Achieve Compliance, Zero Trust with Istio Ambient Mesh


Application Networking Day

with Istio, Cilium, and Envoy Hosted by       

Additional IN-PERSON Registration Required

Waterview Loft 130 Atwater St, Detroit, MI 48226

Monday October 24, 2022

Start with equal parts API-GW, Kubernetes Ingress and Service Mesh, then throw in some Security, Observability, and Multi-Tenancy. The world of application networking is changing fast. Join us at this off-site co-located event to learn about what’s new with open source technologies including Istio, Cilium and Envoy, and how to use them together to better power your applications.

This event includes one full day of technical sessions presented by end users and industry leaders from across the cloud native ecosystem concurrent with live, hands-on Istio, Cilium and Envoy workshops so you can try out the technologies as you learn.

Please note that this is an off-site Sponsor Hosted Co-located Event.

For questions regarding this event, please contact:

Click here to register for KubeCon + CloudNativeCon and add this workshop/event to your registration.
If you are already registered for KubeCon + CloudNativeCon, please modify your registration to add-on this workshop/event.




Time Duration Title Description
9:15am 90min Fundamentals of Envoy (with certification option) Envoy Proxy is a foundational layer for many of the innovations propelling the cloud-native community, including service meshes and cloud-native API gateways. But many engineers understand Envoy only as a black-box, hidden by simplifying levels of abstraction. The purpose of this workshop is to provide a hands-on workshop that will bridge those gaps in Envoy understanding. Participants will explore first principles regarding Envoy architecture, filter chains, and a day-in-the-life of a request. Users will then put those principles to work to understand how to configure Envoy and debug real-world problems.
10:45am 15min Break
11:00am 60min Introduction to Cilium (Certification) Cilium is an open source software for providing, securing and observing network connectivity between container workloads – cloud native, and fueled by the revolutionary Kernel technology eBPF. This “Fundamentals for Cilium” credential, offered by with Credly, certifies that you possess the essential skills to deploy the Cilium CNI on a test Kubernetes cluster, gather metrics and enforce network policies. At the completion of the “Introduction to eBPF and Cilium” workshop, you will be able to take an assessment and a score 80% or higher earns the certification.
12:00pm 60min Lunch
1:10pm 60min Get Started with Istio Ambient Mesh (Certification) Istio Ambient Mesh implements a “sidecarless” architecture which is transparent to the workloads in the mesh. This approach has a number of benefits including incremental adoption, improved operations and more. This hands-on course will help you better understand how Istio Ambient Mesh works.
2:10pm 15min Break
2:25pm 120min Get Started with Istio (Certification) Microservices can be complicated and difficult to manage. These complexities have given rise to a new solution called service mesh. This workshop explains how to get started with Istio by incrementally adopting Istio and observing the benefits that Istio service mesh brings to you. We will explore various functions and benefits that Istio provides to your organization.



