API Connect


Part 1: Istio Service Mesh and APIConnect/DataPower Gateway integration

By Krithika Prakash posted Tue November 13, 2018 06:22 PM

  

Introduction


Hi, I'm Krithika Prakash, Security & Technology architect on the IBM APIConnect/DataPower product development team. In a recent post we explored the relationship between API management and a service mesh such as Istio. In this post, let's look at Istio and how the DataPower API Gateway can be integrated into an Istio service mesh. The intended audience is someone who is familiar with the IBM APIConnect/DataPower end-to-end API management solution and is curious about integrating it with Istio.


This is a two-part series. In the first part, I'll talk about the concepts behind how DataPower can act as an Istio ingress gateway, and in the second part, I'll give a hands-on, step-by-step tutorial on how you can set up your environment with DataPower and Istio working together.


What is Istio


Let's get started. What is Istio? I highly recommend reading the Istio documentation, which explains the concepts clearly.

Istio is an open source project. It is a platform to manage service interactions across container- and VM-based workloads. It addresses most of the common problems that you would encounter when working with microservices.

Istio high level architecture 



This picture depicts the high-level architecture of Istio. It has a control plane and a data plane. It supports security policies, authorization, traffic control, rate limiting and load balancing, to name a few. It has a number of features and the list is increasing rapidly. There is a lot of interest in the project and IBM is one of the major contributors. You can configure these features dynamically without touching the code of your microservices, because every microservice deployed on the Istio framework gets its own proxy, called the Envoy proxy, and any request that goes in or out of the service goes through this proxy. Policies are defined in the control plane and enforced by the Envoy proxies, which are part of the data plane.


Bringing DataPower APIGateway and Istio worlds together


With that quick introduction to Istio, let's look at how we can bring DataPower APIGateway and Istio worlds together.



We all know about DataPower: it is a well-established product that has been in the market for 10+ years as the number one security and API gateway. To highlight some key features that many customers currently use (not an exhaustive list): security policies (JWT, SSL, Kerberos, SAML), map policies, XML <-> JSON policies and parse policies; many customers also have hand-written custom policies to suit their environment's needs. On the other side, we have the Istio framework, which is growing rapidly. It has some cool features like traffic management. Say you want to route 10% of the traffic to your bookinfo service's beta version and 90% of the traffic to the stable version: you can implement the traffic routing policies accordingly without touching the code of your bookinfo service.


Use case 1: DataPower as the Istio Ingress securing the mesh using DataPower issued JWT tokens


To bring these two worlds together, we can bring DataPower into the mesh as the ingress gateway.




You can implement all the DataPower gateway functionality and also implement policies on the Istio mesh, while the entire mesh is secured using DataPower-issued JWT tokens. In this case, the 'bookinfo' app is exposed as an API via the DataPower gateway. It is not otherwise exposed outside of the mesh. So DataPower secures the entire mesh and acts as the ingress. The next part of this series will show you step by step how to implement this.
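One way the mesh side of this can be expressed with Istio's current security API, as an added example that is not from the original post or its part 2 tutorial: a `RequestAuthentication` that validates the gateway-issued JWT, plus an `AuthorizationPolicy` that rejects requests arriving without one. The `bookinfo` namespace, the issuer and the `jwksUri` are placeholders.

```yaml
# Added example; namespace, issuer and jwksUri are placeholders.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: datapower-jwt
  namespace: bookinfo          # assumed namespace of the bookinfo workloads
spec:
  # No selector: the rule applies to every workload in this namespace.
  jwtRules:
  - issuer: "https://datapower.example.com"        # placeholder; must equal the token's iss claim
    jwksUri: "https://datapower.example.com/jwks"  # placeholder; public keys of the issuing gateway
---
# RequestAuthentication on its own only rejects requests that carry an
# invalid token; a request with no token at all is still let through.
# This policy closes that gap by allowing only authenticated principals.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-datapower-jwt
  namespace: bookinfo
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        # A request principal is "<iss>/<sub>"; the trailing wildcard
        # accepts any subject as long as the token came from this issuer.
        requestPrincipals: ["https://datapower.example.com/*"]
```

Because the policy is namespace-wide, calls between the services themselves must also carry the token; add a `selector` to both resources to enforce it only on the workload the gateway calls.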

Use case 2: Context augmentation by DataPower Gateway


Going one level further, DataPower and APIConnect have a powerful concept of client subscriptions and products/plans.



Every time a client wants to access an API, it has to be subscribed to a plan, and based on that subscription you can identify whether this is a premium or a free client. You can then enforce policies that route traffic based on client type rather than at random. For example, if you want to route beta customers to the beta version and premium customers to the stable version, you can implement the policies on the Istio framework and configure DataPower to augment the request context. I will also demonstrate this use case step by step in the next video tutorial.
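The Istio half of this use case, as an added example that is not from the original post: a `VirtualService` that routes on a header the gateway adds from the client's subscription. The header name `x-client-plan`, the host `bookinfo` and the `version` labels are assumptions, and the gateway pod is assumed to send its traffic through an Envoy sidecar.

```yaml
# Added example; header name, host and subset labels are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: bookinfo
spec:
  host: bookinfo
  subsets:
  - name: stable
    labels:
      version: stable
  - name: beta
    labels:
      version: beta
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - bookinfo
  http:
  # Clients whose subscription the gateway marked as beta go to the beta version.
  - match:
    - headers:
        x-client-plan:         # hypothetical header written by the gateway
          exact: beta
    route:
    - destination:
        host: bookinfo
        subset: beta
  # Everyone else, premium clients included, stays on the stable version.
  - route:
    - destination:
        host: bookinfo
        subset: stable
```

The routing decision is only as trustworthy as the header, so the gateway should overwrite any `x-client-plan` value supplied by the client, and the service should stay unreachable except through the gateway.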

Conclusion


I'll leave you with these two use cases: DataPower securing the mesh using JWT tokens, and DataPower additionally augmenting the request context with client subscription details. There are many more use cases, such as DataPower as both the ingress and the egress gateway, DataPower terminating SSL sessions that come into the mesh, a DataPower gateway shared across multiple service meshes, and so on. I'll keep you posted as we work on these scenarios, and we also welcome feedback from DataPower and APIConnect customers on what you would like to see us do in this space.

Related blogs / Whitepaper


Make sure to check out the white paper on API and microservice management from IBM, and also part 2 of this blog, which is a step-by-step, hands-on tutorial for getting the DataPower APIGateway integrated with the Istio framework in your environment.


Comments

Tue February 26, 2019 04:28 AM

Do we have the second part available?

Thu January 24, 2019 05:07 PM

Please, I don't find part 2.

Mon December 17, 2018 10:08 AM

When will part 2 be available?