Service Mesh and Istio

A service mesh is a dedicated infrastructure layer like the open source project Istio, that controls how different parts of a distributed application share data with one another, without adding it into the application’s code. More precisely, service meshes control service-to-service communication in a microservices architecture to perform load balancing, deliver service requests to other services, encrypt data, and discover other services.

A service mesh is composed of a data plane and a control plane. The data plane consists of intelligent proxies that are responsible to control all communication between the services. The control plane on the other hand acts as the brain of the mesh and controls the proxies. Or simple: the data plane forwards data while the control plan controls how this data is forwarded.

Service meshes allow enterprises to deliver distributed applications at scale. The service mesh simplifies service-to-service based network operations like traffic management, load balancing, auditing, authorization and observability. The benefits of service mesh include:

Better service management: With service mesh, the developer overhead is reduced as the networking operators can consistently manage networking for all of their services.

Enhanced security of services: The network security operators can easily implement inter-service security including authentication, authorization, and encryption.

Improved application performance: Service mesh enables development teams to implement best practices and get deep insights into their services. Teams can identify areas for improvement and focus on efforts to enhance performance. 

Managed traffic: With service mesh, organizations will have control of traffic with rich routing rules, fault injection, refined policies, and more.

Simplified load balancing: The proxies in the data plane work to scale and balance the load, so the applications don’t fail. The proxies communicate with each other without involving the services providing enough space for scale.

Easy deployment with Kubernetes and VMs: Service mesh delivers network controls and visibility for traditional and modern workloads running in both virtual machines and containers.

The service mesh enables fast, reliable, and secure inter-service invocation in microservices architectures. Organizations can run microservices at scale with the help of a service mesh and get:

• A more flexible release process
• Availability and resilience
• Secure communications

More importantly, it is not a mesh of “services” but a mesh of “proxies” that services can plug into, hence abstracting the network from the application code.

Let’s take a closer look at Istio, one of the most widely adopted service meshes: Istio is a Kubernetes-native mesh that uses the high-performance proxy Envoy that controls all inbound and outbound service traffic. It also uses a simple Jaeger UI for visualizing and storing traces to debug their microservices.

Istio’s data plane comprises proxies, also known as sidecars, that control all the communication between microservices and generate telemetry on all traffic among services in the mesh.

The control plane controls traffic by managing and configuring proxies based on the defined policies for that particular application within the mesh.

The proxies are contained in each service as a sidecar through which the services communicate. Instead of invoking services directly, each of them invokes their local sidecar, which manages the requests on behalf of the services. This enables pushing the complexities of service communications into an infrastructure layer that can resolve them at a scale.

A service mesh comprises two main components, a data plane and a control plane.

Data plane: The data plane typically consists of a set of proxies, also known as sidecars. These proxies are responsible for mediating and controlling all network communication between microservices. In addition, the proxies collect and report telemetry on all mesh traffic. The main characteristics of data plane:

• It issues policies and configurations by communicating with proxies.
• It visualizes overall network behavior.
• It provides an API for continuous integration and deployment.

Control plane: The control plane is responsible for managing and configuring the proxies to route traffic. Here are some more characteristics of control plane:

• It is designed to manage configurations and improve traffic forwarding performance.
• Control plane functions, such as participating in routing protocols, run in the architectural control element.
• It can be deployed easily as it is transparent to the application.

There are several open source service meshes but the most popular and widely adopted ones are clearly Linkerd and Istio. 

Since, 2021, Linkerd is a graduated project of the Cloud Native Computing Foundation with 200+ contributors and 10,000+ stars on Github. Linkerd’s focus is on simplicity, security, and performance and is particularly suitable for highly-complex and large scale Kubernetes installations.  

Istio is the Greek word for “sail”. It was initially developed by teams from Google and IBM in partnership with the Envoy team from Lyft. Just as Linkerd, more than 200 contributors contribute to the service mesh. Istio is platform-independent and open source under the Apache 2.0 License.

The basic idea of microservice architecture is to split up a single application into a set of many loosely-coupled services, the so-called microservices. As these distributed applications become more and more complex, the requests between these services soar exponentially, requiring more sophisticated routing abilities to optimize the flow of data between the services and ensure the high performance of the application.

Service meshes enable fast, reliable, and secure inter-service invocation in microservices architectures. Organizations can run microservices at scale with the help of a service mesh and get:

• A more flexible release process
• Availability and resilience
• Secure communications

Istio is one of the most popular service meshes for distributed architectures. It allows developers to assemble apps using loosely coupled microservices to ensure portability in the cloud. In addition, Istio enables DevOps teams to manage the new cloud native apps within hybrid and multi-cloud environments.

Istio is an open source and Kubernetes-native service mesh to automate network functions of distributed and containerized applications. It provides a uniform and more efficient way to secure, connect, and monitor services. In addition, the Istio service mesh also supports how those services communicate and share data. In a nutshell, Istio is the path to more efficient and standardized load balancing, service-to-service authentication, and monitoring with few or no service code changes.

Istio enables organizations to secure, connect and monitor their distributed cloud native applications so organizations can modernize and migrate their services securely and hassle-free. From managing traffic flow between services to enforcing access policies, Istio service mesh does it all without requiring changes to application code. It also reduces deployment complexity by transparently layering onto existing distributed applications.

Top features of Istio include:

Traffic management: Istio uses routing rules to control the flow of traffic and API calls. This improves the reliability of the calls as well as the resilience of the network. 

Security: With Istio, organizations can enforce policies consistently across multiple protocols and runtimes with very few application changes. For example, using Istio with Kubernetes network policies, the benefits include securing communication from pod-to-pod or service-to-service at network and application layers communication in a cluster with TLS encryption, authorization and robust identity-based authentication.

Observability: The tracing, logging, and monitoring features of Istio help you get insights into your service mesh deployment. Through consistent monitoring, organizations can consider how service activity influences upstream and downstream performance. In addition, custom dashboards offer great visibility for performing all the services.

Expendability: Istio is designed for expansion and can handle various deployment needs. Istio’s control plane runs on Kubernetes and contains a variety of elements. Development teams can add applications deployed in that cluster to the mesh, expand it to other clusters, or even connect VMs or other nodes running outside of Kubernetes.

Implementing a service mesh in your organization comprises setting up the control plane components, preparing the data plane by injecting Envoy proxies as sidecars to each service instance, and connecting them to the control plane. DevOps teams can then easily configure the service mesh behavior from the control plane by utilizing policies. Of course, service mesh implementation depends on the platform you choose, but it will determine the exact steps involved.

Istio service mesh implementation is simplified by combining control plane components and data plane executables, eliminating the need to deploy them individually.

When installing Istio on Kubernetes, there are two modes of data plane available, traditional with sidecars and sidecarless called Ambient mode. With the traditional mode, it is easier to create the data plane entities as the proxy sidecar can be deployed automatically along with each service labeled. The proxy is manually installed along with each service and registered with the control plane on the virtual machine. Policies are used to configure the behavior of the service mesh and get desired outcomes to process application layer.

Ambient mode is designed for simplified operations, application compatibility, and reduced resource usage on the cluster, simply offering a shared ztunnel agent, running on each node in the Kubernetes cluster, that serves as a secure overlay that handles routing and zero trust security for traffic. When needed, you can enable application layer processing per namespace to get access to the full range of Istio features by deploying waypoint proxies.