Istio

• Greek word for "sail"
• Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection
• Layer 7 firewall + loadbalancer, ingress, blocking outgoing traffic, tracing, monitoring, logging
• Policies and Telemetry: Prometheus, StatsD, FluentD and many others...

Istio overview

Istio architecture

• Envoy - is a high-performance proxy to mediate all inbound and outbound traffic for all services in the service mesh.

• Pilot - provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing.

• Mixer - enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services.

• Citadel - provides strong service-to-service and end-user authentication with built-in identity and credential/certificate management.

• Galley - is Istio's configuration validation, ingestion, processing and distribution component

Istio components

https://istio.io/docs/reference/config/networking/

Traffic Management with Istio

Istio security overview

Istio Security Architecture

Istio Multicluster

Multiple k8s clusters managed by single Istio instance

Istio multicluster service mesh - Gateway

Istio mesh spanning multiple Kubernetes clusters using Istio Gateway to reach remote pods

Istio multicluster service mesh - VPN

Istio mesh spanning multiple Kubernetes clusters with direct network access to remote pods over VPN

Demo

• Amazon EKS Cluster

• awscli, eksctl, helm, kubectl, siege or docker

• 2 Worker instances

• Install Helm

• Install Istio

• Generate + Use SSL certificates

• Install Bookinfo demo application consist of multiple microservices

• Configure Istio Request Routing based on user identity

• Configure Istio Injecting an HTTP delay fault

• Configure Istio Injecting an HTTP abort fault

• Configure Istio - Weight-based routing (Canary Deployments)

Istio in AWS