IBM Security Verify

Hello Team,

Before asking question here, I reached out through support channel and did not get a satisfactory answer.

The ask was if IAG supports service mesh in GKE? The response was it should but no guarantee and it was not tested officially in GCP.

The next question I asked if it was ever tested in any well known cloud provider but same answer that it should work but no guarantee in AWS/AKS as well.

Does IAG with service mesh works in AWS/GCP/Azure?

Does ISVA with service mesh works  in AWS/GCP/Azure?

Does ISVG containerized version supports service mesh in AWS/GCP/Azure?

Please let me know if you have similar architecture deployment, that will be great help for us.

Thank you!!

Hello Team,

Before asking question here, I reached out through support channel and did not get a satisfactory answer.

The ask was if IAG supports service mesh in GKE? The response was it should but no guarantee and it was not tested officially in GCP.

The next question I asked if it was ever tested in any well known cloud provider but same answer that it should work but no guarantee in AWS/AKS as well.

Does IAG with service mesh works in AWS/GCP/Azure?

Does ISVA with service mesh works  in AWS/GCP/Azure?

Does ISVG containerized version supports service mesh in AWS/GCP/Azure?

Please let me know if you have similar architecture deployment, that will be great help for us.

Thank you!!

Thank you Scott!

Can you suggest preferred cloud platform where other customers have already deployed?

Hello Team,

Before asking question here, I reached out through support channel and did not get a satisfactory answer.

The ask was if IAG supports service mesh in GKE? The response was it should but no guarantee and it was not tested officially in GCP.

The next question I asked if it was ever tested in any well known cloud provider but same answer that it should work but no guarantee in AWS/AKS as well.

Does IAG with service mesh works in AWS/GCP/Azure?

Does ISVA with service mesh works  in AWS/GCP/Azure?

Does ISVG containerized version supports service mesh in AWS/GCP/Azure?

Please let me know if you have similar architecture deployment, that will be great help for us.

Thank you!!

Thank you Scott!

Can you suggest preferred cloud platform where other customers have already deployed?

Hello Team,

Before asking question here, I reached out through support channel and did not get a satisfactory answer.

The ask was if IAG supports service mesh in GKE? The response was it should but no guarantee and it was not tested officially in GCP.

The next question I asked if it was ever tested in any well known cloud provider but same answer that it should work but no guarantee in AWS/AKS as well.

Does IAG with service mesh works in AWS/GCP/Azure?

Does ISVA with service mesh works  in AWS/GCP/Azure?

Does ISVG containerized version supports service mesh in AWS/GCP/Azure?

Please let me know if you have similar architecture deployment, that will be great help for us.

Thank you!!

Scott, appreciate your response.

 is service mesh in front of IAG with any cloud provider, will add any value? When you have tested with AKS, was there any service mesh in front of IAG?

Just trying to collect information regarding IAG + Service Mesh, if it actually adds any value? Service Mesh is a proxy, IAG is a proxy. Proxy on top of another proxy.

Thank you Scott!

Can you suggest preferred cloud platform where other customers have already deployed?

Hello Team,

Before asking question here, I reached out through support channel and did not get a satisfactory answer.

The ask was if IAG supports service mesh in GKE? The response was it should but no guarantee and it was not tested officially in GCP.

The next question I asked if it was ever tested in any well known cloud provider but same answer that it should work but no guarantee in AWS/AKS as well.

Does IAG with service mesh works in AWS/GCP/Azure?

Does ISVA with service mesh works  in AWS/GCP/Azure?

Does ISVG containerized version supports service mesh in AWS/GCP/Azure?

Please let me know if you have similar architecture deployment, that will be great help for us.

Thank you!!

Original Message:
Sent: 2/13/2024 4:12:00 PM
From: Bipin Dash
Subject: RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Scott, appreciate your response.

 is service mesh in front of IAG with any cloud provider, will add any value? When you have tested with AKS, was there any service mesh in front of IAG?

Just trying to collect information regarding IAG + Service Mesh, if it actually adds any value? Service Mesh is a proxy, IAG is a proxy. Proxy on top of another proxy.

------------------------------
Bipin Dash

Original Message:
Sent: Tue February 13, 2024 03:50 PM
From: Scott Exton
Subject: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Original Message:
Sent: 2/13/2024 9:57:00 AM
From: Bipin Dash
Subject: RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Thank you Scott!

Can you suggest preferred cloud platform where other customers have already deployed?

------------------------------
Bipin Dash

Original Message:
Sent: Mon February 12, 2024 11:02 PM
From: Scott Exton
Subject: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Original Message:
Sent: 2/12/2024 10:06:00 PM
From: Bipin Dash
Subject: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Hello Team,

Before asking question here, I reached out through support channel and did not get a satisfactory answer.

The ask was if IAG supports service mesh in GKE? The response was it should but no guarantee and it was not tested officially in GCP.

The next question I asked if it was ever tested in any well known cloud provider but same answer that it should work but no guarantee in AWS/AKS as well.

Does IAG with service mesh works in AWS/GCP/Azure?

Does ISVA with service mesh works  in AWS/GCP/Azure?

Does ISVG containerized version supports service mesh in AWS/GCP/Azure?

Please let me know if you have similar architecture deployment, that will be great help for us.

Thank you!!

------------------------------
Bipin Dash
------------------------------

Scott,

There are 2 requirements to add service mesh in front of IAG for egress. But I am requesting if it's a recommended architectural approach, if you can suggest that would be helpful.

1 - In GCP, for egress connection there is no DNS based FW rule for dynamic IPs from pod. IAG Pod connects to ISV tenant and ISV tenant IPs are dynamic in nature. The current telecom/networking team are asking us if they can add a service mesh in front of IAG to make DNS based firewall rule working. Though they are exploring other options to solve DNS based firewall rule, we are thinking is it a good approach to have a service mesh in this situation.