Time Title Description
9:00am Welcome and Overview
9:05am The Future of Application Networking with Istio, Cilium, and Envoy The last 5 years have been all about building Cloud-native 1.0, deploying Kubernetes, understanding how to containerize applications, and managing daily updates. Those early successes are now leading to a new set of challenges in scalability, security and observability. We’re now moving into the Cloud-native 2.0 era, which will require us to apply new technologies and architectures to solve bigger challenges. Learn how the evolution of Istio, Envoy and Cilium will play a critical role in this next stage of cloud-native applications.
9:20am State of Istio Ambient Mesh Istio is changing the way Cloud Native developers think about Application Networking concerns such as Routing, Security, and Observability. Join Louis and Lin who both are members of the Istio TOC to learn the state of Istio. We will cover our ongoing efforts to make operating your service mesh boring with Istio and an exciting new model for running your data plane, reducing resource usage, and increasing control over CVE exposure with our ambient sidecarless topology.
9:40am Enhancing Istio Ambient Mesh with eBPF Istio’s new ambient mesh mode is designed to alleviate challenges associated with the long-standing sidecar-based approach. However, moving from sidecars to a node-level agent fundamentally changes the data path for traffic flowing within the service mesh. As part of the initial release of ambient mesh, a working implementation of the necessary networking configuration was created. Still, there is room for improvement, especially when considering the exciting Linux kernel technology eBPF. In this session we will explore how traditional Istio networking works, what changes were necessary for ambient mesh, and finally we will dig into how eBPF can be used to further enhance ambient mesh.
10:00am Adapting to Ambient with Gloo Mesh Adopting or adapting to Istio Ambient mesh requires new kinds of decisions, engineering considerations, and procedures that might not be familiar to users of classic Istio with Sidecars. With Gloo Mesh, we aim to provide the same capabilities and APIs you are used to, while managing the practical differences between the Sidecar and Sidecarless worlds under the hood. We will explore how Gloo mesh achieves this goal, and explore a few additional knobs Gloo Mesh provides for fine-tuning ambient to optimize particular use cases.
10:20am Break
10:30am What does ambient mesh mean for your wallet? Istio’s new ambient feature, a sidecar-less operational mode, makes service mesh a first-class citizen of the cloud-native platform. What this means for your services is a friction-less entry into automatically providing zero-trust networking with minimal operational burden to the developer. In this talk, we take a look at resource usage and detail the differences between allocation and utilization and how best to optimize for costs when using ambient.
11:10am Sidecarless service mesh. No local TCP/IP stack. What’s left? Istio ambient mesh and network acceleration make lofty promises to make managing your microservices both easier and cheaper. This talk is an opportunity to deep-dive into the why and how of ambient mesh on EKS and eBPF network acceleration. Attendees will leave with an understanding of how these technologies solve problems you may not have even considered, as well as an in-depth understanding of istiod’s certificate management.
11:30am Data plane resilience, no problem, but what about control plane resilience? Envoy is an incredibly performant cloud native proxy which is quickly becoming one of the most used pieces of software across our industry. Due to Envoy’s popularity, and configurability, quite a few control planes have also been created to dynamically configure Envoy. These include Gloo, Istio, and others. There are now many control planes, but what makes a great control plane. In this talk we’ll examine one specific aspect of configuring Envoy, resilience, meaning it’s ability to tolerate failures.
11:50am Accelerate the Web with Envoy and HTTP3 “TTP/3 is the latest version of the HyperText Transfer Protocol used wildly in the WEB, Unlike its predecessors (HTTP/1 and HTTP/2), HTTP/3 doesn’t use TCP, and relay on a protocol based on top of UDP, which allows a significant improvement in performance and reducing latency, in this talk:

  • We will have an introduction to HTTP
  • We will compare HTTP/3 to HTTP/1 and HTTP/2
  • We explore QUIC, the new protocol based on UDP that HTTP/3 uses
  • We will see how HTTP/3 operates in practice through a demo.

Attendees will get a better understanding of HTTP/3, a fundamental technology that will accelerate the WEB.

12:10pm Lunch
1:10pm Understanding Istio Ambient Mesh Security Istio ambient mesh is a new sidecarless data plane for Istio that brings some desirable operational benefits, but how does it impact security? In this talk, we will dig into the implementation of Istio ambient and understand how we maintain the properties of zero trust and even improve the security posture of the mesh overall.
1:50pm An introduction to SPIRE, SPIFFE, and how they’re used in Istio An introduce to SPIFFE and SPIRE, how they relate to each other, and how they work. We’ll also take a look at the new SPIRE integration within Istio, and how it differs from the default Istio SPIFFE implementation.
2:10pm Access applications anywhere at anytime with virtual mesh A single cluster mesh deployment just doesn’t cut it in most environments today. Enterprises are deploying more Kubernetes clusters than ever before. Applications that used to live in the same cluster may span many and be managed by diferent teams. This talk will show how Istio and Gloo Mesh has evolved along side these environments to extend the same service mesh features you expect from a single cluster deployment to many.
2:50pm Break
3:00pm Leverage Defense In Depth by Using Cilium and Istio Together
3:20pm Exploring Network Security in Cilium Security is a responsibility shared by everyone. Developers and engineers alike should understand how to properly secure their applications and traffic in any environment it may be deployed. This talk will explore how to secure applications with a comprehensive look at how Cilium implements standard and extended security features.
3:40pm Panel Discussion: eBPF and Service Mesh