Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
How GitHub Uses GitHub to Be Productive and Secure
May 31st 2023 10:30am, by Loraine Lawson
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by Guilherme (Gui) Alvarenga
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Chainguard Improves Security for Its Container Image Registry
May 31st 2023 6:30am, by Steven J. Vaughan-Nichols
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How to Containerize a Python Application with Paketo Buildpacks
May 29th 2023 5:00am, by Sylvain Kalache
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by Chris J. Preimesberger
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
How to Optimize Queries for Time Series Data
Apr 27th 2023 12:00pm, by Robert Kimani
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by Susan Hall
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
WithSecure Pours Energy into Making Software More Efficient
Jun 1st 2023 7:14am, by Joe Fay
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
The Architect’s Guide to Storage for AI
Jun 1st 2023 7:44am, by Keith Pijanowski
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by Jennifer Riggins
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by Doug Flora
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by Rick Houlihan
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by Casey Samulski
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
LangChain: The Trendiest Web Framework of 2023, Thanks to AI
Jun 1st 2023 10:57am, by
30 Non-Trivial Ways for Developers to Use GPT-4
Jun 1st 2023 9:39am, by
Bluesky vs. Nostr — Which Should Developers Care About More?
May 30th 2023 7:51am, by
Bad by Design: The World of Intentionally Awful User Interfaces
May 28th 2023 6:00am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
PyPI Strives to Pull Itself Out of Trouble
Jun 1st 2023 11:43am, by
30 Non-Trivial Ways for Developers to Use GPT-4
Jun 1st 2023 9:39am, by
The Architect’s Guide to Storage for AI
Jun 1st 2023 7:44am, by
WithSecure Pours Energy into Making Software More Efficient
Jun 1st 2023 7:14am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
JavaScript or WebAssembly: Which Is More Energy Efficient and Faster?
Jan 30th 2023 9:51am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by
New Image Trends Frontend Developers Should Support
May 25th 2023 6:00am, by
Could WebAssembly Be the Key to Decreasing Kubernetes Use?
May 22nd 2023 6:00am, by
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
Bringing AI to the Data Center 
Jun 1st 2023 6:13am, by
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by
MongoDB vs. PostgreSQL vs. ScyllaDB: Tractian’s Experience
May 31st 2023 6:10am, by and
Oracle Support for MySQL 5.7 Ends Soon, Key Upgrades in 8.0
May 30th 2023 10:35am, by
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by
Maker Builds a ChatGPT DOS Client for a 1984 Computer
May 31st 2023 11:04am, by
Google’s Generative AI Stack: An In-Depth Analysis
May 31st 2023 7:59am, by
MongoDB vs. PostgreSQL vs. ScyllaDB: Tractian’s Experience
May 31st 2023 6:10am, by and
Alteryx Announces AiDIN for AI-Powered Features
May 26th 2023 8:06am, by
Proprietary AI Models Are Dead. Long Live Proprietary AI Models 
May 26th 2023 6:13am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
PyPI Strives to Pull Itself Out of Trouble
Jun 1st 2023 11:43am, by
Chainguard Improves Security for Its Container Image Registry
May 31st 2023 6:30am, by
How to Integrate OpenShift with Keycloak
May 30th 2023 11:00am, by
Cloud Security: Don’t Confuse Vendor and Tool Consolidation
May 30th 2023 6:24am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
How to Host Your Own Platform as a Product Workshop
May 31st 2023 9:09am, by Jennifer Riggins
Take a Platform Engineering Deep Dive at PlatformCon 2023
May 26th 2023 10:00am, by Carrie Tang
Developer Platforms: Key Findings from a Forrester Snapshot
May 19th 2023 10:52am, by Aeris Stewart
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
IBM Cloud CTO: Pros Outweigh the Cons with Platform Engineering
May 5th 2023 6:00am, by Loraine Lawson
How to Improve Operational Maturity in an Economic Downturn
May 31st 2023 8:30am, by Jonathan Rende
MongoDB vs. PostgreSQL vs. ScyllaDB: Tractian’s Experience
May 31st 2023 6:10am, by Joao Pedro Voltani and Joao Granzotti
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
Meet The Hobbyists Building Their Own DIY Cyberpunk Devices
May 29th 2023 6:00am, by David Cassel
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by Jeff Martens
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
Maker Builds a ChatGPT DOS Client for a 1984 Computer
May 31st 2023 11:04am, by David Cassel
Developers Can Turn Turbulent Times into Innovation and Growth
May 31st 2023 9:53am, by Ivan Letenko
Bluesky vs. Nostr — Which Should Developers Care About More?
May 30th 2023 7:51am, by Richard MacManus
Meet The Hobbyists Building Their Own DIY Cyberpunk Devices
May 29th 2023 6:00am, by David Cassel
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
Cloud Security: Don’t Confuse Vendor and Tool Consolidation
May 30th 2023 6:24am, by Rani Osnat
Take a Platform Engineering Deep Dive at PlatformCon 2023
May 26th 2023 10:00am, by Carrie Tang
Developer Guide: A New Way to Build on the Slack Platform
May 26th 2023 8:30am, by Lauren Gil
Better Security with ChatGPT: Using AI's Defensive Strengths
May 26th 2023 6:00am, by Jeff Goldman
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Overcoming the Kubernetes Skills Gap with ChatGPT Assistance
May 23rd 2023 11:00am, by Dev Nag
Could WebAssembly Be the Key to Decreasing Kubernetes Use?
May 22nd 2023 6:00am, by Loraine Lawson
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
Cloud Native Ecosystem / Microservices / Service Mesh

