Physical security configuration with ServiceMesh

1/27/2021

Introduction

Service mesh products such as Istio use a software approach to provide powerful network control capabilities. You can fully control not only the inside of the mesh, but also the communication from the outside to the inside of the mesh and the communication from the inside to the outside of the mesh.

These are completely infrastructure environments when viewed from the application, but conversely they are application environments when viewed from the VM level such as nodes.

Question

My question is, in general, how should network security be configured for pure physical layers such as VMs and nodes?

Taking Istio as an example, communication between services is via an Envoy proxy that is inserted as a sidecar. This communication can span nodes. Communication from outside the mesh is controlled using Gateway. The port and protocol used can be controlled.

Ideally, the VM and node level network settings should be wide open for communication inside the mesh (ports used by Envoy for internal communication are automatically assigned and I don't want to control them) and outside the mesh. I understand that you only need to configure the communication you need.

However, these can be a significant administrative burden.

-- takryo
istio
kubernetes
network-security
servicemesh
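The question contrasts the mesh edge (an Istio Gateway that pins port and protocol) with the lower layers. As an added illustration, not part of the question or of any Istio documentation, here is the pairing a practitioner would usually start from: an Istio Gateway that exposes only HTTPS on 443, beside a Kubernetes NetworkPolicy that restricts a workload namespace to traffic from itself and from the namespace holding the ingress gateway. All names (bookinfo, shop-gateway, shop.example.com, shop-tls, mesh-only-ingress) are hypothetical, and the policy assumes a CNI that enforces NetworkPolicy and a cluster that sets the kubernetes.io/metadata.name namespace label.

```yaml
# Added example (not from the question). Hypothetical names throughout.

# 1. Istio Gateway: the ingress gateway accepts only HTTPS on 443 for one host.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: shop-gateway
  namespace: bookinfo
spec:
  selector:
    istio: ingressgateway        # default label of Istio's ingress gateway pods
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: shop-tls   # kubernetes.io/tls Secret in the gateway's namespace
    hosts:
    - "shop.example.com"
---
# 2. Kubernetes NetworkPolicy: every pod in the namespace accepts ingress only
#    from pods in the same namespace and from istio-system (ingress gateway).
#    No Envoy port numbers are listed; the selection is by peer, not by port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mesh-only-ingress
  namespace: bookinfo
spec:
  podSelector: {}                # applies to all pods in bookinfo
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}            # same-namespace pods (sidecar-to-sidecar traffic)
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: istio-system
```

A VirtualService bound to shop-gateway is still needed before any route exists, and this pair does not answer the node-level part of the question: the node firewall must still admit the pod network between nodes and the cluster's own control-plane and kubelet ports, and NetworkPolicy selects peers rather than Envoy's ports, which is what lets it coexist with the mesh without enumerating those ports.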

0 Answers