Service Mesh - service-to-service communication

Service Mesh's Control Plane


  • Greek word for "sail"
  • Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection
  • Layer 7 firewall + loadbalancer, ingress, blocking outgoing traffic, tracing, monitoring, logging
  • Policies and Telemetry: Prometheus, StatsD, FluentD and many others...


Istio architecture

  • Envoy - is a high-performance proxy to mediate all inbound and outbound traffic for all services in the service mesh.


  • Pilot - provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing.


  • Mixer - enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services.


  • Citadel - provides strong service-to-service and end-user authentication with built-in identity and credential management.

Istio types

  • DestinationRule configures the set of policies to be applied to a request after VirtualService routing has occurred. (Circuit Breaker, Load Balancers, TLS settings, Subset defintion)  


  • VirtualService defines the rules that control how requests for a service are routed within an Istio service mesh.


  • ServiceEntry is commonly used to enable requests to services outside of an Istio service mesh.


  • Gateway configures a load balancer for HTTP/TCP traffic, most commonly operating at the edge of the mesh to enable ingress traffic for an application.

Traffic Management with Istio

Istio Security Architecture

Istio Multicluster

Multiple k8s clusters managed by single Istio instance


  • K8S OpenStack / Minikube

  • Terrafrom, Helm, kubectl, Siege or Docker

  • 3 VMs (one master + 2 nodes)

  • Central loggin -> ELK Operator + rook.io Operator (as shared storage)

Kubernetes and Istio demo

By Petr Ruzicka

Kubernetes and Istio demo

  • 2,384