IBM Security Verify

  • 1.  Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

    Posted Mon February 12, 2024 10:06 PM

    Hello Team,

    Before asking question here, I reached out through support channel and did not get a satisfactory answer.

    The ask was whether IAG supports service mesh in GKE. The response was that it should, but with no guarantee, and that it was not officially tested in GCP.

    The next question I asked was whether it had ever been tested on any well-known cloud provider, but the answer was the same: it should work, but with no guarantee, in AWS/AKS as well.

    Does IAG with service mesh work in AWS/GCP/Azure?

    Does ISVA with service mesh work in AWS/GCP/Azure?

    Does the ISVG containerized version support service mesh in AWS/GCP/Azure?

    Please let me know if you have a similar architecture deployment; that would be a great help for us.

    Thank you!!



    ------------------------------
    Bipin Dash
    ------------------------------


  • 2.  RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

    Posted Mon February 12, 2024 11:03 PM

    Bipin,

     

    I have to agree with the support team.  IAG has been tested to run on Kubernetes (among other containerisation platforms), but has not been specifically tested on GKE service mesh.  If GKE service mesh has been confirmed as fully Kubernetes compliant, then IAG should run on it just fine.  However, it would be incorrect for the support team to claim support for GKE service mesh without first knowing that it fully works on the platform.

     

    Thanks.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor







  • 3.  RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

    Posted Tue February 13, 2024 09:57 AM

    Thank you Scott!

    Can you suggest a preferred cloud platform where other customers have already deployed?



    ------------------------------
    Bipin Dash
    ------------------------------



  • 4.  RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

    Posted Tue February 13, 2024 03:50 PM

    Bipin,

     

    You just need to pick a cloud platform which is based on Kubernetes, or OpenShift.  I've personally tried a Kubernetes cluster, and OpenShift on IBM Cloud.  I've also tried AKS.

     

    Thanks.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor







  • 5.  RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

    Posted Tue February 13, 2024 04:12 PM

    Scott, appreciate your response.

    Does a service mesh in front of IAG, with any cloud provider, add any value? When you tested with AKS, was there any service mesh in front of IAG?

    Just trying to collect information regarding IAG + Service Mesh, to see if it actually adds any value. A service mesh is a proxy; IAG is a proxy. A proxy on top of another proxy.



    ------------------------------
    Bipin Dash
    ------------------------------



  • 6.  RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

    Posted Tue February 13, 2024 09:45 PM

    Bipin,

     

    What are you trying to achieve by introducing a service mesh into the environment?  What service would the service mesh router be providing for you?  I suspect that if you cannot clearly articulate the benefits, there won't be any for your environment.  Alternatively, the IAG operator, using the sidecar method, can provide a simple service mesh.

     

    Thanks.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor







  • 7.  RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

    Posted Wed February 14, 2024 04:40 PM
    Edited by Bipin Dash Wed February 14, 2024 04:48 PM

    Scott,

    There are two requirements for adding a service mesh in front of IAG for egress. But I am asking whether it is a recommended architectural approach; if you can advise, that would be helpful.

    1 - In GCP, for egress connections there is no DNS-based firewall rule for dynamic IPs from a pod. The IAG pod connects to the ISV tenant, and the ISV tenant IPs are dynamic in nature. The current telecom/networking team is asking whether they can add a service mesh in front of IAG to make a DNS-based firewall rule work. Though they are exploring other options to solve the DNS-based firewall rule, we are wondering whether having a service mesh is a good approach in this situation.

    2 - We have 300-400 junctions/HTTP-header-based applications. Is it a good idea to make each junction an IAG pod to fit into a microservice architecture? Do you think this is a good approach? Ultimately we would have 300-400 pods.

    Please provide your suggestion as we are digging into different solutions.



    ------------------------------
    Bipin Dash
    ------------------------------



  • 8.  RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

    Posted Tue February 27, 2024 12:55 PM

    Bipin,

    The service mesh (probably Anthos) you are looking into and the use case you are bringing up is a use case for egress traffic (IAG making calls to the /token or /introspect endpoint). It is the CDN in front of Verify SaaS that changes, at intervals, the IP addresses used to resolve the Verify services.

    K8s Network Policy can already help with the egress traffic. A service mesh egress gateway might help, but every service mesh technology has its requirements. See also: https://www.tigera.io/blog/secure-egress-access-with-dns-policy-and-networksets/

    Making each junction into a pod will bring a number of operational challenges. E.g. an IBM customer has approximately 150 junctions in one IAG configuration (9 IAG pods spread over 6 worker nodes) and that works fine, but for 300-400 pods you can probably split the configuration over a number of different IAG configurations (ConfigMaps, ...) and map/group the applications (if you have different virtual hosts (IAG) or SSO mechanisms for the applications).

    Hope this helps

    Kind regards

    Serge Vereecke



    ------------------------------
    Serge Vereecke
    ------------------------------
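As an added example, not taken from this thread or from IBM's or Tigera's documentation, of what "K8s Network Policy can already help with the egress traffic" means for the case Bipin describes: a plain Kubernetes NetworkPolicy can only express egress by pod/namespace selector or by CIDR, so it can lock the IAG pods down to cluster DNS plus a fixed address range, but it cannot follow a CDN whose addresses rotate. Domain-based egress needs a CNI with DNS policy support; the second half of the example uses the Calico GlobalNetworkSet/GlobalNetworkPolicy form that the linked Tigera post describes. Everything below is assumed for illustration: the IAG pods carry the label `app: iag` in a namespace `iag`, the Verify SaaS tenant is reached as `tenant.verify.ibm.com` (placeholder), `203.0.113.0/24` is a documentation range standing in for the real CDN addresses, and the cluster runs a Calico edition that supports `allowedEgressDomains`.

```yaml
# Part 1: plain Kubernetes NetworkPolicy (any conformant cluster).
# Default-deny egress for the IAG pods, then allow only cluster DNS and
# HTTPS to an explicit CIDR. The CIDR is the weak point: the CDN in front
# of Verify SaaS rotates addresses, so this list goes stale.
# Labels, namespace and CIDR are assumed for this example.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: iag-egress-baseline
  namespace: iag
spec:
  podSelector:
    matchLabels:
      app: iag
  policyTypes:
    - Egress
  egress:
    # Cluster DNS (kube-dns/CoreDNS in kube-system). Without this the IAG
    # pod cannot resolve the tenant hostname at all.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # HTTPS to the Verify SaaS CDN. Only CIDRs are expressible here;
    # 203.0.113.0/24 is a documentation range, not a real CDN prefix.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        - protocol: TCP
          port: 443
---
# Part 2: DNS-based egress with Calico (Enterprise/Cloud DNS policy, as in
# the Tigera post linked above). The network set is keyed on a domain name,
# Calico learns the matching IPs from the DNS answers the pod itself
# receives, and the policy references the set by label, so CDN rotation
# needs no rule change. Names and labels are assumed for this example.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: verify-saas
  labels:
    external-ep: verify-saas
spec:
  allowedEgressDomains:
    - "tenant.verify.ibm.com"   # placeholder tenant hostname
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: iag-egress-dns
spec:
  selector: app == 'iag'
  types:
    - Egress
  egress:
    # Keep DNS pinned to the cluster resolver: once policy is derived from
    # DNS answers, where the pod is allowed to ask becomes security-relevant.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports: [53]
    # HTTPS only to addresses the Verify tenant name currently resolves to.
    - action: Allow
      protocol: TCP
      destination:
        selector: external-ep == 'verify-saas'
        ports: [443]
    # Anything else leaving the IAG pods is dropped by Calico's implicit
    # deny for endpoints that an Egress policy selects.
```

To check it, apply the manifests and, from an IAG pod, confirm that the tenant's /token and /introspect endpoints still resolve and connect while a connection to an unrelated host is refused. Part 1 is the portable fallback if the cluster's CNI has no DNS policy support, at the cost of maintaining the CIDR list by hand.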



  • 9.  RE: Seeking information on ISVG/ISVA/IAG deployment in Service Mesh architecture - which cloud provider is preferred?

    Posted Wed February 28, 2024 10:17 AM

    This helps Serge, thanks for the information. 



    ------------------------------
    Bipin Dash
    ------------------------------