Chart a Course for a Service Mesh Future: Lifting Off with Istio

A primer for how a service mesh works and why you'd need one in a microservices environment.
Sep 24th, 2019 10:00am by
Featued image for: Chart a Course for a Service Mesh Future: Lifting Off with Istio

Karen Bruner
Karen Bruner is a Principal DevOps Engineer for StackRox, where she drives automation and advocates for operationalizing the product. Previously, Karen has held DevOps and site reliability engineering roles at Clari, Ooyala, LinkedIn, and Yahoo. She started her career working in Hollywood in the digital effects industry and has a film credit in “Babe” for Internet Bandit. She spends her spare time rendering puns in yarn, learning obscure fiber crafts, and tripping over cats.

The maturation of cloud native architectures and technologies, such as containers and Kubernetes, is driving the emergence and adoption of service mesh architectures. While cloud native environments promise a wealth of benefits for organizations that deploy them, complexity has emerged as a significant challenge for those responsible for architecting, developing, operating and securing such systems, including DevOps practitioners, infrastructure engineers, software developers, and network operators as well as CIOs, CTOs, and other organizational technology leaders.

The ability to consolidate on a consistent service and network management experience for applications across cloud native environments and how that aligns with and speeds DevOps practices together propel the development of service mesh frameworks. As cloud native adoption continues to accelerate, it’s critical for the engineering teams that own cloud native applications to familiarize themselves with service mesh capabilities now to determine if that technology will provide value to their organization in the future.

What Is a Service Mesh?

A service mesh allows you to connect, secure, control, and observe services in an orchestrator platform. The term “service mesh” itself applies either to the set of overlapping network connections between services in a distributed application or to a set of tools used to manage that group of connected services. If you have two microservices which interact via network connections, you have a service mesh. Here’s the simplest example, a mesh with two services:

More likely, as the number of microservices in your environment grows, your service mesh will start to look something like the following:

As cloud environments expand into hybrid and multicloud deployments, developers use microservices to speed development and to ensure portability among the many containers and distributed cloud resources used by an organization — a vast and complex network of data and applications. As the complexity of a microservices ecosystem grows, so does the need to manage it effectively and intelligently, to get insights into how the microservices interact, and to secure communications between the microservices.

What Is Istio?

If you’ve heard about service meshes, you’ve almost certainly heard about Istio in conjunction. Istio is an open source service mesh that can be deployed alongside existing cloud-native applications. It also has platform-like features that allows it to be integrated into logging platforms, or telemetry or policy systems. The policy integration allows Istio to act as a security tool creating a uniform method to secure, connect, and monitor microservices within a given environment. When referenced, “the Istio service mesh” usually refers to the Istio toolset, whereas “an Istio service mesh” usually denotes a specific application cluster managed by an Istio installation. Istio’s many Custom Resource Definitions (CRDs) enable programmatic configuration (using the Kubernetes API) of the behavior of the application network layer, where the application is the set of interdependent microservices. Istio, more or less, is the Kleenex of service meshes in today’s cloud native stack — it’s the most feature-rich and standardized.

Do I Need a Service Mesh?

Although service mesh adoption is likely to continue to spread quickly, especially as the feature sets and manageability of tools like Istio improve, not every cloud native environment needs it. So how do you know if a service is right for your organization and environment? You should consider deploying a service mesh if you need a solution to one or more of the requirements or problems outlined below:

  • You have performance issues in a distributed microservice-based application
  • You need to gather and deliver consistent request and connection metrics for all microservices
  • You want to make over-the-wire encryption the default without having to manage TLS certificates directly
  • You require service-to-service control at a finer-grained resolution than vanilla Kubernetes can provide with Network Policies
  • You want to enable release automation with canary rollouts and application API multi-version support
  • You desire to add user authentication and authorization without modifying the application

On the other hand, using a service mesh comes with some trade-offs if it’s not needed in your stack. Deploying a service mesh (Istio included) will require a significant level of migration effort and operational overhead given how complex these environments can be. If you don’t expect the number of microservices deployed to grow, if other solutions meet your internal HTTP request routing needs, or if you already have manageable effective solutions to any of the key requirements listed above, then a service mesh probably isn’t the best solution for your environment at this time.

