Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
322 lines (231 sloc) 13.9 KB

Using Istio Across Private and Public Clusters

In this Code Pattern, we will create a hybrid cloud by connecting services between IBM Cloud Private (ICP) and IBM Cloud Kubernetes Service (IKS) Kubernetes clusters using Istio. We assume that the ICP is not accessible from outside of the organization network but can still access the IKS cluster. Therefore allows us to setup a bi-directional communication between services running on ICP and IKS through a VPN tunnel initiated by the ICP cluster.

When you complete this Code Pattern, you will understand how to:

  • Connect a private and a public cloud using a VPN tunnel
  • Distribute micro-services between the private and public clusters yet maintain bi-directional connectivity
  • Use Istio to conduct the multi-cluster traffic routing

While the example application used by this Code Pattern requires an IBM Cloud for its Watson Tone Analyzer, the pattern presented here can be used to integrate most of the private and public cluster.

We will deploy Istio on each cluster so that the communication between services will be routed according to the location of the service. When calling a remote service, Istio will route the traffic from the local calling service to the local egress, from there to the ingress of the remote cluster and eventually the remote destination service.

In this Code Pattern we took IBM's Guestbook v2 example application and configured our Multi-Cluster so that the Guestbook and Redis micro-services are running on an IKS cluster and the Analyzer service is running on the ICP cluster. This demonstrates communication between the clusters as Guestbook is calling the remote Analyzer service while Analyzer itself is calling the Watson Tone Analyzer service from the IBM Cloud.


  1. Users of the Guestbook app use their browser to access the Guestbook web page served by the guestbook service from the public cloud.
  2. Upon submission of a guest comment, the guestbook service needs to enrich it with an emoticon base on the submitted text tone. The guestbook service calls the analyzer service with the submitted text for the tone analysis. The guestbook service calls the analyzer service as if it was a local service. I.e. the service/app hasn't been modified to support remote services.
  3. analyzer service is running on the remote private cloud therefore call is routed by Istio through the VPN tunnel into the Ingress gateway of the private cloud.
  4. analyzer service calls the Watson Tone Analyzer service with the received text payload and get back the tone analysis result from the public service.
  5. Once response from analyzer service has arrived the guestbook adds the matching emoticon to the submitted text in the web page.

Included components

  • Kubernetes Cluster: Create and manage your own cloud infrastructure and use Kubernetes as your container orchestration engine.
  • Istio: An open platform to connect, manage, and secure micro-services.

Featured technologies

  • Containers: Virtual software objects that include all the elements that an app needs to run.
  • Hybrid Integration: Enabling customers to draw on the capabilities of public cloud service providers while using private cloud deployment for sensitive applications and data.
  • Micro-services: Collection of fine-grained, loosely coupled services using a lightweight protocol to provide building blocks in modern application composition in the cloud.


  1. Clone the repo
  2. Setup strongSwan VPN
    1. Install strongSwan on IKS
    2. Install strongSwan on ICP
  3. Setup Kubeconfig
  4. Setup Watson Tone Analyzer with IBM Cloud
  5. Download Istio
  6. Configure
  7. Install
  8. Verify

1. Clone the repo

Clone the istio-hybrid locally. In a terminal, run:

$ git clone

2. Setup strongSwan VPN

strongSwan is used to setup a IPSec VPN tunnel between clusters and share subnets of Kubernetes Pods and Services to remote clusters. As such, the deployment has two parts where in one the strongSwan is deployed on the public cluster as a VPN "server" and the other part installing the strongSwan as a "client" on the private cluster. Because the private cluster can access the public one but not vice versa, the "client" is the one that initiates the VPN tunnel.

If you require faster error recovery, higher security level or a more elaborate high availability solution than strongSwan, consider using a VPN solution that runs outside of the cluster on dedicated hardware or one of the IBM Cloud Direct Link service options.

Instructions below connects an ICP cluster that has no public access to an IKS cluster.

Install strongSwan on IKS

  1. Set up Helm in IBM Cloud Kubernetes Service by following these instructions.

  2. Install strongSwan to public IKS Cluster using Helm chart. Example configuration parameters (from config.yaml) for the strongSwan Helm release on an IKS (the rest as default):

    • add
    • remote.subnet:
  3. Execute:

    $ kubectl get svc vpn-strongswan

    And write down the External IP of the service as you will need it when installing on ICP.

