Istio Mesh Engineer

Role: Istio Mesh Engineer 
Location: Dallas, TX /Remote

Job Description:

·       Design, deploy, and operate Istio service mesh on AKS (ingress/egress gateways, traffic shifting, retries/timeouts, circuit breaking).

·       Enforce zero-trust service-to-service security with MTLS, Authorization Policy, PeerAuthentication, and RequestAuthentication.

·       Drive kubenet → Azure CNI transition (including Azure CNI Overlay), with IP planning, subnetting, IPAM, and routing/NSG alignment.

·       Implement and validate Kubernetes Network Policies (Cilium/Calico) to restrict east-west traffic and control egress.

·       Kubernetes/Platform, strong Istio (prod ops), Gateway API migrations, and aware of Azure networking (VNets, UDR, NSG, NAT, Private Link).

·       Establish compliant egress architectures (NAT Gateway, Istio egress gateway, Private Link) and DNS patterns (CoreDNS + Private DNS Zones).

·       Build GitOps workflows (Argo CD/Flux) for mesh, Gateway API, and policy manifests; manage lifecycle via Helm/Kustomize.

·       Define lac with Terraform/Bicep for AKS, networking, identity, and Key Vault; integrate with Azure DevOps/GitHub Actions pipelines.

·       Configure PKI/certificates for mesh (Istio CA, cert-manager with Azure Key Vault), TLS termination, and automated rotation.

·       Stand up observability: PrometheGrafana, OpenTelemetry/Jaeger, Azure Monitor/Log Analytics; publish SLOs, alerts, and runbooks.

·       Gatekeeper/Kyverno), and DR drills. Perform security hardening (CIS benchmarks), policy enforcement (OPA

·       Partner with app teams to refactor ingress to Gateway/HTTPRoute, implement canary/blue-green (Argo Rollouts/Flagger), and document patterns.

·       Tooling & languages: YAML/bash plus Go or Python; hands-on with Azure AD/Entra, Azure Workload Identity, Key Vault, and eBPF/Cilium.

Roles & Responsibilities

·       Design, deploy, and operate Istio service mesh on AKS (ingress/egress gateways, traffic shifting, retries/timeouts, circuit breaking).

·       Enforce zero-trust service-to-service security with MTLS, Authorization zationPolicy. Policy, Peer Authentication, and Request Authentication.

·       Drive kubenet → Azure CNI transition (including Azure CNI Overlay), with IP planning, subnetting, IPAM, and routing/NSG alignment.

·       Implement and validate Kubernetes Network Policies (Cilium/Calico) to restrict east-west traffic and control egress.

·       Establish compliant egress architectures (NAT Gateway, Istio egress gateway, Private Link) and DNS patterns (CoreDNS + Private DNS Zones).

·       Build GitOps workflows (Argo CD/Flux) for mesh, Gateway API, and policy manifests; manage lifecycle via Helm/Kustomize.

·       Define lac with Terraform/Bicep for AKS, networking, identity, and Key Vault; integrate with Azure DevOps/GitHub Actions pipelines.

·       Configure PKI/certificates for mesh (Istio CA, cert-manager with Azure Key Vault), TLS termination, and automated rotation.

·       Stand up observability: PrometheGrafana, OpenTelemetry/Jaeger, Azure Monitor/Log Analytics; publish SLOs, alerts, and runbooks.

·       Perform security hardening (CIS benchmarks), policy enforcement (OPA Gatekeeper/Kyverno), and DR drills.

·       Partner with app teams to refactor ingress to Gateway/HTTPRoute, implement canary/blue-green (Argo Rollouts/Flagger), and document patterns.

·       Tooling & languages: YAML/bash plus Go or Python; hands-on with Azure AD/Entra, Azure Workload Identity, Key Vault, and eBPF/Cilium.