![\"Istio](\"https://istio.io/latest/docs/ops/deployment/architecture/arch.svg\")
Istio is an Open Source service mesh (developed in partnership between teams from Google, IBM, and Lyft), providing a dedicated infrastructure layer for creating service-to-service communication that is safe, fast, and reliable. Having such a fanatical communication layer can provide various advantages, like providing observability into communications, providing secure connections, or automating retries and backoff for failed requests.
\nA service mesh also often has more complex operational requirements, like A/B testing, canary rollouts, rate limiting, access control, and end-to-end authentication.
\nIstio does this by adding a sidecar proxy which intercepts all network communication between microservices, then configures and manages Istio using its control plane functionality, which incorporates:
\nAn Istio service mesh is logically split into a data plane and a control plane.
\nThe data plane is composed of Envoy proxy deployed as sidecars. Envoy itself is an L7 proxy and communication bus designed for modern microservices-based architecture. These proxies intercept and control all network communication between microservices. They also collect and report telemetry on all mesh traffic.
\nThe control plane manages and configures the proxies to route traffic.
\n
Istio Pilot manages and configures all the Envoy proxy instances deployed. It takes the rules for traffic behavior provided by the control plane and converts them into configurations applied by Envoy.
\nResponsible for controlling the authentication and identity management between services. Allow developers to build a zero-trust network based on service identity.
\nResponsible for enforcing access control and usage policies across the service mesh and collects telemetry data from the Envoy proxy and other services.
\nIt is the basic feature of Istio, which facilitates the routing between services. Istio simplifies the configuration of service-level properties like circuit breakers, timeouts, and retries.\nAll traffic that your mesh services send and receive (data plane traffic) is proxied through Envoy, making it easy to direct and control traffic around your mesh without making any changes to your services.
\nFor discovering all the services in the ecosystem, Istio connects to the Service discovery System and populates its service registry. The Envoy sidecar proxy then uses this registry to route traffic to the correct service.
\nHere are a few resources you can add for your deployment apart from the basic service discovery and load balancing:
\nVirtual services play a key role in making Istio's traffic management flexible and powerful. They do this by strongly decoupling where clients send their requests from the destination workloads that actually implement them.
\nSo, instead of sending requests directly to a service data plane, you send traffic through this virtual service. Using virtual service, you can route requests to different versions of the same service or different hostnames based on particular endpoints. This helps us to do various other things like A/B testing or doing canary rollouts.
A typical example:
\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n name: bookinfo\nspec:\n hosts:\n - bookinfo.com\n http:\n - match:\n - uri:\n prefix: /reviews\n route:\n - destination:\n host: reviews <-- Resolves to reviews.<namespace>.svc.cluster.local\n - match:\n - uri:\n prefix: /ratings\n route:\n - destination:\n host: ratingsWe use destination rules to configure what happens to traffic for that destination. Destination rules are applied after virtual service routing rules are evaluated, so they apply to the traffic's real destination.
\nUsing destination rules, we specify the subsets of the service using labels, which are then used by the virtual service to route requests to a particular subset. In addition to that, we can also customize traffic policy, load balancing policy, connection pool settings, mTLS, etc.
apiVersion: networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n name: my-destination-rule\nspec:\n host: my-svc\n trafficPolicy:\n loadBalancer:\n simple: RANDOM\n subsets:\n #### This will work only if we have defined version label in the deployment\n - name: v1\n labels:\n version: v1\n - name: v2\n labels:\n version: v2\n trafficPolicy:\n loadBalancer:\n simple: ROUND_ROBIN\n - name: v3\n labels:\n version: v3Here we have defined destination rule for service my-svc and defined subsets and traffic policy global and per subset.
\nIt is used to manage inbound and outbound traffic for your mesh, letting you specify which traffic you want to enter or leave the mesh. Gateway configurations are applied to standalone Envoy proxies running at the edge of the mesh, rather than sidecar Envoy proxies running alongside your service workloads. Using this, we can expose our services to the internet.
