🤖 AI Summary
Lack of portable Layer-3 (L3) network policy enforcement mechanisms across heterogeneous infrastructures hinders data-plane traffic security and cross-environment policy consistency.
Method: We propose a novel paradigm that deeply integrates L3 network policies into the service mesh data plane, building an IP-overlay network atop Kubernetes/Istio. Policy enforcement points (PEPs) perform routing and key-based authorization for access control, while service mesh proxies uniformly enforce policies—eliminating dependence on underlying network capabilities.
Contribution: This work presents the first infrastructure-agnostic, portable L3 policy enforcement mechanism. It enables unified L3–L7 policy specification and end-to-end governance. Our prototype introduces less than 1 ms latency overhead while matching the expressiveness of Kubernetes native NetworkPolicy. Experimental evaluation validates consistent, cross-cloud and hybrid-environment policy enforcement feasibility.
📝 Abstract
Portable service mesh implementations enable layer 4 to layer 7 policy enforcement across diverse infrastructures, but they remain tied to infrastructure-specific layer 3 network policies. Network policies enable control over IP traffic flow regardless of whether traffic is authorized at the application level. However, not all infrastructure supports enforcing them, and achieving consistent enforcement across heterogeneous environments is challenging. For example, studies have shown that the majority of Kubernetes clusters do not enforce any network policies. We propose integrating network policy enforcement with service meshes to protect data-plane traffic in a portable, infrastructure-agnostic way. This enables developers to define integrated layer 3 to layer 7 policies and ensure they are enforced across any infrastructure. Additionally, due to its portability, our approach can be used outside the service environment to enforce policies on end-user traffic and provide an end-to-end secure extended overlay. Our solution builds an overlay layer 3 network and enforces layer 3 policies by routing traffic through specific policy enforcement points and utilizing authorization keys. We prototyped our idea using Kubernetes and Istio, and show that while it adds less than 1 ms latency, it can implement complex policies comparable to Kubernetes native network policies.
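As an added illustration (not the paper's code, and not a model of its authorization-key mechanism, which the abstract does not specify), the following Python sketch captures the Kubernetes NetworkPolicy ingress semantics that a portable policy enforcement point would have to reproduce to match native expressiveness: unselected pods default to allow, a selected pod is default-deny, and any matching additive rule (podSelector or ipBlock with except, plus optional ports) permits the flow. Pod names, labels and addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Pod:
    name: str
    ip: str
    labels: dict

@dataclass
class Peer:
    # One NetworkPolicy "from" entry: either matchLabels on the source pod
    # or an ipBlock (cidr with optional except list), never both.
    pod_selector: Optional[dict] = None
    cidr: Optional[str] = None
    excepts: list = field(default_factory=list)

@dataclass
class IngressRule:
    peers: list = field(default_factory=list)  # empty "from" = any source
    ports: list = field(default_factory=list)  # (proto, port); empty = any port

@dataclass
class NetworkPolicy:
    pod_selector: dict  # destination pods this policy applies to
    ingress: list = field(default_factory=list)  # empty = deny all ingress

def selects(selector: dict, labels: dict) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer: Peer, src: Pod) -> bool:
    if peer.pod_selector is not None:
        return selects(peer.pod_selector, src.labels)
    addr = ip_address(src.ip)
    in_block = addr in ip_network(peer.cidr)
    return in_block and not any(addr in ip_network(e) for e in peer.excepts)

def ingress_allowed(policies, src: Pod, dst: Pod, proto: str, port: int) -> bool:
    # Decision a PEP makes for one L3/L4 flow toward dst (hypothetical model).
    applicable = [p for p in policies if selects(p.pod_selector, dst.labels)]
    if not applicable:
        return True  # pod not selected by any policy: default allow
    for p in applicable:  # policies are additive: any matching rule allows
        for rule in p.ingress:
            peer_ok = not rule.peers or any(peer_matches(pe, src) for pe in rule.peers)
            port_ok = not rule.ports or (proto, port) in rule.ports
            if peer_ok and port_ok:
                return True
    return False
```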