Istio With a Single Control Plane
Shared (single) control planes suit multicloud environments whose clusters are connected over a VPN or transit gateway and use flat, non-overlapping IP ranges. Each remote Kubernetes cluster is attached to the central control plane by installing an Istio remote that points at the primary cluster's Pilot, policy and telemetry (Mixer) pods. Once connected, every Envoy sidecar talks to the single control plane, the sidecars form one mesh across the clusters, and cross-cluster traffic passes through the Istio ingress gateways. The remote installation is rendered with the addresses of the primary's control-plane pods. Note that these are pod IPs rather than stable service addresses: they must be reachable from the remote cluster over the VPN, and the remote values must be re-rendered and re-applied if a control-plane pod is rescheduled and receives a new IP.
global.remotePilotAddress=${PILOT_POD_IP}
global.remotePolicyAddress=${POLICY_POD_IP}
global.remoteTelemetryAddress=${TELEMETRY_POD_IP}
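The pre-flight check a practitioner would run before committing to the shared control plane, as an added example (not the article's own code and not part of the Istio project): it verifies the two preconditions named above, VPN reachability and non-overlapping pod/service ranges, falls back to the replicated model otherwise, and renders the three remote values with a sanity check that each address really lies inside the primary cluster's pod range. The cluster inventory and control-plane pod IPs are constructed; the Helm chart path, values file and `kubectl` label selector in the comments are those of the Istio 1.x documentation and are assumptions to verify for your release.

```python
"""Pre-flight check for the Istio shared (single) control plane topology.

Added example for this article; not the article's own code and not part of
the Istio project. It assumes the Istio 1.x Helm values named in the text
(global.remotePilotAddress / remotePolicyAddress / remoteTelemetryAddress)
and works on a constructed cluster inventory rather than live kubectl output.
"""
import ipaddress
from itertools import combinations

# Constructed inventory. In practice pod/service CIDRs come from the cluster
# provisioner and the control-plane pod IPs from the primary cluster, e.g.
#   kubectl -n istio-system get pod -l istio=pilot -o jsonpath='{.items[0].status.podIP}'
# (label selector as used by the Istio 1.x multicluster docs; verify for your release).
CLUSTERS = {
    "cluster-a": {"pod_cidr": "10.10.0.0/16", "svc_cidr": "10.11.0.0/16", "vpn": True},
    "cluster-b": {"pod_cidr": "10.20.0.0/16", "svc_cidr": "10.21.0.0/16", "vpn": True},
}
PRIMARY = "cluster-a"
CONTROL_PLANE_IPS = {  # pod IPs observed on the primary (constructed values)
    "global.remotePilotAddress": "10.10.1.5",
    "global.remotePolicyAddress": "10.10.1.6",
    "global.remoteTelemetryAddress": "10.10.1.7",
}
# Chart path and remote values file as shipped with Istio 1.x (assumed; adjust per release).
CHART_PATH = "install/kubernetes/helm/istio"
REMOTE_VALUES_FILE = "install/kubernetes/helm/istio/values-istio-remote.yaml"


def overlapping_ranges(clusters):
    """Every pair of pod/service CIDRs that overlap, as (clusterA, clusterB, netA, netB).

    A shared control plane needs a flat address space: Pilot hands remote sidecars
    endpoint IPs from every cluster, so two clusters reusing a range would make
    those endpoints ambiguous.
    """
    nets = [(name, ipaddress.ip_network(c[key]))
            for name, c in clusters.items() for key in ("pod_cidr", "svc_cidr")]
    return [(a, b, str(na), str(nb))
            for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def choose_topology(clusters):
    """'shared' (one control plane) only when every cluster is reachable over the
    VPN/transit network and no ranges overlap; otherwise 'replicated'."""
    if not all(c["vpn"] for c in clusters.values()) or overlapping_ranges(clusters):
        return "replicated"
    return "shared"


def misplaced_addresses(values, primary_pod_cidr):
    """Keys whose address is not a pod IP of the primary cluster.

    The remote values are raw pod IPs, so a typo or an address copied from the
    wrong cluster would point every remote sidecar at a bogus xDS/Mixer endpoint.
    """
    net = ipaddress.ip_network(primary_pod_cidr)
    return [k for k, ip in values.items() if ipaddress.ip_address(ip) not in net]


def remote_helm_args(values, primary_pod_cidr):
    """Render the --set flags for the remote install, refusing bad addresses."""
    bad = misplaced_addresses(values, primary_pod_cidr)
    if bad:
        raise ValueError(f"not inside primary pod CIDR {primary_pod_cidr}: {bad}")
    return " ".join(f"--set {k}={v}" for k, v in values.items())


def remote_install_command(clusters, primary, values):
    """The helm template invocation for a remote cluster, or None when the
    shared topology is not viable for this inventory."""
    if choose_topology(clusters) != "shared":
        return None
    args = remote_helm_args(values, clusters[primary]["pod_cidr"])
    return (f"helm template {CHART_PATH} --name istio-remote --namespace istio-system "
            f"--values {REMOTE_VALUES_FILE} {args}")


if __name__ == "__main__":
    clashes = overlapping_ranges(CLUSTERS)
    print("topology:", choose_topology(CLUSTERS), "| overlaps:", clashes or "none")
    cmd = remote_install_command(CLUSTERS, PRIMARY, CONTROL_PLANE_IPS)
    print(cmd or "use the replicated control plane model instead")
```

Run it against your own inventory before rendering the remote chart; a non-empty overlap list or a cluster without VPN reachability means the replicated control plane model is the right design, not a networking fix to force the shared one.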
[Figure: Istio with a single control plane. Cluster A runs the Kubernetes API and the Istio controller (Pilot, Mixer, Citadel), with Service A.1 and Service B.1 behind an Istio gateway; Cluster B runs the Kubernetes API and an Istio remote, with Service A.2 and Service B.2 behind its own Istio gateway. The clusters are joined by a VPN connection, gateway-to-gateway traffic uses mTLS, and the mesh shares a common Root CA.]
Istio With Multiple Control Planes
For multicloud networks without VPN connectivity, or with overlapping IP ranges, Istio replicated control planes connect services across the clusters. Instead of one shared Istio control plane managing the whole mesh, each cluster runs its own Istio control plane installation, which manages only that cluster's endpoints. The IP address of the Istio ingress gateway service in each cluster must be accessible from
68 | THE DOPPLER | FALL 2019