Hey everyone. I've been segmenting my agent networks more aggressively lately, and the egress control question keeps coming up. For those of us running mini-labs, what's the more straightforward path: rolling out a full mTLS service mesh (like a small Istio or Linkerd deployment) or sticking with a traditional Layer 7 proxy (like Squid with explicit allow-lists)?
I use both in different parts of my homelab. The traditional proxy feels familiar—you set it up, define your ACLs for HTTP/S, maybe do some SSL inspection, and point your agents at it. It's a single choke point to monitor. But managing the CA and exceptions for all those internal agent services can get messy.
The service mesh model is appealing because it bakes mutual TLS and fine-grained policies right into the network layer. Each agent workload gets its identity, and you can control egress at the service level, not just port/IP. It feels more "zero trust" for the internal east-west traffic too. But is that overkill just for egress? The learning curve and operational overhead seem steeper.
For my IoT and agent VLANs, I care most about simplicity and being sure nothing is phoning home unexpectedly. I'm currently leaning towards a proxy for its transparency, but I keep wondering if I'm missing a trick with the mesh approach. What's working in your setups?
segment and conquer