A service mesh handles the communication between microservices, providing traffic management, security, and observability without changing application code.
What is a Service Mesh?#
Without service mesh:
┌─────────────┐ ┌─────────────┐
│ Service A │─────────│ Service B │
│ │ │ │
│ (handles │ │ (handles │
│ retries, │ │ auth, │
│ timeouts, │ │ logging, │
│ tracing) │ │ etc.) │
└─────────────┘ └─────────────┘
Every service implements networking concerns.
With service mesh:
┌─────────────┐ ┌─────────────┐
│ Service A │ │ Service B │
├─────────────┤ ├─────────────┤
│ Sidecar │────────│ Sidecar │
│ Proxy │ │ Proxy │
└─────────────┘ └─────────────┘
Networking handled by sidecar proxies.
Application code stays simple.
Core Components#
Data Plane (Sidecar Proxies)#
Loading code block...
Control Plane#
Control plane components:
- Pilot: Traffic management
- Citadel: Security (mTLS, certificates)
- Galley: Configuration validation
- Mixer: Policy and telemetry (deprecated in Istio 1.5+)
┌─────────────────────┐
│ Control Plane │
│ (Istiod in Istio) │
└──────────┬──────────┘
│ Configuration
┌───────────────┼───────────────┐
▼ ▼ ▼
┌─────────┐ ┌─────────┐ ┌─────────┐
│ Sidecar │ │ Sidecar │ │ Sidecar │
└─────────┘ └─────────┘ └─────────┘
Traffic Management#
Request Routing#
Loading code block...
Traffic Splitting#
Loading code block...
Retries and Timeouts#
Loading code block...
Circuit Breaking#
Loading code block...
Security#
Mutual TLS (mTLS)#
Loading code block...
Authorization Policies#
Loading code block...
JWT Authentication#
Loading code block...
Observability#
Distributed Tracing#
Loading code block...
Loading code block...
Metrics (Prometheus)#
Loading code block...
Access Logs#
Loading code block...
When to Use a Service Mesh#
Good fit:
✓ Many microservices
✓ Need mTLS between services
✓ Complex traffic management
✓ Require observability across services
✓ Zero-trust security model
Consider alternatives:
✗ Simple architectures (< 10 services)
✗ Performance-critical, low-latency systems
✗ Teams without Kubernetes experience
✗ Resource-constrained environments
Trade-offs#
Pros:
+ Consistent security and observability
+ Traffic management without code changes
+ Centralized policy enforcement
+ Automatic mTLS
Cons:
- Added latency (proxy hop)
- Increased resource usage
- Operational complexity
- Learning curve
Conclusion#
Service meshes solve real problems in microservices architectures: security, observability, and traffic management. But they add complexity and resource overhead.
Start without a service mesh. Add one when you have enough services that manual management becomes unsustainable, typically around 10-20 services. Istio is feature-rich, while Linkerd is simpler to operate.