
Follow the instructor's cloud software engineering journey from a computing science degree to roles across Java, C++, Python, and Terraform, then implementing Kubernetes, OpenShift, and Istio service mesh in EKS.
Understand how a service mesh uses Envoy sidecars and gateway patterns to connect, secure, and manage traffic between pods, with mutual TLS by default and SSL termination.
Consolidating Pilot, Citadel, and the policy components into a single Istiod control plane after v1.5 leads to a monolithic design that simplifies installation and maintenance.
Learn how Istio enables traffic management with gateways, virtual services, and advanced routing. Secure the service mesh with mutual TLS and JWT-based auth, and observe latency and topology via Kiali.
Create an AWS account, sign in to the console, add an IAM user with programmatic access and a custom password, then generate and securely store access key and secret key.
Install and configure the aws, aws-iam-authenticator, kubectl, and eksctl CLIs using Homebrew on macOS or Chocolatey on Windows, then verify installations and set up access keys and region.
Create an AWS EKS cluster with eksctl, set the region and t3.medium workers, configure desired one, min one, max two nodes, enable SSH access, and verify with aws eks describe-cluster.
Install the istioctl CLI by downloading version 1.6.7, set and export the PATH, and update the bash profile; reopen a new terminal to load the changes and verify that Istio is installed.
Deploy pods and services on the EKS cluster, expose them via a public load balancer (AWS ELB), and verify a front-end guestbook app with a Redis master/slave setup.
Install Nginx ingress controller using a Helm chart, create a namespace, add the stable Helm repo, update charts, install, verify pods and services, and compare with an ingress gateway setup.
Create an ingress resource YAML to enable layer 7 load balancing by host and path for the guestbook service, then apply it with kubectl and use the ingress DNS name to access it.
Change the guestbook service from a LoadBalancer to a NodePort, remove extraneous metadata, and apply a streamlined YAML to delete the old load balancer and restore access.
Explore how an Istio gateway replaces ingress controllers to expose services at the mesh edge, using a standalone Envoy proxy, virtual service configurations, and edge TLS settings.
Explore gateway YAML anatomy by analyzing gateway definitions, ports, protocols, hosts, and how a virtual service binds to a gateway to route traffic in Istio on AWS EKS.
Learn how a virtual service defines routing rules, hosts, and gateways to expose services. See how Envoy routes traffic to destination services and enables canary releases and timeouts.
Explore virtual service YAML anatomy, including hosts, destinations, and HTTP routing with condition matching, and learn how global versus route-specific rules, canary deployments, and FQDN naming influence traffic.
Deploy Istio gateway and virtual service to route traffic to the guestbook service, replacing the ingress, configure path prefixes and service name or FQDN, and validate with DNS and curl.
Uninstall the Nginx ingress controller with Helm, remove its namespace, and clean up remaining ingress resources to ensure the cluster no longer exposes the previous ingress gateway.
Learn to implement weight-based routing (canary/traffic splitting) with destination rules and virtual services in Istio, defining subsets (v1, v2) and weights, and verify with the dashboard and traces.
Use identity-based routing with a virtual service to route end-user tester traffic to reviews v1 and then to BE1, via header match conditions and a preconfigured YAML file.
Configure the Istio virtual service to route traffic by query string parameters and headers, defining match conditions to direct requests to specific subsets.
Configure URI path-based routing with a virtual service to direct product page requests to product page v2 or reviews v2 using exact, prefix, or regex matches, with case-insensitive matching.
Inject a 10-second latency delay using a virtual service to test resilience with 100 percent of traffic, affecting the product page, reviews, and ratings flow.
Configure timeouts with a virtual service to cap delays at one second while a ten-second delay exists, revealing per-service timeout precedence and the impact of retries on responses.
Demonstrate mirroring live traffic with a virtual service in Istio, routing 100 percent to the primary reviews version while mirroring to a canary version, with header augmentation for traceability.
Configure load balancing policies for pods with destination rules and traffic policies, including round-robin, least connections, and random, at global and subset levels.
Configure rate limiting by adjusting configuration collection settings in the situation room to cap HTTP and TCP connections to the news service, with a 30 ms timeout.
Configure circuit breaker in Istio by enabling outlier detection to eject unhealthy upstream hosts after consecutive errors for an interval, and test with Fortio to observe traffic disruption.
Learn to enable HTTPS for multiple domains on a single Istio gateway with SNI, by issuing certificates, creating secrets, and configuring the gateway and virtual service to serve multiple hosts.
Enable strict mutual TLS for the default namespace, disable the global authentication config, and verify that plaintext requests are blocked in that namespace while other namespaces remain unaffected.
Enable strict mutual TLS for a specific workload in a namespace by configuring namespace-scoped peer authentication and a destination rule for outgoing requests, blocking plaintext while allowing TLS for the targeted host.
Enable HTTP redirect to HTTPS in the gateway by configuring port 80 to forward to 443, then test the redirect and verify secure headers and the certificate handshake.
Enable end-user authentication and authorization with JSON Web Tokens across the gateway by creating a request authentication policy and an authorization policy, then test access with valid and invalid tokens.
Enable end-user authentication with JWT for a specific HTTP path by applying namespace-scoped authorization policies, testing access to /heroes and /headers, and balancing global versus default namespace rules.
