Istio offers mutual TLS as a solution for service-to-service authentication.
- When a service receives or sends network traffic, the traffic always goes through the Envoy proxies first.
- When mTLS is enabled between two services, the client side and server side Envoy proxies verify each other’s identities before sending requests.
- If the verification is successful, then the client-side proxy encrypts the traffic, and sends it to the server-side proxy.
- The server-side proxy decrypts the traffic and forwards it locally to the actual destination service.
In Backyards, you can manage mTLS settings between services with the CLI or on the UI, mesh-wide, namespace-wide, and on the service-specific level.
Using the Backyards CLI 🔗︎
The following procedures show how you can change the mTLS settings. These are just examples to get you started, you can check the full list of mTLS commands in the Backyards CLI repo.
Mesh-wide mTLS settings 🔗︎
Change the mesh-wide setting to
PERMISSIVEwith the following command:
$ backyards mtls allow mesh INFO switched global mTLS to PERMISSIVE successfully
Then, verify that the setting is present:
$ backyards mtls get mesh mTLS rule for /mesh Policy Targets MtlsMode /default  PERMISSIVE
Namespace-wide and service-specific mTLS settings 🔗︎
STRICTPolicy for the
Note that after the command has been run successfully, the output returns the Policy which applies to the namespace.
$ backyards mtls require backyards-demo INFO policy peers for backyards-demo/ set successfully mTLS rule for backyards-demo/ Policy Targets MtlsMode backyards-demo/default  STRICT
PERMISSIVEPolicy for the 8080 port of the
bookingsservice in the
$ backyards mtls allow backyards-demo/bookings:8080 INFO policy peers for backyards-demo/bookings set successfully mTLS rule for backyards-demo/bookings Policy Targets MtlsMode backyards-demo/bookings-r2xux [bookings(8080)] PERMISSIVE
Remove the Policy you’ve just set with the following command:
$ backyards mtls unset backyards-demo/bookings:8080 INFO policy peers for backyards-demo/bookings unset successfully mTLS rule for backyards-demo/bookings Policy Targets MtlsMode backyards-demo/default  STRICT
Note that when the service-specific Policy is removed for the
bookingsservice, the namespace-wide Policy will be applied to the service.
Remove the Policy from the
backyards-demonamespace as well:
$ backyards mtls unset backyards-demo INFO policy peers for backyards-demo/ unset successfully mTLS rule for backyards-demo/ Policy Targets MtlsMode /default  PERMISSIVE
Note that when the namespace-wide Policy is removed from the
backyards-demonamespace, the mesh-wide MeshPolicy will be applied to the namespace.
Using the Backyards UI 🔗︎
You can change the mesh-wide mTLS settings on the
To create, edit, view, or remove namespace-wide and service-specific mTLS settings, open the
Detailspanel of the namespace or service, then click on the
When a load is sent to the demo application, you can easily verify whether the traffic between your services is actually encrypted or not by glancing at the security edge labels. Either red open locks or green closed ones will appear around the services in the UI, indicating that encrypted or non-encrypted data has been sent between the services.