First, setup kuma locally. The easiest way is to use the installer (through curl -L https://kuma.io/installer.sh | VERSION=2.0.2 sh -
)
3 AKS Clusters are required. "aks1" will host the global control plane. "aks2" and "aks3" are both seperate zones hosting workloads.
For the Global Control plane you can use: kumactl install control-plane --mode=global | kubectl apply -f -
Next, determind the Kuma LB IP Address of your Global Kuma Control Plan:
kubectl get service --namespace kuma-system
Then, for aks2 and aks3, run (update the IP accordingly): kumactl install control-plane \ --mode=zone \ --zone=aksx \ --ingress-enabled \ --egress-enabled \ --kds-global-address grpcs://192.168.0.1:5685 | kubectl apply -f
After deployment, add the following Annotation to the service definition
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
Now, deploy service-1 to aks1, service-2 to aks2, and service-3 to aks3 using kubectl.
Next, ensure you have mTLS enabled: kubectl apply -f mtls.yml
And allow all communication using kubectl apply -f allowall.yml
Next, you can test the cross-zone communication, using for instance:
Running on "aks3":
$ curl service-2_service2_svc_80.mesh:80
Running on "aks2":
$ curl service-3_service3_svc_80.mesh:80
To restrict the traffic (e.g. only allow traffic from service2 to service3), you can try out the following trafficpermission (make sure to delete "allowall" beforehand): kubectl apply -f single-direction.yml
Once implemented, requests will only be successful from service-2 pod to service-3 service.