Securing East-West Traffic Patterns

East-west traffic between services often exceeds north-south traffic from external clients. Traditional perimeter security ignores this internal traffic, creating opportunities for lateral movement. Service meshes secure all east-west traffic through encryption and authorization, eliminating implicit trust between services.

Microsegmentation through service mesh policies creates granular security boundaries. Unlike network-based segmentation, service mesh segmentation operates at the application layer with full context. Policies can consider service identity, API methods, headers, and payload attributes for precise access control.
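To make the composition rules concrete, here is a small model of how the sidecar decides on a request under a set of AuthorizationPolicy objects. This is an added example for this page, not Istio's own code: it follows the evaluation order Istio documents (DENY policies are checked first; if any ALLOW policy selects the workload and none of its rules match, the request is denied; with no ALLOW policy at all the request passes), while simplifying matching to glob patterns and leaving out CUSTOM actions, JWT claims and notValues. The policies, service-account principals and requests below are constructed for illustration.

```python
"""Simplified model of Istio AuthorizationPolicy evaluation (added example, not Istio code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Request:
    principal: str        # caller's SPIFFE id, taken from its mTLS client certificate
    namespace: str        # caller's namespace, also derived from the certificate
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # lowercase header names


def _match(values, actual):
    """Empty `values` means "any"; otherwise a non-empty actual must glob-match one."""
    if not values:
        return True
    return actual != "" and any(fnmatchcase(actual, v) for v in values)


def _condition_matches(cond, req):
    key, values = cond["key"], cond.get("values", [])
    if key.startswith("request.headers[") and key.endswith("]"):
        actual = req.headers.get(key[len("request.headers["):-1].lower(), "")
    elif key == "source.principal":
        actual = req.principal
    elif key == "source.namespace":
        actual = req.namespace
    else:
        raise ValueError(f"condition key not modelled here: {key}")
    return _match(values, actual)


def _rule_matches(rule, req):
    # One `from` entry and one `to` entry must match, plus every `when`
    # condition; an absent section matches anything.
    from_ok = any(_match(s.get("source", {}).get("principals", []), req.principal)
                  and _match(s.get("source", {}).get("namespaces", []), req.namespace)
                  for s in rule.get("from", [{}]))
    to_ok = any(_match(o.get("operation", {}).get("methods", []), req.method)
                and _match(o.get("operation", {}).get("paths", []), req.path)
                for o in rule.get("to", [{}]))
    return from_ok and to_ok and all(_condition_matches(c, req) for c in rule.get("when", []))


def authorize(policies, req):
    """Return "ALLOW" or "DENY" for a request arriving at one workload's sidecar."""
    def matches(action):
        return any(_rule_matches(r, req)
                   for p in policies if p["action"] == action for r in p.get("rules", []))
    if matches("DENY"):
        return "DENY"                      # a matching DENY always wins
    if not any(p["action"] == "ALLOW" for p in policies):
        return "ALLOW"                     # no ALLOW policy selects the workload
    return "ALLOW" if matches("ALLOW") else "DENY"   # ALLOW present: default deny


# Constructed policies for a hypothetical payment-service workload.
PAYMENT_SERVICE_POLICIES = [
    {   # The admin API is never reachable over the mesh, whatever else allows the caller.
        "action": "DENY",
        "rules": [{"to": [{"operation": {"paths": ["/admin/*"]}}]}],
    },
    {   # Only order-service's identity may create charges: POST on the v1 path,
        # and only while propagating a request id.
        "action": "ALLOW",
        "rules": [{
            "from": [{"source": {"principals": ["cluster.local/ns/production/sa/order-service"]}}],
            "to": [{"operation": {"methods": ["POST"], "paths": ["/v1/charges"]}}],
            "when": [{"key": "request.headers[x-request-id]", "values": ["*"]}],
        }],
    },
    {   # Any production workload may probe health.
        "action": "ALLOW",
        "rules": [{"from": [{"source": {"namespaces": ["production"]}}],
                   "to": [{"operation": {"methods": ["GET"], "paths": ["/healthz"]}}]}],
    },
]

ORDER_SVC = "cluster.local/ns/production/sa/order-service"         # constructed
INVENTORY_SVC = "cluster.local/ns/production/sa/inventory-service" # constructed
STAGING_MON = "cluster.local/ns/staging/sa/monitor"                # constructed


def demo():
    """Evaluate constructed requests against the policies; returns {label: decision}."""
    cases = {
        "order POST charge": Request(ORDER_SVC, "production", "POST", "/v1/charges", {"x-request-id": "7c1e"}),
        "order POST charge, no request id": Request(ORDER_SVC, "production", "POST", "/v1/charges"),
        "order GET admin": Request(ORDER_SVC, "production", "GET", "/admin/users", {"x-request-id": "7c1f"}),
        "inventory POST charge": Request(INVENTORY_SVC, "production", "POST", "/v1/charges", {"x-request-id": "7c20"}),
        "inventory GET healthz": Request(INVENTORY_SVC, "production", "GET", "/healthz"),
        "staging GET healthz": Request(STAGING_MON, "staging", "GET", "/healthz"),
    }
    return {label: authorize(PAYMENT_SERVICE_POLICIES, req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{decision:5}  {label}")
```

The interesting outcomes are the denials: the missing request id fails a `when` condition even though the identity and operation are right, and inventory-service is refused not by any DENY rule but because ALLOW policies exist and none name it. Put the same policies on a real sidecar and the identity fields come from the mTLS certificate rather than from a constructed object, which is why the paragraph above can describe this segmentation as carrying full application-layer context.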

# Multi-cluster service mesh security: a dedicated east-west gateway that only
# accepts mesh mTLS, so cross-cluster hops never fall back to plaintext and the
# calling workload's identity travels with the connection.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: cross-cluster-gateway
  namespace: istio-system
spec:
  selector:
    istio: eastwestgateway      # separate gateway deployment from the public ingress
  servers:
  - port:
      number: 15443             # Istio's conventional multi-cluster mTLS port
      name: tls
      protocol: TLS
    tls:
      mode: ISTIO_MUTUAL        # mesh-issued certificates on both ends; a client cert is required
    hosts:
    - "*.local"                 # expose cluster-local services only

---
# Egress control for external services: registering the destination puts it in
# the mesh service registry, so calls to it are observable and can be authorized.
# Combined with outboundTrafficPolicy REGISTRY_ONLY, unregistered destinations
# are blocked instead of passed through.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
  namespace: production
spec:
  hosts:
  - api.partner.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL       # outside the mesh: no sidecar, no mesh identity
  resolution: DNS

---
# Egress authorization policy, enforced at the egress gateway. Callers are
# identified by the SPIFFE principal in their mTLS client certificate, which
# the gateway can verify (pod labels are not a supported condition key and
# cannot be verified by the receiving proxy). The policy must live in the
# namespace where the egress gateway pods run; trust domain cluster.local is
# the default and should be replaced by your own.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: egress-control
  namespace: production
spec:
  selector:
    matchLabels:
      app: istio-egressgateway
  action: ALLOW                 # once an ALLOW policy selects the gateway, unmatched traffic is denied
  rules:
  - to:
    - operation:
        hosts: ["api.partner.com"]
    when:
    - key: source.principal
      values:
      - "cluster.local/ns/production/sa/payment-processor"
      - "cluster.local/ns/production/sa/order-service"