Service mesh: A primer on Istio

Antonio, DevOps Engineer

April 22, 2022

Does the term ‘distributed systems’ give you chills? Do you feel like you’re flying without a cockpit when observing your production environment? We’ve all experienced all that to some extent. Distributed systems are hard to tame, and having full visibility into what’s happening within them is no easy task.

One of the many layers to monitor is the network. We need to be able to answer questions like:

  • Where are my services sending requests?
  • Which applications are communicating?
  • Is there latency in any link?
  • There’s been an unexpected response from our service. From all the events it chained, where did it begin?

Service mesh is an additional infrastructure layer that allows us to have further control over the network by extending its features. Let’s first define the base concepts, so that we understand where we are and where we want to go.

Let’s first remember that a reverse proxy (Nginx, HAproxy… you name it) is software that intercepts traffic and provides TLS termination, caching, metrics etc.

These are frequent features worth decoupling from our applications for a better operation of both the environment and the business logic. Now, let’s imagine that we have a set of microservices, and we want to have the aforementioned features for each one of them. We may end up with another set of reverse proxies, each one with a different configuration:

We can all agree that that is an architecture that will soon be difficult to scale and maintain. What if we place some logic that can help us operate them?

Now it looks easier to handle, right? Well, in fact, that’s what a service mesh looks like.

A service mesh is composed of 2 main components:

  • A control plane, i.e., a logic that computes the configuration of all the proxies and is in charge of updating all of them.
  • A data plane that does all the heavy lifting by intercepting and managing all incoming and outgoing traffic of the services.

This is the architecture; however, we’re not going to reinvent the wheel because (lucky us) there are already several solutions in the market that provide those types of features, such as: Linkerd, Consul Service Mesh or Istio. Each one of them has its pros and cons, so unfortunately for us, there’s no so-called ‘holy grail.’

Given our requirements at The Workshop, we chose Istio, which is an open-source project developed by Google and IBM. It uses Envoy as a proxy, which is developed by Lyft.

These are the feature we are currently using:

  • Enforcing mutual TLS (mTLS) between our microservices i.e., both parties are authenticating each other and encrypting the traffic.
  • Limiting outgoing traffic to a set of domains, discarding any other destination.
  • TLS termination and HTTP to HTTPS redirection for incoming traffic.
  • Custom load balancing for a specific set of applications.

This technology offers an exciting and wide range of possibilities, and we’re still studying how to improve both the security and performance of our infrastructure by taking full advantage of it.

Share this article

Next Articles

February 12, 2024

Elevating teams and products: The unseen value of UX research

User Experience (UX) research is more than a standalone part of the UX design process. It serves as a foundational approach that informs and enhances the product development cycle from

February 18, 2022

How can you spice up your retrospectives?

How can you spice up your retrospectives? I’ve noticed that since the start of the pandemic, and even before, many teams have been struggling to make retrospectives interesting, to the

April 15, 2020

How to improve the stakeholder engagement based on the VAK learning models

Have you ever thought about how to better approach or sell your ideas to your stakeholders? Or, to look at it another way, have you ever thought about how your

Our Locations

Málaga

Explore the City

View Open Positions

London

Explore the City

View Open Positions

Madrid

View Open Positions

Keep in Touch

Instagram Linkedin Youtube Envelope
Licence Info
The Workshop Technologies Limited (‘The Workshop’) is licensed and regulated by the UK Gambling Commission, licence number 51265.
The Workshop Technologies Limited (‘The Workshop’) is licensed and regulated by the UK Gambling Commission, licence number 51265.

Legal Info

Privacy Policy, Terms and Conditions, Modern Slavery Policy, and how we handle cookies.

© Copyright The Workshop 2024. All rights reserved.

Contact Us

If you have any questions, just fill in the form and we’ll get back to you.

Controller: The Workshop Technologies Ltd. Purpose: To provide the services offered through the website or to handle other types of relationships that may arise with The Workshop Technologies Ltd as a result of the requests, procedures, or formalities performed by the user through the website. Legal basis: Consent of the data subject as provided in Regulation (EU) 2016/679 and the LOPDGDD 3/2018. Recipients: Internal automated file of The Workshop Technologies Ltd and third parties for the development, maintenance, and control of the legal relationship established when there is legal authorization by the user to do so. Rights: Access, rectification, transfer, opposition, and deletion. Additional information: You can obtain all the additional and detailed information you need about the processing and protection of your personal data at the link Privacy Policy.

We Come From

  • Argentina
  • Australia
  • Belguim
  • Bulgaria
  • Canada
  • China
  • Croatia
  • Cuba
  • Czech Republic
  • Estonia
  • Finland
  • France
  • Germany
  • Hungary
  • India
  • Ireland
  • Israel
  • Italy
  • Latvia
  • Lithuania
  • Morocco
  • Netherlands
  • Nicaragua
  • Norway
  • Philippines
  • Poland
  • Portugal
  • Romania
  • Spain
  • Sweden
  • United Kingdom
  • USA
  • Uzbekistan
  • Venezuela

Like what you see?

Join your comrades or add a new flag!

View Careers Page

Thanks!

Your message was sent. We will get back to you shortly.

Got it