Install strongSwan on ICP

  1. Complete the strongSwan IPSec VPN workarounds for ICP.

  2. Install the strongSwan from the Catalog in the management console.
    Example configuration parameters for the strongSwan Helm release on an ICP:

    • Chart name: vpn
    • Namespace: default
    • Operation at startup: start
    • Local subnets:
    • Local id: on-prem
    • Remote gateway: Public IP of IKS VPN service that you wrote down earlier
    • Remote subnets:,
    • Remote id: ibm-cloud
    • Privileged authority for VPN pod: checked
  3. Verify that ICP connected to IKS by running the following against the IKS:

    $ export STRONGSWAN_POD=$(kubectl get pod -l app=strongswan,release=vpn -o jsonpath='{ .items[0] }')
    $ kubectl exec $STRONGSWAN_POD -- ipsec status

    If configured correctly the output of the command will list one established connection:

    Security Associations (1 up, 0 connecting):
    k8s-conn[10]: ESTABLISHED 65 minutes ago,[ibm-cloud]...[on-prem]
    k8s-conn{34}:  INSTALLED, TUNNEL, reqid 9, ESP in UDP SPIs: c46d5d8d_i c688564f_o
    k8s-conn{34}: ===

3. Setup Kubeconfig

Make sure the two target clusters are available as contexts in the Kubeconfig path:

$ export KUBECONFIG=[location_of_kubeconfig_for_IKS_context]:[location_of_kubeconfig_for_ICP_context]
$ kubectl config get-contexts

The kubeconfig context name for each one of the clusters will be used as configuration parameters to the installation scripts.

You can test that both clusters are accessible with the context name by executing the command:

$ kubectl get nodes --context=<cluster_IKS_context>
$ kubectl get nodes --context=<cluster_ICP_context>

4. Setup Watson Tone Analyzer with IBM Cloud

Watson Tone Analyzer detects the tone from the words that users enter into the Guestbook app. The tone is converted to the corresponding emoticons.

  1. Use bx target --cf or bx target -o ORG -s SPACE to set the Cloud Foundry org and space where you want to provision the service.

  2. Create Watson Tone Analyzer in your account.

    $ ibmcloud service create tone_analyzer lite my-tone-analyzer-service
  3. Create a service key for the service.

    $ ibmcloud service key-create my-tone-analyzer-service myKey
  4. Show the service key that you created and note the password and username.

    $ ibmcloud service key-show my-tone-analyzer-service myKey

Save the username and password for your file in the next step.

5. Download Istio

Download Istio v1.0.0 for your platform and extract to your location of choice.

6. Configure

Edit the file with the necessary settings:

# Cluster A Kubeconfig context

# Cluster B Kubeconfig context

# Watson Tone Analyzer service credentials

# Istio v1.0.0 folder path

7. Install

Execute the installation script:

$ ./

The script will pause after installing Istio v1.0.0 on both clusters and wait for you to press any key. Before continuing, make sure all Istio pods are running on both clusters:

$ kubectl get pods -n istio-system --context=<cluster_IKS_context>
$ kubectl get pods -n istio-system --context=<cluster_ICP_context>

The script continues and the Guestbook web page URL will be printed at the end. You can open this URL in your browser.

8. Verify

If the integration between the two clusters has been established you should see the Tone Analyzer service response added in the form of text emoticons to the Guestbook history.

  1. Launch the Guestbook web page by opening in your browser the URL printed at the end of the installation
  2. Type in the Guestbook text field a sentence (e.g. I just love this app) and hit the submit button
  3. The history text at the top should show the sentence you entered along with a text emoticon based on the result from the Analyzer service.

Sample result:


Steps below will uninstall the demo app, Istio and it's cross-cluster configuration and strongSwan.

  1. Uninstall the Guestbook demo app and Istio:
    $ ./
  2. Uninstall strongSwan from ICP by logging into the ICP Management Console and then navigate to MenuWorkloadsHelm Releases. Look for vpn and from the Action menu choose Delete
  3. Uninstall strongSwan from IKS by executing:
    $ helm delete --purge vpn


  • Error: the server doesn't have a resource type "nodes"

    If you get this kind of error on any kubectl get with the ICP context then your session is probably expired. Log into the ICP management console and from the user menu choose Configure Client to reconfigure your Kubeconfig with a valid context.

  • Error from server (NotFound): error when deleting ... not found

    If you get these errors when running the then you can ignore those as the resources have been already deleted when removing the Istio namespace earlier in the script.


Learn more

  • With Watson: Want to take your Watson app to the next level? Looking to utilize Watson Brand assets? Join the With Watson program to leverage exclusive brand, marketing, and tech resources to amplify and accelerate your Watson embedded commercial solution.
  • Kubernetes on IBM Cloud: Deliver your apps with the combined the power of Kubernetes and Docker on IBM Cloud


The concepts of Istio Multi-Cluster used in this repo are based on works done by the Istio community.
Specifically two similar public proof of concepts done separately by Shriram Rajagopalan and Zack Butcher.


This code pattern is licensed under the Apache Software License, Version 2. Separate third party code objects invoked within this code pattern are licensed by their respective providers pursuant to their own separate licenses. Contributions are subject to the Developer Certificate of Origin, Version 1.1 (DCO) and the Apache Software License, Version 2.

Apache Software License (ASL) FAQ

You can’t perform that action at this time.