Skip to content

Introduction to Istio

Istio is an implementation of service mesh for observability, security in depth, and management that speeds deployment cycles.

It is an open source service mesh that layers transparently onto existing distributed applications.

Istio Architecture

Istio is logically splitted into a control plane and a data plane.

Architecture of Service Mesh

Control Plane

The control plane is the brain of the main network that manages, controls, and supervises the network of microservies.

The control plane manages and configures the proxies to route traffic. Additionally, the control plane configures Mixers to enforce policies and collect telemetry.

Data Plane

The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars.

These proxies mediate and control all network communication between microservices along with Mixer, a general-purpose policy and telemetry hub.

The sidecars deployed within the services and acting as proxy form the service mesh network.

Building Blocks of Istio

Istio Components Interaction

Component Description Group
Pilot Responsible for service discovery and configuring envoy sidecar proxies Control plane
Galley Configuration ingestion for Istio components Control plane
Sidecar injector Inside envoy sidecar for enabled namespaces Control plane
Citadel Automated key and certificate management Control plane
Policy Policy enforcement Control plane
Telemetry Gather telemetry data Control plane
Ingresss Gateway Manage inbound connection to the service mesh Control plane
Egress Gateway Manage outbound connection from the service mesh Control plane
Istio CNI Network initialisation Control plane
Prometheus Metrics collections Control plane
Core DNS DNS resolution in a multicluster gateways deployment Control plane
Cert Manager Issuance and renewal of TLS certificates Control plane
Grafana Grafana Monitoring dashboard Dashboard
Jaeger Distributed tracing Dashboard
Kiali Observability dashboard Dashboard
Envoy proxy Proxy injected as a sidecar Data plane
  • The ingress controller is responsible for allowing and redirecting the inbound traffic to the services running inside the service mesh.

  • The egress controller is responsible for allowing outbound traffic from the service mesh. If an application should connect, for example, to an external database or service, such configuration should be explicitly defined for the egress controller.

  • Pilot and Galley are responsible for the mesh configuration. They pull data from Kubernetes API Server and mix it with the local configuration defined within the mesh then push the configuration to different proxies forming the mesh.

  • Citadel push tls certificate to services enabling mutual TLS.

  • Mixer has two roles: gather metrics from the different components and enforce policy by double checking each request. In a high level deployment scenario Telemetry and Policy check should be deployed separately.

  • Dashboards gather metrics from the telemetry service and display it in a user friendly format.

Upstream vs Downstream

Upstream connections are the service Envoy is initiating the connection to, while Downstream connections are the client that is initiating a request through Envoy.

Istio Upstream vs Downstream

What is Envoy?

Envoy is a high-performance, open-source proxy designed for cloud-native applications. It's built to be a universal data plane and is commonly used in Service Mesh architectures. Envoy acts as an intermediary for all network communication between microservices within a system.

It's highly configurable and excels at handling tasks like load balancing, routing, authentication, monitoring, and more. Envoy is known for its reliability, observability, and extensive features that help manage and secure communication between services in complex, distributed systems.

How Does Istio Work?

Istio uses a proxy to intercept all your network traffic, allowing a broad set of application-aware features based on configuration you set.

An Envoy proxy is deployed along with each service that you start in your cluster, or runs alongside services running on VMs.

The control plane takes your desired configuration, and its view of the services, and dynamically programs the proxy servers, updating them as the rules or the environment changes.

Working of Istio