Catch Me If You Can! Scalable Enforcement of Layer 4 Network Policy at Layer 7 with Cilium and Istio

eBay ranks amongst the most visited e-commerce sites, and efficient L4 load-balancing coupled with a service mesh is key to handling planet-scale traffic. Reusing HTTP connections reduces latency by multiplexing client requests over existing connections between the Istio ingress gateway and server pods. However, this introduces a unique security challenge: client requests that the L4 policy does not allow can bypass policy enforcement because of connection reuse. The alternative of enforcing L4 policies at the gateway does not scale, so a new approach is needed.

In this talk, Sudhi will describe eBay's new high-scale traffic ingress architecture built with the Cilium XDP L4 load balancer and Istio mesh, and show how L4 identities are sent end-to-end over shared connections. Vinay will discuss innovative ways to enforce L4 network policies at L7, address security hurdles such as root access for BPF map lookups, show how to strike a balance between security and low latency, and conclude with a demo.
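The abstract states the gap in one sentence; the following toy model makes it concrete. It is an added example, not code from the talk, eBay, Cilium or Istio. Everything in it is constructed: a single gateway IP, an allowlist of client source IPs per backend standing in for the "L4 policy", and a hypothetical per-request header named `x-orig-src` that the gateway sets to carry the original client identity over a shared upstream connection, standing in for whatever mechanism the talk uses. The point it shows is that a connection-scoped check runs only for the client that dials the connection, so a later client riding the pooled connection is never checked unless its identity travels with each request and is re-checked at L7.

```python
"""Toy model of the connection-reuse policy gap described in the abstract.

Added example, not eBay's, Cilium's or Istio's code. Assumptions (all
constructed): one gateway IP, an allowlist of client IPs per backend as the
"L4 policy", and a hypothetical per-request header x-orig-src that the
gateway sets to carry the client identity over a shared connection.
"""
from dataclasses import dataclass, field
from typing import Dict

GATEWAY_IP = "10.1.1.1"                 # constructed gateway address
ORIG_SRC_HEADER = "x-orig-src"          # hypothetical header name
# Constructed L4 policy: which client source IPs may reach each backend.
L4_POLICY: Dict[str, set] = {"orders": {"10.0.0.5"}}


@dataclass
class Request:
    client_ip: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Connection:
    peer_ip: str        # L4 source the backend sees: the gateway, not the client
    opened_by: str      # client whose request triggered the dial


class Backend:
    """Server pod (or its sidecar). Per-request L7 enforcement is optional."""

    def __init__(self, name: str, enforce_l7: bool):
        self.name = name
        self.enforce_l7 = enforce_l7

    def handle(self, req: Request, conn: Connection) -> str:
        # At L4 the backend only sees the gateway's address, which says
        # nothing about the original client once the connection is shared.
        assert conn.peer_ip == GATEWAY_IP
        if self.enforce_l7:
            src = req.headers.get(ORIG_SRC_HEADER)
            if src is None or src not in L4_POLICY[self.name]:
                return "denied@l7"
        return "200"


class Gateway:
    """Ingress gateway with one pooled upstream connection per backend."""

    def __init__(self, propagate_identity: bool):
        self.propagate_identity = propagate_identity
        self.pool: Dict[str, Connection] = {}

    def forward(self, req: Request, backend: Backend) -> str:
        conn = self.pool.get(backend.name)
        if conn is None:
            # Connection-scoped (L4) check: runs only when a new upstream
            # connection is dialed, i.e. for the first client.
            if req.client_ip not in L4_POLICY[backend.name]:
                return "denied@gateway"
            conn = Connection(peer_ip=GATEWAY_IP, opened_by=req.client_ip)
            self.pool[backend.name] = conn
        # Never trust a client-supplied identity header: drop it, then set
        # it from the observed L4 source if propagation is enabled.
        req.headers.pop(ORIG_SRC_HEADER, None)
        if self.propagate_identity:
            req.headers[ORIG_SRC_HEADER] = req.client_ip
        return backend.handle(req, conn)


def run(enforce_l7: bool) -> list:
    """Allowed client opens the connection, then a disallowed client rides it."""
    gw = Gateway(propagate_identity=enforce_l7)
    orders = Backend("orders", enforce_l7=enforce_l7)
    allowed = Request("10.0.0.5", "/orders/1")
    # The disallowed client also tries to supply the identity header itself.
    blocked = Request("10.0.0.9", "/orders/2", {ORIG_SRC_HEADER: "10.0.0.5"})
    return [gw.forward(allowed, orders), gw.forward(blocked, orders)]


def run_cold_pool() -> str:
    """With no pooled connection the L4 check at the gateway still fires."""
    gw = Gateway(propagate_identity=False)
    return gw.forward(Request("10.0.0.9", "/orders/2"), Backend("orders", False))


if __name__ == "__main__":
    print("connection-scoped only:", run(enforce_l7=False))  # ['200', '200']
    print("identity per request:  ", run(enforce_l7=True))   # ['200', 'denied@l7']
    print("cold pool:             ", run_cold_pool())        # denied@gateway
```

Two details in the model matter for a real deployment: the identity header must be set by a trusted hop and any client-supplied copy discarded before it is set (the gateway does this with `pop`), and the per-request check has to live at the receiving side (server pod or sidecar), since that is the only place the shared connection is demultiplexed back into individual requests.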

Sudheendra Murthy

Cloud Infrastructure @ eBay

San Francisco, California, United States