Enable end-user authentication with JWT per HTTP path and host by applying authorization policy rules that require a valid JWT token and deny requests without one.
Enable JWT authorization with HTTP header attributes in the Istio service mesh, using x-token headers to gate endpoints and test admin versus non-admin access in AWS EKS environments.
Block requests from a specific source IP by creating an explicit deny authorization policy in Istio, retrieving the client IP, applying the policy, and testing the denial.
Explore Istio egress security by comparing three modes—default pass-through, service entries for controlled external DNS access, and direct bypass for specific ranges—focusing on monitoring and traffic control.
Set a custom timeout for external egress calls using Istio service entries and virtual services, demonstrating a three-second limit that can cause a gateway timeout for delayed external responses.
To summarize this course in one sentence:
Learn Istio Service Mesh in Kubernetes (demo is done using AWS EKS) using hands-on concepts and labs (e.g. Gateway, Virtual Service, Destination Rule, Canary Rollout, Load Balancing Rules, Mirror Live Traffic, Fault Injection, Circuit Breaker, JWT Authentication and Authorization, TLS Origination, Kiali Dashboard, etc).
☆Please check preview videos to see if this course is really for you☆
Are you one of the below?
You want to learn how to secure K8s in-cluster network with Istio Service Mesh
You feel overwhelmed and don't know where to start with Istio Service Mesh in Kubernetes
You used the Nginx Ingress Controller but want to use a production-ready Ingress Controller
You used AWS ALB Ingress Controller but its limitation with ingress YAML pushed you away from using it
You want to learn service mesh so that you can control in-cluster traffic to microservice applications
You want to authenticate and authorize end users using JWT using Istio
You want to be able to configure SSL for AWS ELB using Istio Ingress Gateway Service YAML
You want to learn how to monitor microservice app's distributed request tracing using Kiali and Jaeger dashboards
Who should take this course
you have learned Kubernetes fundamentals (pod, service, deployment, ingress, configmap, role, etc)
you don't know how to go about learning Istio Service mesh in Kubernetes
you have development experience in Kubernetes YAML resources
you want to learn about production-level in-cluster security such as mutual TLS using Istio Service Mesh in Kubernetes
you want to learn the ins and outs of Istio Service Mesh features (traffic control, security, observability) from a cloud DevOps engineer working at a US company in SF
Who should NOT take this course
you already know a lot about Istio Service Mesh in Kubernetes
you are not planning on using Kubernetes
you are not planning on working on security in a Kubernetes cluster
you have never used Kubernetes before
In this course, you will learn various aspects of Istio Service Mesh in Kubernetes such as:
how to control Ingress Traffic using Gateway, VirtualService, DestinationRules
how to configure SSL Termination at AWS ELB created by Istio ingress gateway using k8s service YAML
how to configure canary rollouts/weight-based routing/traffic splitting using Virtual Service and Destination Rule
how to configure identity/header based routing
how to configure and test failure recovery features (injecting delay and abort, setting retries and timeout)
how to configure and test mirroring live traffic to different versions of app workloads
how to configure and test rate limiting and circuit breaker
how to verify default "permissive mode" of mutual TLS in service mesh, and how to enable STRICT mode of mutual TLS
how to set up end user authentication and authorization with JWT using Request Authentication and Authorization Policy
how to control egress traffic using Service Entry and Virtual Service
how to enable TLS Origination for egress traffic using Destination Rule
how to use Kiali dashboard to visualize mesh topology, logs, metrics, and YAML validation
5 Reasons why you should take this course:
1. Instructed by a cloud DevOps engineer (with CKA and certified AWS DevOps Pro) working at a US company in SF
I have been pretty hands-on with Istio Service Mesh, Kubernetes, AWS, and AWS EKS, with 6.5+ years of industry experience in both North America and Europe.
2. Abstract Istio Concepts Explained with Diagrams
Istio is pretty complex, and its operational complexities are pretty high. That means the learning curve is also steep.
Especially with Istio, its documentation page offers LITTLE to NO diagrams explaining relationships between `Gateway`, `Virtual Service`, `Destination Rule`, `Service Entry`, etc.
So I created a whole bunch of diagrams from high level architectures to low level YAML resources for Istio features such as canary rollout/traffic splitting, JWT Authentication and Authorization, and much more. You will have the most VISUAL-oriented learning experience you can EVER find on the Internet for Istio.
3. Updated Knowledge about Istio Service Mesh v1.6~ in 2020
Some of the Istio architecture and components found in older material are outdated. I will demonstrate the 2020-updated versions of resources and concepts.
4. Tons of hands-on!
I won't bore you with dry lectures. Instead, every concept is paired with a hands-on demo.
5. Entire course under FIVE HOURS
I tried to make this course compact and concise so students can learn the concepts and hands-on skills in a shorter amount of time, because I know the life of a software engineer is already pretty busy :)
My background & Education & Career experience
Cloud DevOps Software Engineer with 6.5+ years of experience
Bachelor of Science in Computing Science from a Canadian university
Knows Java, C#, C++, Bash, Python, JavaScript, Terraform, and IaC
Expert in AWS (holds AWS DevOps Professional certification) and Kubernetes (holds Certified Kubernetes Administrator, CKA)
I will see you inside!