Multi cloud DDoS concern with public IP address

If there are two clouds, both running Consul and Envoy proxies as sidecars to services that need to talk to each other, what is the typical pattern for ensuring that the endpoints in each cloud are able to securely talk to each other? Articles like the following seem to suggest that SDFs/SDNs are discouraged (IP whitelisting etc.), which seems sensible, as it results in coupling what are two isolated services that need to talk (https://www.hashicorp.com/resources/how-zero-trust-networking/).

Between the two Envoy sidecars, there are endpoints that require mutual authentication, which is great, but for those endpoints to be accessible, they either need to be talking via a VPN gateway (thus having to know the IP address, defeating the point of service discovery?), using something like Direct Connect (AWS), or talking over public IP addresses.

Without whitelisting, and thus coupling services, public IP addresses are open to attack. Is the approach to rely on AWS Shield or other cloud vendors' built-in denial-of-service protection? It feels like this could quickly expose a mechanism for an attacker to rack up huge denial-of-service protection bills, or to reduce availability.

Does the mesh gateway play a part here?

Hi @balancerofthings,

Mesh Gateways were designed to solve the exact connectivity challenges you described. Mesh Gateways are the only proxies which need to be exposed on the public Internet. All inter-DC service-to-service communication will flow across a single IP & port pair between gateways.

Gateways can be horizontally scaled to support higher network throughput, or high availability. See the Scaling Mesh Gateways thread for a recent conversation on this.

Consul 1.8 (currently in beta) further simplifies inter-DC communication by also forwarding the WAN federation traffic between Consul servers across the gateways. See the following links for the announcement of this feature, and instructions on deploying gateways in Kubernetes (other platforms are also supported).

Let me know if you have any additional questions.

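As an added illustration of the answer above (example configuration written for this thread, not HashiCorp's own), these are the Consul pieces that put the pattern in place: the gateway service definition, the proxy-defaults entry that steers cross-DC traffic through it, and the 1.8 server setting that moves WAN federation onto the gateways. Datacenter names, ports and addresses are placeholders chosen for the example.

```hcl
# --- mesh-gateway.hcl: service definition for the gateway in dc1 ---
# Registered with `consul services register mesh-gateway.hcl`, then run with
# `consul connect envoy -gateway=mesh -service mesh-gateway`.
# Only the WAN address below is reachable from the other cloud; the sidecars
# keep their private addresses. All addresses here are placeholders.
service {
  kind    = "mesh-gateway"
  name    = "mesh-gateway"
  port    = 8443
  address = "10.0.0.5"          # private LAN address inside dc1
  tagged_addresses {
    lan { address = "10.0.0.5",     port = 8443 }
    wan { address = "203.0.113.10", port = 8443 }  # the single exposed IP:port
  }
}

# --- proxy-defaults.hcl: applied with `consul config write proxy-defaults.hcl` ---
# Mode "local" makes every sidecar send cross-DC traffic to its own DC's gateway,
# so sidecars never need a route to (or a whitelist entry for) the remote cloud.
# The gateway forwards on the TLS SNI and does not terminate the connection:
# mTLS still runs end to end between the two sidecars, so the gateway cannot
# read or alter service traffic even though it sits on a public address.
Kind = "proxy-defaults"
Name = "global"
MeshGateway {
  Mode = "local"
}

# --- server.hcl fragment for a dc2 server (Consul 1.8+) ---
# With enable_mesh_gateway_wan_federation set, server-to-server traffic between
# dc1 and dc2 also rides the gateways, so the Consul servers need no public
# address either. The gateway in each DC must then be started with
# `-expose-servers`, and secondary DCs reach the primary via primary_gateways.
datacenter         = "dc2"
primary_datacenter = "dc1"
primary_gateways   = ["203.0.113.10:8443"]
connect {
  enabled                            = true
  enable_mesh_gateway_wan_federation = true
}
```

The exposed surface is then one IP and port per DC running Envoy with SNI routing, which is where rate limiting and upstream DDoS protection would be applied, rather than on every service endpoint.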