\nA typical example would be:
\napiVersion: networking.istio.io/v1alpha3\nkind: Gateway\nmetadata:\n name: my-svc-gateway\n namespace: test\nspec:\n selector:\n istio: ingressgateway\n servers:\n - port:\n number: 80\n name: http\n protocol: HTTP\n hosts:\n - my-svc.example.comistio: ingressgateway is the gateway which is enabled by default after installation. We can create our custom gateway. Here, the hosts my-svc.example.com will resolve to the load balancer provided by the Istio by default. To use this gateway, one has to add config in the virtual service like for example:
\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n name: my-svc\nspec:\n hosts:\n - my-svc\n - my-svc.example.com <-- The host should match\n gateways: <--- gateway config\n - my-svc-gateway\n http:\n - route:\n - destination:\n host: my-svc.test.svc.cluster.local\n port:\n number: 80 This feature provides network configuration dynamically at runtime, which includes retries, fault injection, circuit breakers, and timeouts.
\nThis object is used to add an external service as part of the service mesh, including a service running in a VM or other K8s cluster in case of multi-cluster installation.
\nA typical example would be connecting a service to a database cluster that is not part of the mesh.
\napiVersion: networking.istio.io/v1alpha3\nkind: ServiceEntry\nmetadata:\n name: elasticsearch\n namespace: test\nspec:\n hosts:\n - elasticsearch.elasticsearch.svc.cluster.local\n location: MESH_INTERNAL\n ports:\n - name: https\n number: 9200\n protocol: TCP\n resolution: DNSThe Service Entry should be in the same namespace as that of the calling service. This is helpful, especially in the case where the service is not exposed to a public endpoint and can be accessed using internal service DNS like the above example.
\nIstio provides security features that will help us to establish a zero-trust network. Istio enables security by default and provides various authentication and authorization policy to regulate security.
\nFor example:
\napiVersion: security.istio.io/v1beta1\nkind: PeerAuthentication\nmetadata:\n name: dsl-es\n namespace: pdp-test\nspec:\n selector:\n matchLabels:\n app: dsl-es\n mtls:\n mode: STRICTHere we define a peer authentication object for a service labeled my-svc, which tells that any service that needs to talk to my-svc will communicate using mtls. The service will accept only TLS connection. By default, Istio enables PERMISSIVE mode, which accepts both plaintext and encrypted communication.
\nWe can define peer authentication on the mesh, namespace, and pod level.
\nThat is all for the introduction to Istio. In the next part, we will look at installing Istio and configuring services to use Istio.
\n","headings":[{"value":"What is Istio?","depth":2},{"value":"Istio Architecture","depth":2},{"value":"Istio Core Components","depth":2},{"value":"Pilot","depth":3},{"value":"Citadel","depth":3},{"value":"Mixer","depth":3},{"value":"Istio Features","depth":2},{"value":"Traffic Management","depth":3},{"value":"Virtual Services","depth":3},{"value":"Destination Rule","depth":3},{"value":"Gateway","depth":3},{"value":"Network Resilience","depth":3},{"value":"Service Entries","depth":3},{"value":"Security","depth":3}],"fields":{"slug":"/engineering/istio-service-mesh/"},"frontmatter":{"metatitle":null,"metadescription":null,"description":"This post will give a high-level introduction to Istio and its related concepts and terminologies.","title":"Istio Service Mesh: A Beginners Guide","canonical":null,"date":"December 07, 2020","updated_date":null,"tags":["Istio","Service Mesh"],"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/452f4d9f7cb358e3d6224ed3aba3d5d6/03979/Istio.png","srcSet":"/static/452f4d9f7cb358e3d6224ed3aba3d5d6/f5f11/Istio.png 200w,\n/static/452f4d9f7cb358e3d6224ed3aba3d5d6/6d133/Istio.png 400w,\n/static/452f4d9f7cb358e3d6224ed3aba3d5d6/03979/Istio.png 800w,\n/static/452f4d9f7cb358e3d6224ed3aba3d5d6/0d359/Istio.png 900w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Piyush Kumar","github":"kpiyush17","bio":"Software Engineer","avatar":null}}}},"pageContext":{"id":"63d288ed-cd2e-57db-911e-3f267b8ae61d","fields__slug":"/engineering/istio-service-mesh/","__params":{"fields__slug":"engineering"}}},"staticQueryHashes":["1171199041","1384082988","1711371485","1753898100","2100481360","229320306","23180105","528864852"]}