Micro-service mesh management framework

It provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between microservices, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code.


* A/B testing, 
* canary releases, 
* failure recovery, 
* metrics,

Key Capability

* Traffic Management 

- load balancing, 
- rate limiting, 
* Observability
- monitoring
* Policy Enforcement 
- access control,
- load balancing, 
* Service identity and security
- service-to-service authentication, 
- discovery of services, 
- end-to-end authentication.
* Platform Support
- Cloud, 
- on-premise, 
- Kubernetes, 
- Mesos
* Integration and Customization : integrate with existing solutions for 
- ACLs, 
- logging, 
- monitoring, 
- quotas, 
- auditing 
- etc.

Istio pre-configured add-ons

* Grafana : dashboard to visualize service mesh traffic data
* Prometheus : to query istio metrics 
* ServiceGraph :  generating and visualizing a graph of services within a mesh
* Zipkin : distributed tracing system


1. Data plane : 
set of intelligent proxy (Envoy)

2. Control plane :

manage and configure proxy 
- to route traffic
- to enforce policy runtime. 

1. Envoy : sidecar proxy in same pod with features : 
dynamic service discovery, 
load balancing, 
TLS termination, 
HTTP & gRPC proxying, 
circuit breakers, 
health checks, 
staged roll-outs with percentage-based traffic split, 
fault injection, 
rich metrics.
 rich L7 routing

2. Mixer: 

platform independent

flexible plugin model 
with a variety of host environments and infrastructure back end


- enforce access control
- enforce usage policies such as authorization, rate limits, quotas, authentication etc.
- collect telemetry data from envoy
  - request tracing

Mixer configuration for
- attribute extraction
- policy evaluation


  Go Package. 
  Guide to develop new adapter :

3. Pilot

- converts high level routing rules that control traffic behavior into Envoy-specific configurations
- propagates Envoy-specific configurations to the sidecars at runtime
- abstracts platform-specific service discovery mechanisms
- translate service discovery to Envoy data plane API


* service discovery
* traffic management
* intelligent routing
- A/B tests, 
- canary deployments
* resiliency 
- timeouts, 
- retries, 
- circuit breakers, 
- etc.
* multiple environments 
- Kubernetes, 
- Consul/Nomad

4. istio-Auth
Authentication using mutua TLS
Built-in identity + credentials management
enforce policy based on service identity

5. Citadel

A centralized component responsible for certificate issuance and rotation.

6. Node Agent

A per-node component responsible for certificate issuance and rotation.

7. Galley

Central component for validating, ingesting, aggregating, transforming and distributing config within Istio.

In nut-shell istio is all about just configuring Envoy proxy 


Manish Panchmatia said...

Manish Panchmatia said...

Manish Panchmatia said...

Manish Panchmatia said...

Post a Comment