloud services connectivity through Aviatrix
  - Flat network
  - Supports overlapping IPs

Aviatrix Network Domains
  - By default, all connected domains are routable in the flat network across clouds, regions and on-prem
  - Network Domains limit routes: Prod can talk to Shared, Dev can talk to Shared, Dev cannot talk to Prod

Kubernetes L3/L4

Kubernetes deployment
  - Self-service platform
  - External connectivity ONLY through NLBs
  - Pod to pod connectivity and
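The stateless Network ACL "catch-all" on the internal subnet and the stateful Security Group rule between the ingress and generic node-groups, written out in Terraform for AWS as an added example (not the speakers' own configuration). The VPC, subnet and security-group IDs are placeholders, and 10.0.0.0/8 stands in for the slide's "10.x/8".

```hcl
# Added example, not from the talk. All IDs are placeholders.

# --- Network ACL: stateless, applied per subnet, last-resort rules ---
resource "aws_network_acl" "internal" {
  vpc_id     = "vpc-PLACEHOLDER"
  subnet_ids = ["subnet-INTERNAL-PLACEHOLDER"]
  tags       = { Name = "internal-subnet-nacl" }
}

# Inbound: only sources in the internal 10.0.0.0/8 range may reach 443.
resource "aws_network_acl_rule" "internal_in" {
  network_acl_id = aws_network_acl.internal.id
  rule_number    = 100
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "10.0.0.0/8"
  from_port      = 443
  to_port        = 443
}

# NACLs are stateless, so replies are not tracked: the response to an
# inbound 443 connection goes back to the client's ephemeral port and
# needs its own explicit outbound rule, or the connection silently hangs.
resource "aws_network_acl_rule" "internal_out_replies" {
  network_acl_id = aws_network_acl.internal.id
  rule_number    = 100
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "10.0.0.0/8"
  from_port      = 1024
  to_port        = 65535
}
# Anything not matched above falls through to the ACL's implicit deny:
# that is the "catch-all" the slides describe.

# --- Security Group: stateful, per instance, fine-grained ---
# Generic node-group instances accept traffic only from instances in the
# ingress node-group's security group. Stateful tracking means replies
# are allowed automatically; no mirror egress rule is required.
resource "aws_security_group_rule" "ingress_to_generic" {
  type                     = "ingress"
  security_group_id        = "sg-GENERIC-NODES-PLACEHOLDER"
  source_security_group_id = "sg-INGRESS-NODES-PLACEHOLDER"
  protocol                 = "tcp"
  from_port                = 0
  to_port                  = 65535
}
```

The two layers are complementary: the ACL is the coarse subnet-wide backstop, while the instance-level group rule carries the actual node-group-to-node-group allow list.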