But as service mesh adoption continues to surge, the ecosystem of features developed to support it will inevitably continue to expand. This increase will improve manageability and functionality so that in the future, as organizational maturity demands it, DevOps teams will have easier access to a more robust set of service mesh tools without the anxiety associated with deploying a fresh layer of infrastructure into the cloud native stack.

How Istio Works

Istio components can be broken down into two groups — the control plane and the data plane. The control plane refers to the services that manage configurations and monitor the data plane. The data plane consists of intelligent proxies deployed as sidecars in application pods, the smallest deployable object in the Kubernetes object model. These Istio proxies facilitate controlling and monitoring the network connections between microservices. Routing and policy rules are received from the control plane. The data plane then reports back connection handling telemetry.

Istio service meshes are configured through the creation of Kubernetes resources. There are many Kubernetes Custom Resource Definitions that map to various elements of Istio’s functionality created by the folks behind it. We discuss more about the control and data planes below, but first we wanted to raise a few points about Istio’s potential (as well as potential pitfalls).

The Potential and Pitfalls

Istio offers a range of features to handle and control network connections through its mesh of dynamically-configurable proxies. But this functionality comes with a steep learning curve and a heavy load of configurations. There are also sometimes many common issues that come along with migrating existing applications into Istio architectures, even if they are already Kubernetes-native microservices.

Ironically, Istio lacks visibility into how it translates user-supplied configurations to Envoy routes. Envoy is the high-performance proxy developed as an intermediary for inbound and outbound traffic for the services in a service mesh created by developers from the ride-share service Lyft to transition from a monolithic architecture to a service mesh architecture. Other adoption issues can include the learning curve required to understand requirements for deployment and service resource configuration, addressing Kubernetes readiness and liveness probes that break when mTLS is turned on, and working with headless services (Kubernetes services with no ClusterIP) or services that otherwise bypass the normal Kubernetes service discovery flow.

The upside is that Istio is rapidly evolving with frequent releases and engaged working groups that actively solicit user feedback. Many limitations come from the Envoy proxy, which is also being actively developed and improved as Istio continues to drive its usefulness.

Configuring the Control Plane

A typical Istio deployment in a Kubernetes cluster should have the following services:

  • The Pilot service, which aggregates traffic management specifications configured in Istio networking custom resources and delivers it to the istio-proxy sidecars.
  • The Mixer service, which handles telemetry for request metrics generated by proxy sidecars to send them to configured backends and acts as an authorization policy enforcer. If policy checks are turned on (Istio 1.1 turns them off by default), the proxy sidecars will connect to the Mixer to confirm that the connection is allowed. This approach, unfortunately, comes at the slight cost of additional network latency.
  • The Citadel service, which is Istio’s Public Key Infrastructure (PKI) service, generates, rotates, and revokes the client TLS certificates generated for each service in a mesh and used for peer-to-peer authentication.
  • The Galley service, which is the Kubernetes controller for most of the Istio Custom Resource Definitions enabling users to make changes to custom resources and distribute the contents to the other Istio services.

The Data Plane

The data plane is powered by the Envoy service proxy, built with extensions for Istio. The proxy intercepts incoming traffic to the pod’s service ports and, by default, all outgoing TCP traffic from the pod’s other containers. In most cases, the proxy sidecar can run in a pod without requiring any changes to the application code and with only minor changes to the application’s Kubernetes Deployment and Service resource specifications. The configuration of the proxy sidecars is managed dynamically by the services in the Istio control plane.

Ultimately, a time may come when you will need to deploy a service mesh to ensure your cloud native environment is fully functioning and amply secured. Familiarizing yourself with the fundamentals today will give you a leg up when it comes time for recognizing when it’s time to deploy and being prepared. With visibility into the design and functionality of Istio, and how it reduces the inherent complexity of containerized microservices and cloud-native environments, engineers trying to plan for scaling on Kubernetes and other container platforms can feel relief knowing that a highly functional and rapidly improving solution exists and is actively evolving to enhance scalability, security and ease of management.

As organizations continue on their journey towards the adoption of cloud native and distributed architectures, Istio’s service mesh capabilities, along with lower-level infrastructure network controls and general Kubernetes security best practices, will unburden DevOps organizations from the pressures associated with scaling and managing application infrastructure.

Feature image via Pixabay.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
A Boring Kubernetes Release 4 Core Principles of GitOps Bobsled Offers Platform-Neutral Data Sharing Service Walkthrough: Bitwarden's New Secrets Manager Cloud Native Basics: 4 Concepts to Know 
RELATED STORIES
Rafay Backstage Plugins Simplify Kubernetes Deployments How GitHub Uses GitHub to Be Productive and Secure 4 Ways to Enhance Your Dockerfiles Why Upgrade to Observability from Application Monitoring? Bobsled Offers Platform-Neutral Data Sharing Service
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.