As organizations increasingly move toward using containers and microservices for application deployment, networking complexity has increased. One of the emerging approaches for dealing with that complexity is the Istio service mesh project, led by Google, which announced its 1.0 release on July 31.
Istio disaggregates microservices networking connectivity, enabling services to be connected in a mesh. With Istio, service-to-service networking can be offloaded from individual microservices in a way that could help to expedite development.
Kubernetes is a container orchestration system and has its own networking abstraction known as the Container Networking Interface (CNI) with policies defined via the Network Policy API. Istio can be deployed on top of an existing Kubernetes CNI deployment.
“Just as Kubernetes provides orchestration of containers, Istio might best be viewed as providing orchestration of service-to-service networking, yielding a much better way to develop and deploy microservice-based applications in a multicloud world,” Lew Tucker, CTO for Cloud Computing at Cisco, wrote in a blog post.
Tucker explained that sidecar proxies, sitting next to each service instance, manage traffic, set up secure connections and work in concert with control plane elements operating across the entire mesh.
Red Hat engineer Brian “Redbeard” Harrington commented that Istio is helpful for intelligent routing and load balancing, as well as for enforcing organizational policy between services and applications.
“The goal of the service mesh layer is to simplify the cloud native application development and management process,” Harrington wrote in a blog post. “A service mesh can aid in testing how applications perform and how they behave when components within the environment fail.”
IBM has also been a leading backer of Istio and will be supporting it across its Kubernetes efforts in the IBM cloud. Jason McGee, VP of IBM Cloud, also noted that managing all of the different elements in a microservices architecture can be complex.
“By connecting and routing these pieces together, Istio gives control back to developers over how their app is operating and where data is routed in the cloud,” McGee wrote in a blog post.
Among the core features that are implemented and fully supported in the Istio 1.0 release are traffic management capabilities for HTTP- and gRPC-based traffic. The system also provides integration with the Prometheus cloud native monitoring project, as well as local logging capabilities.
On the security front, Istio 1.0 implements a service-to-service mutual TLS layer for encrypted data communication. The mutual TLS functionality is enabled in part via the Envoy cloud native proxy project.
“Istio tunnels service-to-service communication through the client side and server side Envoy proxies,” the Istio project documentation states.
Istio 1.0 also supports a deny checker to block certain actions based on policy, as well as a list checker to perform simple whitelist and blacklist checks.
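To make the mutual TLS layer described above concrete, here is an added example (not from the article or the Istio project's own manifests) of the two Istio 1.0-era resources an operator applies to turn it on mesh-wide: a cluster-scoped MeshPolicy that tells the server-side sidecars which peers to accept, and a DestinationRule that tells the client-side sidecars to originate mTLS. It assumes the authentication.istio.io/v1alpha1 and networking.istio.io/v1alpha3 API versions that shipped with 1.0; the weak PERMISSIVE setting is shown commented out beside the STRICT one.

```yaml
# Server side: mesh-wide authentication policy (assumed Istio 1.0 API).
# STRICT means every sidecar rejects plaintext service-to-service
# connections; a peer without a valid mesh certificate cannot talk to it.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"          # the mesh-wide policy must be named "default"
spec:
  peers:
  - mtls:
      mode: STRICT
  # Weak setting, useful only during migration: sidecars accept BOTH
  # mTLS and plaintext, so an unencrypted caller is still let in.
  # - mtls:
  #     mode: PERMISSIVE
---
# Client side: without this rule the calling sidecar keeps sending
# plaintext, and with STRICT above every request fails with 503.
# ISTIO_MUTUAL makes Envoy use the certificate issued by Istio's CA.
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "default"
  namespace: "istio-system" # cluster-wide default for all hosts
spec:
  host: "*.local"           # every in-cluster service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Both halves must be present: the policy alone breaks in-mesh calls, while the DestinationRule alone encrypts traffic but still lets servers accept plaintext from non-mesh clients. After applying them, `istioctl authn tls-check` (an Istio 1.0 command) reports, per service, whether the server policy and client rule agree.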
Sean Michael Kerner is a senior editor at EnterpriseNetworkingPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.