2- we have 300-400 junctions/http-header based application, is it good idea to make each junction as a IAG POD to fit into a micro-service architecture? Do you think this is a good approach? Ultimately we will be having 300-400 pods

Please provide your suggestion as we are digging into different solutions.

------------------------------
Bipin Dash

Original Message:
Sent: Tue February 13, 2024 09:45 PM
From: Scott Exton
Subject: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Original Message:
Sent: 2/13/2024 4:12:00 PM
From: Bipin Dash
Subject: RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Scott, appreciate your response.

 is service mesh in front of IAG with any cloud provider, will add any value? When you have tested with AKS, was there any service mesh in front of IAG?

Just trying to collect information regarding IAG + Service Mesh, if it actually adds any value? Service Mesh is a proxy, IAG is a proxy. Proxy on top of another proxy.

------------------------------
Bipin Dash

Original Message:
Sent: Tue February 13, 2024 03:50 PM
From: Scott Exton
Subject: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Original Message:
Sent: 2/13/2024 9:57:00 AM
From: Bipin Dash
Subject: RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Thank you Scott!

Can you suggest preferred cloud platform where other customers have already deployed?

------------------------------
Bipin Dash

Original Message:
Sent: Mon February 12, 2024 11:02 PM
From: Scott Exton
Subject: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Original Message:
Sent: 2/12/2024 10:06:00 PM
From: Bipin Dash
Subject: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Hello Team,

Before asking question here, I reached out through support channel and did not get a satisfactory answer.

The ask was if IAG supports service mesh in GKE? The response was it should but no guarantee and it was not tested officially in GCP.

The next question I asked if it was ever tested in any well known cloud provider but same answer that it should work but no guarantee in AWS/AKS as well.

Does IAG with service mesh works in AWS/GCP/Azure?

Does ISVA with service mesh works  in AWS/GCP/Azure?

Does ISVG containerized version supports service mesh in AWS/GCP/Azure?

Please let me know if you have similar architecture deployment, that will be great help for us.

Thank you!!

------------------------------
Bipin Dash
------------------------------

Bipin,

The service mesh (probably Anthos) you are looking into and the use case you are bringing up is a use case for egress traffic (IAG making calls to the /token or /introspect endpoint.  It is the CDN in front of Verify Saas that is changing at intervals the IP addresses in use to resolve the Verify services.

K8s Network Policy can already help with the egress traffic.  A service mesh egress gateway might help but every service mesh technology has its requirements. See also this: https://www.tigera.io/blog/secure-egress-access-with-dns-policy-and-networksets/

Making each junction into a pod is will bring a number of operational challenges.  E.g a IBM customer has approximately 150 junctions in 1 IAG configuration (9 IAG pods spread over 6 worker nodes ) and that works fine but for 300 -400 pods you probably can splits configuration over a number of different IAG configurations  (ConfigMaps,..) and map /group the applications (if you  have different virtual hosts (IAG), SSO mechanisms to the application.

Hope this helps

Kind regards

Serge Vereecke

Scott,

There are 2 requirements to add service mesh in front of IAG for egress. But I am requesting if it's a recommended architectural approach, if you can suggest that would be helpful.

1 - In GCP, for egress connection there is no DNS based FW rule for dynamic IPs from pod. IAG Pod connects to ISV tenant and ISV tenant IPs are dynamic in nature. The current telecom/networking team are asking us if they can add a service mesh in front of IAG to make DNS based firewall rule working. Though they are exploring other options to solve DNS based firewall rule, we are thinking is it a good approach to have a service mesh in this situation.

2- we have 300-400 junctions/http-header based application, is it good idea to make each junction as a IAG POD to fit into a micro-service architecture? Do you think this is a good approach? Ultimately we will be having 300-400 pods

Please provide your suggestion as we are digging into different solutions.

------------------------------
Bipin Dash

Original Message:
Sent: Tue February 13, 2024 09:45 PM
From: Scott Exton
Subject: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Original Message:
Sent: 2/13/2024 4:12:00 PM
From: Bipin Dash
Subject: RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Scott, appreciate your response.

 is service mesh in front of IAG with any cloud provider, will add any value? When you have tested with AKS, was there any service mesh in front of IAG?

Just trying to collect information regarding IAG + Service Mesh, if it actually adds any value? Service Mesh is a proxy, IAG is a proxy. Proxy on top of another proxy.

------------------------------
Bipin Dash

Original Message:
Sent: Tue February 13, 2024 03:50 PM
From: Scott Exton
Subject: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Original Message:
Sent: 2/13/2024 9:57:00 AM
From: Bipin Dash
Subject: RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Thank you Scott!

Can you suggest preferred cloud platform where other customers have already deployed?

------------------------------
Bipin Dash

Original Message:
Sent: Mon February 12, 2024 11:02 PM
From: Scott Exton
Subject: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Original Message:
Sent: 2/12/2024 10:06:00 PM
From: Bipin Dash
Subject: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

Hello Team,

Before asking question here, I reached out through support channel and did not get a satisfactory answer.

The ask was if IAG supports service mesh in GKE? The response was it should but no guarantee and it was not tested officially in GCP.

The next question I asked if it was ever tested in any well known cloud provider but same answer that it should work but no guarantee in AWS/AKS as well.

Does IAG with service mesh works in AWS/GCP/Azure?

Does ISVA with service mesh works  in AWS/GCP/Azure?

Does ISVG containerized version supports service mesh in AWS/GCP/Azure?

Please let me know if you have similar architecture deployment, that will be great help for us.

Thank you!!

------------------------------
Bipin Dash
------------------------------