If there are two clouds, both running Consul and Envoy proxies as sidecars to services that need to talk to each other, what is the typical pattern for ensuring that the endpoints in each cloud are able to securely talk to each other? Articles like the following seem to suggest that SDFs/SDNs are discouraged (IP whitelisting etc.), which seems sensible, as it results in coupling what are two isolated services that need to talk (https://www.hashicorp.com/resources/how-zero-trust-networking/).
Between the two Envoy sidecars there are endpoints that require mutual authentication, which is great, but for those endpoints to be accessible, they either need to be talking via a VPN gateway (thus having to know the IP address, defeating the point of service discovery?), using something like Direct Connect (AWS), or talking over public IP addresses.
Without whitelisting, and thus coupling services, public IP addresses are open to attack. Is the approach to rely on AWS Shield or other cloud vendors' built-in denial-of-service protection? It feels like this could quickly expose a mechanism for an attacker to rack up huge denial-of-service protection bills, or the ability to reduce availability.
Does the mesh gateway play a part here?