Service mesh vs. API gateway

What is service mesh?

A service mesh is an infrastructure layer that facilitates service-to-service communication over a network by providing traffic management, observability and security. It is often deployed in Kubernetes environments. It enables separate components of a microservices application to securely communicate. A service mesh can help make service-to-service communication reliable, secure, and fast. Containerized and cloud native applications often utilize service meshes.

You can use a service mesh to control the delivery of service requests in your application. Common service mesh features include load balancing, service discovery, failure recovery, and encryption. A service mesh can also improve reliability for APIs.

1. Communication

• API gateways manage externally initiated requests, such as application user requests to display specific pages. It is mainly responsible for client-to-server communication often referred to as north/south traffic.
• Service mesh handles internal requests that microservices send to other microservices in your application. It is mainly responsible for service-to-service communication, often referred to as east/west traffic.

2. Position in the Architecture

• API gateways are an infrastructure component that sits between the network edge and the application backend (this backend can include a service mesh). When external components and services initiate requests for your application, the API gateway receives and validates those requests and controls access to your internal services.
• Service mesh controls how different parts of an application interact and communicate with one another. Learn more in our guide to service mesh architecture

3. Observability 

• API gateways provide the most value when tracking application health. For example, they can provide data on how long an API request takes to respond, how long it takes to identify that an API is down, and how it affects traffic.
• Service mesh helps teams identify issues with individual microservices and components in the backend of an application. Monitoring the service mesh can help you troubleshoot services and determine the cause of specific application performance issues. However, with a service mesh you typically cannot monitor applications end-to-end, for example to understand the impact of a malfunctioning microservice on the end-user experience.

4. Deployment and Management

• API gateways are managed at the edge of networks and are primarily focused on authentication, protocol translations and rate-limiting.

Service mesh is deployed along with microservice applications, typically as a sidecar container, and their configurations specify how to manage concerns like security, encryption, observability, and logging.

Benefits of using a service mesh include:

• Built-in observability—teams often have multiple tools for tracking logging, tracing, metrics, and security controls. A service mesh provides these capabilities out of the box.
• Improved security—provides a certificate authority that generates service-specific certificates for transport layer security (TLS) communication between services.
• Reliability—provides resiliency features such as service discovery, latency-aware load balancing, circuit breakers, retries, and timeouts.
• Traffic control— enables fine-grained control over East-West network traffic to determine where requests are routed.
• Defect simulation—enables developers to inject defects and delays to simulate and debug real life problems.
• Abstracting communication logic—reduces the amount of code in a microservice, by taking care of concerns like networking, service retries, and timeouts, etc. This provides advanced communication capabilities while keeping microservices light.

Downsides of using a service mesh include:

• Increased learning curve—while the service mesh control plane is designed to help manage the data plane, it adds more capabilities and concepts that need to be understood before adoption.
• Emerging market—service mesh is a new technology, there are several open source and commercial options available, and existing staff may not have experience operating a service mesh.

Benefits of API gateways include:

• Standardized service delivery—centralizes the way services are delivered through APIs and microservices.
• Simplified communication—combines multiple API calls to request data and services, reducing requests and traffic. This simplifies API management and improves user experience.
• Flexibility—enables a high degree of customization, making it possible to encapsulate the internal structure of an application in multiple ways, invoking back end services as needed and aggregating the results.
• Support for legacy applications—enables interaction with legacy applications, making it possible to extend their capabilities. However, this can make migration to an API gateway more complex.
• Improved monitoring—instead of relying on dedicated monitoring tools for APIs, teams can use API Gateway logs to monitor API activity, identify failure and troubleshoot issues.

Downsides of API gateways include:

• Resilience—some API gateway architectures (e.g. hardware load balancers) can become a single point of failure because all communications to and from the microservices application rely on it. 
• Performance—different API gateway products utilize different underlying technologies and performance can be dependent on this technology.
• Maintenance & Extensibility—Older API gateway products can rely on outdated scripting languages for extensibility or operational databases that can increase maintenance tasks. 

One of the latest advancements in the API gateway and service mesh markets is the introduction of Gloo Platform. This product provides an API gateway (Gloo Gateway) and a service mesh (Gloo Mesh) in a single integrated platform. This enables organizations to utilize a single management product for both the edge API gateway (north/south traffic) and service-to-service communication (east/west traffic). This advancement simplifies lifecycle management and centralizes integrations and extensibility while providing Zero Trust security and delegated ownership of API access, configuration and policy.