Features of Istio Service Mesh
Istio provides a number of benefits that make software development and delivery faster, easier, more reliable, and more secure. The following is a brief description of the key capabilities you can expect Istio with Envoy to provide:
Istio helps application teams move toward zero-trust security by letting them define and enforce authentication, authorization, and access control policies outside the application code. Traffic between services, inside and across clusters or data centers, can be encrypted and mutually authenticated with mTLS using certificates that Istio issues to each workload. Note that encryption is only guaranteed once the PeerAuthentication mode is set to STRICT: the default PERMISSIVE mode still accepts plaintext from clients that are not part of the mesh. Istio can also authenticate end users by validating JSON Web Tokens (JWT) issued by an external identity provider (Istio verifies tokens; it does not mint them), and authorization policies then restrict what each authenticated principal may call.
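As an added example (not code from the original page or from the Istio project itself), the three resources below put those claims into practice for a hypothetical `orders` workload in a `payments` namespace. The namespace, labels, issuer and JWKS URLs, request paths, and the `checkout` service account are all placeholder assumptions:

```yaml
# Added example, not from the original page. All names are hypothetical.

# 1. Require mTLS for every workload in the namespace. Without STRICT, the
#    default PERMISSIVE mode still accepts plaintext from non-mesh clients,
#    so "all traffic is encrypted" only holds once this is applied. A
#    mesh-wide default is the same resource placed in istio-system.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# 2. Validate end-user JWTs on the orders workload. Istio does not issue
#    tokens; it checks tokens minted by an external identity provider
#    against that provider's JWKS (hypothetical issuer below).
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: payments
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "https://idp.example.com"
    jwksUri: "https://idp.example.com/.well-known/jwks.json"
---
# 3. RequestAuthentication alone only rejects *invalid* tokens; a request
#    carrying no token still passes. This ALLOW policy makes a valid
#    principal mandatory: anything not matched by a rule is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow
  namespace: payments
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  # End users: must present a JWT from the trusted issuer, read-only paths.
  - from:
    - source:
        requestPrincipals: ["https://idp.example.com/*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/orders", "/orders/*"]
  # Internal caller: only the checkout service account (its SPIFFE identity
  # as proven by the mTLS client certificate) may create orders.
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/orders"]
```

Two checks worth running after applying these: send a plaintext request from a pod without a sidecar and confirm it is refused (STRICT is in effect), and send a request to `/orders` with no `Authorization` header and confirm a 403 (the AuthorizationPolicy, not the RequestAuthentication, is what rejects it).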
One of the primary needs of an application running in production is high availability. This means scaling the number of service instances up as load grows and back down to save cost; the scaling itself is done by the platform (for example, Kubernetes), not by Istio. Istio's service discovery keeps track of every healthy endpoint (pod or VM) behind a service and pushes that list to the sidecar proxies. When an endpoint becomes unavailable, it is removed from the set of upstreams and the sidecars stop sending new requests to it.
Using Envoy proxies, Istio lets you control traffic among the available service instances in fine detail. It provides load balancing, health checking, and deployment strategies. Load balancing policies include round robin, random, least-request, weighted variants, and consistent hashing. Rather than the application implementing health checks, Istio relies on the platform's readiness checks together with Envoy's passive outlier detection, which ejects endpoints that keep returning errors before more traffic is routed to them. Depending on the routing rules in the configuration, Istio shifts traffic to a new version in a weighted pattern.
Istio removes the need to code circuit breakers into each application. Platform architects can define per-service timeouts, the number of retries, connection-pool limits, and outlier ejection for automatic failover in highly available (HA) systems, all without the application knowing about them. Retries should be bounded and limited to conditions where the request was never processed, since unbounded retries amplify load on an already failing service.
Istio records every network request and traces each call across multiple services. It exports telemetry covering the four golden signals (latency, traffic, errors, and saturation) that helps SREs understand service behavior and troubleshoot, maintain, and optimize their applications.
Istio provides visibility and fine-grained network controls for traditional and modern workloads, including containers and virtual machines. It makes canary and blue-green deployments possible by routing specific user groups, identified for example by a request header or cookie, to the newly deployed version.
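The service discovery, load balancing, resilience, and canary features described in the preceding paragraphs map onto two Istio resources. Below is an added example, not from the original page or from the Istio project, for a hypothetical `catalog` service in a `shop` namespace whose pods are labeled `version: v1` (stable) and `version: v2` (canary). The header name `x-canary`, the weights, the timeouts, and the pool limits are illustrative assumptions:

```yaml
# Added example, not from the original page. Service and namespace names,
# header name, weights and limits are hypothetical.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: catalog
  namespace: shop
spec:
  host: catalog.shop.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST          # one of the built-in algorithms
    connectionPool:                  # circuit-breaker style limits
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 50
        http2MaxRequests: 200
    outlierDetection:                # passive health check: eject endpoints
      consecutive5xxErrors: 5        # that return 5 consecutive 5xx
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50         # never eject the whole pool
  subsets:                           # named versions used by the routes
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: catalog
  namespace: shop
spec:
  hosts:
  - catalog.shop.svc.cluster.local
  http:
  # Rule 1: a specific user group (anyone sending "x-canary: true") is sent
  # to the new version regardless of the weights in rule 2.
  - match:
    - headers:
        x-canary:
          exact: "true"
    route:
    - destination:
        host: catalog.shop.svc.cluster.local
        subset: v2
    timeout: 3s
  # Rule 2: everyone else gets a 90/10 weighted split. Raise the v2 weight
  # step by step to finish the canary, or switch to 0/100 for blue-green.
  - route:
    - destination:
        host: catalog.shop.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: catalog.shop.svc.cluster.local
        subset: v2
      weight: 10
    timeout: 3s                      # overall deadline for the request
    retries:
      attempts: 2
      perTryTimeout: 1s              # 3 tries x 1s fits inside the 3s timeout
      # Retry only where the request provably never reached the app, so that
      # non-idempotent calls are not silently duplicated.
      retryOn: connect-failure,refused-stream
```

One caveat a security reviewer would raise: routing on a client-supplied header such as `x-canary` selects a version, it does not restrict access. Anyone can set the header, so if the canary must be limited to a closed group, enforce that with an AuthorizationPolicy rather than with the route match.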
Most of the data-plane features listed above, such as routing, health checking, service discovery, load balancing, and security, also exist in proxies like HAProxy, Nginx, and Envoy on their own. There, however, the configuration has to be written, deployed, and maintained manually, usually with several other tools. Istio combines them into one integrated platform, removing boilerplate configuration and keeping proxy configuration consistent across the whole fleet.
Under the hood, Istio was originally built from five major components, described below. Since Istio 1.5 the control-plane components (Pilot, Citadel, and Galley) have been merged into a single binary, istiod, and Mixer was removed in Istio 1.8, with telemetry now generated by the Envoy proxies themselves. The responsibilities are unchanged; only the packaging differs:
- Envoy Proxy: Istio uses Envoy as a sidecar proxy in the data plane. Envoy is responsible for failure handling, health checks, service discovery, and load balancing, and it is also where mTLS is terminated and authorization policies are enforced, so every policy decision is made locally next to the workload. Envoy proxies provide detailed information about each service request.
- Mixer: Mixer (removed in Istio 1.8) acted in the control plane as Istio's policy and telemetry hub, gathering attributes about service requests from the Envoy proxies in the mesh and answering precondition and quota checks. Mixer provided an API to fetch those attributes for monitoring and logging purposes.
- Pilot: Istio uses Pilot in the control plane to provide traffic management and load balancing for the mesh. Traffic rules are specified as Istio resources (VirtualService, DestinationRule, and so on); Pilot watches the platform, such as Kubernetes, for service and endpoint changes, translates the rules into Envoy configuration, and pushes it to every sidecar through the xDS APIs. Istio also uses Pilot to distribute security policies (authentication and authorization policies) to all Envoy proxies.
- Citadel: Citadel is the mesh certificate authority. It issues each workload an X.509 certificate carrying its SPIFFE identity (spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>) and rotates those certificates automatically, providing the identities on which mTLS and policy-driven communication between Envoy proxies are built.
- Galley: The control plane also includes Galley, which ingests user-defined Kubernetes YAML (Istio custom resources), validates it, and converts it into the internal format the rest of the control plane understands before handing it to Pilot for further action.
Benefits of using Istio service mesh
Organizations running large-scale applications built on a microservices architecture benefit most from Istio. As traffic between microservices grows, so does the need for sophisticated routing and for securing the data that flows between them. Here are the benefits of using Istio service mesh:
Increased developer focus
Because Istio service mesh manages the communication layer, it abstracts the network away from application code. Developers can focus on adding business value with each service they build, rather than on how each service talks to the others.
Easy-to-implement secured communication
With the network layer abstracted away, security operators can implement service-to-service authentication, authorization, and encryption over mTLS-based connections as mesh configuration, without changing application code.
Support for industry compliance requirements
Istio service mesh helps engineering and platform teams define security and compliance policies and demonstrate that their application and infrastructure meet controls required by standards such as PCI DSS, FedRAMP, and GDPR: for example, encryption of data in transit through mTLS, least-privilege service-to-service access through authorization policies, and access logs for auditing. Istio supplies these controls; it does not by itself make an application compliant.
Improved business agility
With Istio service mesh, DevOps teams can implement deployment strategies like canary and blue-green releases by splitting traffic at run time. You also get detailed visibility into how a targeted group of users consumes your application, so you can focus your effort where it improves performance most.
Getting Started with Istio Service Mesh
- Understand Istio: Guide to learning and understanding the value of Istio and Envoy
- Learn Istio Fundamentals: Watch 5 hours of video and learn quickly about Istio for free
- Install Tetrate Istio Distro: Get started with trusted, FIPS-compliant, and supported versions of Istio service mesh
- Monitoring Istio: Learn how to get metrics from Istio service mesh using Prometheus