Istio is a leading, CNCF graduated, open source platform for service mesh, and is instrumental in managing the infrastructure for the next generation of microservices applications. Istio can help development and operations teams manage distributed, cloud native applications at large scale across hybrid cloud and multi-cloud environments.
Technically, Istio functions as a service networking layer that automates networking and communication between microservices. It is language-independent and platform-agnostic, and supports a variety of programming languages, enabling seamless intercommunication among microservices built with different technologies. In addition, Istio seamlessly integrates with Kubernetes, the most popular orchestrator for containerized applications, as well as virtual machine (VM) technology utilized by legacy applications.
The need for Istio
Modern applications are often composed of microservices that run in containers, both on-premises and in the cloud. These microservices need new tools to address connectivity challenges that arise in handling distributed services.
Common challenges of microservices applications include:
- Correctly routing traffic between all the distributed application services
- Handling issues and errors with retries, timeouts, circuit-breakers, and failover
- Securing connections, including authentication, authorization, and encryption
- Observability and troubleshooting, of connections and traffic between services
A service mesh defines both the control plane (to configure desired service connectivity and behavior) and the data plane (to direct traffic and enforce security rules.) Without a service mesh, all of these capabilities would need to be built directly into all the various microservices — a complex task.
The open source Istio project is the most popular choice of service mesh, and is the solution most often deployed in production, with a large and active community backing it.
Istio offers a programmable way to create and manage a service mesh that runs natively co-located within Kubernetes (K8s)-orchestrated containers (and even virtual machines) in hybrid- and multi-cloud environments. Initially designed to seamlessly integrate with Kubernetes and leverage its orchestration capabilities, Istio has become the preferred service mesh for Kubernetes, deeply integrating with the platform and aligning with its evolving standards. Moreover, Istio has extended its support beyond Kubernetes, integrating with other container orchestration platforms and cloud-native environments, making it highly versatile and adaptable for various deployment scenarios.
What can you do with Istio?
Istio gives you operational control over your service mesh and its supported microservices, providing behavioral insights. You can use a service mesh to reduce deployment complexity and relieve some of the development team’s burden.
Istio offers the following service mesh management features:
- Traffic management – Istio lets you control traffic flows and service-to-service API calls by configuring rules and routing traffic. It makes the configuration of retries, timeouts, and circuit-breakers simpler.
- Security – Istio provides the backbone for communications and manages security controls such as service communication encryption, authentication, and authorization at scale. It consistently enforces policies across runtimes and protocols and helps secure communication between Kubernetes pods and services at the application and network layers.
- Observability – Istio provides insights into service mesh deployments using monitoring and logging features. Monitoring provides visibility into how service behavior impacts upstream and downstream performance. Istio offers custom dashboards to track performance across all services.
Key components in the Istio architecture include:
- The open source Envoy Proxy (a graduated project in the Cloud Native Computing Foundation – CNCF), which handles activities like connections and security. The Envoy proxies are usually deployed as sidecars within Kubernetes clusters that support the microservices applications, while
- The Istio data plane, which is made up of the set of all Envoy proxies running alongside applications in the cluster.
- The Istio control plane, which acts as a configuration and management layer to give instructions to Envoy proxies in the data plane. The control plane typically runs in a separate cluster.
Establishing trust boundaries
Istio lets you define in a global namespace the resources that make up your microservices and applications, and lets you configure rules to securely route layer-4 and layer-7 traffic between them, including TCP, HTTP, and gRPC protocols.
Defining routing and load balancing
Istio lets you define basic routing behavior and load balancing, increase reliability with retries, timeouts, and failover, as well as more advanced behavior like rate limiting, quotas, and transforms. Traffic shaping features in Istio enable you to further manage exactly how microservices interconnect and can support canary and A/B testing by splitting traffic, enabling smoother rollout of new application updates with less risk.
Securing communications with mTLS and authentication
For security, Istio provides for mutual Transport Layer Security (mTLS) encryption, access controls like authentication and authorization, and vulnerability scanning. Security is essential to protect sensitive information which is transmitted between microservices on your service mesh. Most customers aim to adopt a “zero-trust” security model which identifies connection requests and denies any/all unvalidated or unsecured connections, from both internal or external sources.
Collecting telemetry and integrating with observability tools
Istio gives you observability of your application communications with telemetry, tracing, logging for audits. Istio offers compatibility with other open source tools like Prometheus, Grafana, and Jaeger. Istio collects and aggregates traffic flow metrics and errors from across all points in the service mesh. Observability is critical to discover, analyze, and address issue around connectivity, performance, security, and other real-world behavior of your service mesh.
5 Benefits of Istio
The key benefits of Istio are:
- Safe, reliable, secure communications – without an Istio service mesh, tools to manage your desired behavior around connectivity and security would have to be implemented directly in each application – which is not very efficient, consistent, or scalable.
- Abstracting communications from the application layer – Istio abstracts the control plane and data plane from the applications and physical infrastructure, making it much easier to manage, secure, and observe your distributed applications.
- Advanced traffic management – Istio lets you split traffic to support A/B testing, blue/green, canary deployments of applications for GitOps and CI/CD style application development.
- Goes beyond API gateways – older offerings around API gateways simply don’t achieve all the capabilities of Istio, since they were developed without being Kubernetes- and cloud-native. While some vendors have tried to adapt their products, they have built-in architectural limitations.
- Supports application modernization – Istio even helps with digital transformation and cloud migration initiatives by providing a way to direct traffic between new microservices and legacy applications.
How to implement Istio
As an open source project, Istio can be downloaded directly from community-led repositories on GitHub or sourced and licensed from a commercial provider like Solo.io. To evaluate the Istio Ambient service mesh, use the Getting Started with Ambient Mesh guide. The Istio control plane is deployed in Kubernetes clusters with open source Envoy Proxy gateways and sidecars to operate the data plane itself, and allows you to configure and enforce your policies for both North-South and East-West traffic.
Customers deploy and install Istio using Helm charts and/or YAML files in Kubernetes to both push the software and configure it. The Istio control plane is used to further manage the configurations, set policies, and perform updates. Many choose to use the Istio command line “istioctl” to programmatically define and implement configurations and changes. Once Istio is deployed and configured, the next step is to define the services in the mesh. Envoy proxies are usually set up as sidecars in each of the Kubernetes application clusters.
You can implement and manage Istio yourself, but you should think about what is Istio going to need in terms of investment. Certainly Istio will require a lot of administrative effort to self-support and adapt to enterprise requirements, or you can choose a more comprehensive Istio management product, such as Gloo Mesh which comes with enterprise production support. If you want to make it easier for your API producing and consuming developers, an Istio-native developer portal enables GitOps and CI/CD methodologies. You can learn the fundamentals of Istio deployment and operations with free workshops and optional certification.