What is Istio?
This 7-minute read is meant to be primer for developers, operators, and anyone curious about Istio service mesh.
To answer the question “what is Istio?”, we need to establish some context first. Modern applications are often composed of microservices that run in containers distributed on-premises and in the cloud. As they are decomposed from monolithic applications, these microservices need new tools to address new connectivity challenges that arise in handling distributed services. Common challenges include:
- Correctly routing traffic between all the distributed application services
- Handling issues and errors with retries, timeouts, circuit-breakers, and failover
- Securing connections, including authentication, authorization, and encryption
- Observability and troubleshooting of connections and traffic between services
A service mesh defines both the control plane (to configure desired service connectivity and behavior) and the data plane (to direct traffic and enforce security rules.) Without a service mesh, all of these capabilities would need to be built directly into all the various microservices — a complex and unsustainable task!
The open source Istio project is the most popular choice of service mesh, and is the solution most often deployed in production, with a large and active community backing it. Istio offers a programmable way to create and manage a service mesh that runs natively co-located within Kubernetes (K8s)-orchestrated containers (and even virtual machines) in hybrid- and multi-cloud environments. Istio abstracts management of the connectivity from the applications themselves, making it much easier for developers and operators.
An Istio service mesh provides essential capabilities around traffic management, security, observability, and reliability to ensure communications between microservices run as expected. Istio has had years to mature into a robust solution for enterprise environments, but also continues to develop many new innovations with releases on a predictable quarterly cadence.
How is Istio used?
If you are wondering “what is Istio going to look like in my environment?”, there are a couple of ways to think about its functions. First, Istio lets you define in a global namespace the resources that make up your microservices and applications, and lets you configure rules to securely route layer-4 and layer-7 traffic between them, including TCP, HTTP, and gRPC protocols. Identifying which resources make up your microservices and applications is the first step in establishing the desired connectivity and routes between them. Istio leverages the open source Envoy Proxy (a graduated project in the Cloud Native Computing Foundation – CNCF) to handle the control plane activities like connections and security. In effect, the Istio control plane acts as a configuration and management layer to give instructions to Envoy proxies in the data plane. The Envoy proxies are usually deployed as sidecars within the Kubernetes (K8s) clusters that support the microservices applications, while Istio itself is usually run in a separate cluster.
You can define basic routing behavior and load balancing, increase reliability with retries, timeouts, and failover, as well as more advanced behavior like rate limiting, quotas, and transforms. Traffic shaping features in Istio enable you to further manage exactly how microservices interconnect and can support canary and A/B testing by splitting traffic, enabling smoother rollout of new application updates with less risk. Fine-grained traffic management between Kubernetes microservices and other applications is the fundamental function of a service mesh.
For security, Istio provides for mutual Transport Layer Security (mTLS) encryption, access controls like authentication and authorization, and vulnerability scanning. Security is essential to protect sensitive information which is transmitted between microservices on your service mesh. Most customers aim to adopt a “zero-trust” security model which identifies connection requests and denies any/all unvalidated or unsecured connections, from both internal or external sources.
Istio gives you observability of your application communications with telemetry, tracing, logging for audits. Istio offers compatibility with other open source tools like Prometheus, Grafana, and Jaeger. Istio collects and aggregates traffic flow metrics and errors from across all points in the service mesh. Observability is critical to discover, analyze, and address issue around connectivity, performance, security, and other real-world behavior of your service mesh.
How to implement Istio
As an open source project, Istio can be downloaded directly from community-led repositories on GitHub or sourced and licensed from a commercial provider like Solo.io. The Istio control plane is deployed in Kubernetes clusters with open source Envoy Proxy gateways and sidecars to operate the data plane itself, and allows you to configure and enforce your policies for both North-South and East-West traffic.
Customers deploy and install Istio using Helm charts and/or YAML files in Kubernetes to both push the software and configure it. The Istio control plane is used to further manage the configurations, set policies, and perform updates. Many choose to use the Istio command line “istioctl” to programmatically define and implement configurations and changes. Once Istio is deployed and configured, the next step is to define the services in the mesh. Envoy proxies are usually set up as sidecars in each of the Kubernetes application clusters.
You can implement and manage Istio yourself, but you should think about what is Istio going to need in terms of investment. Certainly Istio will require a lot of administrative effort to self-support and adapt to enterprise requirements, or you can choose a more comprehensive Istio management product, such as Gloo Mesh which comes with enterprise production support. If you want to make it easier for your API producing and consuming developers, an Istio-native developer portal enables GitOps and CI/CD methodologies.
You can learn the fundamentals of Istio deployment and operations with free workshops and optional certification.
Benefits of Istio
When people ask “what is Istio?” they often want to understand the benefits and see how it fits their needs. The main benefit of Istio is enabling modern applications such as containerized microservices in hybrid- and multi-cloud environments to connect safely, reliably, and securely.
Without an Istio service mesh, tools to manage your desired behavior around connectivity and security would have to be implemented directly in each application – which would not be very efficient, consistent, or scalable. Istio abstracts the control plane and data plane from the applications and physical infrastructure, making it much easier to manage, secure, and observe your service mesh. Istio also lets you split traffic to support A/B testing, blue/green, canary deployments of applications for GitOps and CI/CD style application development.
Older offerings around API gateways simply don’t achieve all the capabilities of Istio, since they were developed without being Kubernetes- and cloud-native. While some vendors have tried to adapt their products, they have built-in architectural limitations that will make it much harder for teams to achieve their objectives.
From a business standpoint, adopting an Istio service mesh means you will have reduced risk, increased security, and easier management of the connectivity between Kubernetes-based and legacy applications. Istio even helps with application modernization and “migration to cloud” initiatives by providing a way to direct traffic between new microservices and application updates.
Read Istio Explained (O’Reilly) by Lin Sun (Solo) and Daniel Berg (IBM)
Read Istio in Action by Christian Posta (Solo)
Explore Gloo Mesh, an enhanced Istio service mesh