Chapter 52: Service Mesh
A Service Mesh is a dedicated infrastructure layer for handling service-to-service communication in microservices architectures.
What is a Service Mesh?
```text
Service Mesh Overview

Without Service Mesh

    Service A ────── Service B ────── Service C
        │                │                │
        └────────────────┴────────────────┘
                         │
                         ▼
              Each service handles:
              - Load balancing
              - Circuit breaking
              - Authentication
              - Observability

With Service Mesh

    ┌─────────┐      ┌─────────┐
    │Service A│      │Service B│
    └────┬────┘      └────┬────┘
         │                │
         ▼                ▼
    ┌───────────────────────────────┐
    │        Sidecar Proxies        │  (Envoy)
    │          (data plane)         │
    └───────────────────────────────┘
                    │
                    ▼
    ┌───────────────────────────────────────────────┐
    │                 Control Plane                 │
    │      (Istiod, Control Tower, Navigator)       │
    └───────────────────────────────────────────────┘
```
Service Mesh Components

Data Plane
  - Sidecar proxies (Envoy)
  - Transparent traffic interception
  - L3/L4 and L7 processing
  - TLS termination
  - Load balancing
  - Circuit breaking

Control Plane
  - Service discovery
  - Configuration management
  - Certificate management
  - Traffic routing rules
  - Policy enforcement
Popular Service Meshes

```text
Service Mesh Comparison

Istio              | Linkerd           | Consul Connect
-------------------+-------------------+------------------------
Feature-rich       | Simpler           | Consul-native
Complex            | Lightweight       | HashiCorp
Strong community   | CNCF project      | Good for microservices

AWS App Mesh       | OpenShift Service Mesh
-------------------+-----------------------
AWS-native         | Red Hat
AWS integration    | Istio-based
Good for AWS       | Enterprise
```
Istio Configuration
Virtual Services

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
    - myapp
  http:
    # Rules are evaluated in order; the first matching block wins, so the
    # header-based rule must come before the catch-all.
    - match:
        - headers:
            x-canary:
              exact: "true"
      route:
        - destination:
            host: myapp
            subset: v2
          weight: 100
    # Any caller that sets x-canary reaches v2; treat this as a routing
    # convenience, not as access control.
    - route:
        - destination:
            host: myapp
            subset: v1
          weight: 100
```
Destination Rules

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: myapp
spec:
  host: myapp
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        h2UpgradePolicy: UPGRADE        # upgrade HTTP/1.1 to HTTP/2 toward the upstream
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
    loadBalancer:
      simple: LEAST_CONN
    outlierDetection:                   # eject a pod after 5 consecutive 5xx responses
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
  subsets:                              # subsets referenced by the VirtualService above
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
```
Authorization Policies

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: myapp-auth
spec:
  selector:
    matchLabels:
      app: myapp
  # action defaults to ALLOW; once an ALLOW policy selects a workload, every
  # request that matches none of its rules is denied.
  rules:
    - from:
        - source:
            # SPIFFE identity taken from the peer certificate, so this rule
            # only works when callers are forced to use mTLS (see mTLS Configuration).
            principals:
              - "cluster.local/ns/default/sa/frontend"
      to:
        - operation:
            methods: ["GET"]
            paths: ["/api/*"]
```
Traffic Management
Canary Deployments

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp-canary
spec:
  hosts:
    - myapp.example.com
  http:
    # Premium users are pinned to their own subset; this rule must precede the
    # weighted catch-all or it will never be evaluated.
    - match:
        - headers:
            cookie:                     # Istio requires lowercase header keys
              regex: "^(.*?;)?(user=premium)(;.*)?$"
      route:
        - destination:
            host: myapp
            subset: premium
          weight: 100
    # Everyone else gets a 90/10 split between stable and canary.
    - route:
        - destination:
            host: myapp
            subset: stable
          weight: 90
        - destination:
            host: myapp
            subset: canary
          weight: 10
```
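To make the route-selection rules concrete, here is an added example (not Istio's code and not part of the original chapter) that applies first-match-wins header matching and weighted routing to the two VirtualServices shown in this chapter. The `roll` argument stands in for the random number Istio draws per request.

```python
import re

# Constructed for this example: the http blocks of the two VirtualServices in
# this chapter, reduced to the match/route fields that drive route selection
# (Istio needs lowercase header keys, so the Cookie match is keyed "cookie").
CANARY_VS = [
    {"match": [{"headers": {"cookie": {"regex": r"^(.*?;)?(user=premium)(;.*)?$"}}}],
     "route": [{"subset": "premium", "weight": 100}]},
    {"route": [{"subset": "stable", "weight": 90}, {"subset": "canary", "weight": 10}]},
]
HEADER_VS = [
    {"match": [{"headers": {"x-canary": {"exact": "true"}}}],
     "route": [{"subset": "v2", "weight": 100}]},
    {"route": [{"subset": "v1", "weight": 100}]},
]

def header_matches(rule, value):
    """Evaluate one Istio StringMatch (exact / prefix / regex) against a header value."""
    if value is None:
        return False
    if "exact" in rule:
        return value == rule["exact"]
    if "prefix" in rule:
        return value.startswith(rule["prefix"])
    # Istio regex matches must cover the whole value; fullmatch models that.
    return re.fullmatch(rule["regex"], value) is not None

def select_subset(http_routes, headers, roll):
    """Return the subset a request is routed to: the first block whose match
    clause holds (or that has none) wins, so a catch-all listed first would
    shadow every later rule. `roll` is the [0, 100) number Istio draws at random
    per request; passing it in makes the weighted split reproducible."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    for block in http_routes:
        clauses = block.get("match", [])
        # Clauses are OR-ed; every header inside one clause must match (AND).
        if clauses and not any(
            all(header_matches(m, hdrs.get(h)) for h, m in c["headers"].items())
            for c in clauses
        ):
            continue
        total = sum(d["weight"] for d in block["route"])
        cumulative = 0.0
        for dest in block["route"]:
            cumulative += dest["weight"]
            if roll * total / 100 < cumulative:
                return dest["subset"]
    raise LookupError("no http route matched")
```

Note that the chapter's regex leaves no room for the space browsers put after `;`, so a cookie header of `theme=dark; user=premium` falls through to the stable/canary split.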
Circuit Breaking

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: myapp-cb
spec:
  host: myapp
  trafficPolicy:
    connectionPool:                     # requests beyond these limits are rejected immediately
      tcp:
        maxConnections: 10
      http:
        http2MaxRequests: 10
        maxRequestsPerConnection: 10
    outlierDetection:                   # passive health check on live traffic
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50            # never eject more than half of the pool
```
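The following added example (a simplified model written for this chapter, not Envoy's implementation) shows what the outlierDetection settings above do to a pool of endpoints: ejection after five consecutive 5xx responses, ejection time growing with each ejection, and the maxEjectionPercent cap that keeps a second failing replica in rotation.

```python
from dataclasses import dataclass

# Settings copied from the myapp-cb DestinationRule above; `interval` only
# drives Envoy's periodic sweep and is not modelled here.
OUTLIER = {"consecutive5xxErrors": 5, "baseEjectionTime": 30, "maxEjectionPercent": 50}

@dataclass
class Endpoint:
    name: str
    consecutive_5xx: int = 0
    ejections: int = 0           # times this host has been ejected so far
    ejected_until: float = -1.0  # second at which it may rejoin the pool

class OutlierDetector:
    """Simplified model (written for this chapter, not Envoy's code) of the
    consecutive-5xx outlier detection the DestinationRule configures: a host
    is ejected after N consecutive 5xx responses, for baseEjectionTime times
    the number of times it has been ejected, and never beyond
    maxEjectionPercent of the pool (rounded down). With two replicas and 50%,
    one bad host is ejected and a second one stays in rotation regardless."""

    def __init__(self, hosts, cfg=OUTLIER):
        self.hosts = [Endpoint(h) for h in hosts]
        self.cfg = cfg

    def healthy(self, now):
        """Names of hosts currently eligible to receive traffic."""
        return [h.name for h in self.hosts if h.ejected_until <= now]

    def record(self, name, status, now):
        """Feed one response for `name`; return True if it caused an ejection."""
        host = next(h for h in self.hosts if h.name == name)
        if status < 500:
            host.consecutive_5xx = 0  # any non-5xx resets the streak
            return False
        host.consecutive_5xx += 1
        if host.consecutive_5xx < self.cfg["consecutive5xxErrors"]:
            return False
        host.consecutive_5xx = 0
        ejected = len(self.hosts) - len(self.healthy(now))
        if ejected >= len(self.hosts) * self.cfg["maxEjectionPercent"] // 100:
            return False  # cap reached: keep serving rather than empty the pool
        host.ejections += 1
        host.ejected_until = now + self.cfg["baseEjectionTime"] * host.ejections
        return True
```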
Observability

Service Mesh Observability

Metrics (Prometheus + Grafana)
  - Request volume
  - Success rates
  - Latency distributions
  - Circuit breaker status

Distributed Tracing (Jaeger)
  - Request path across services
  - Service dependencies
  - Performance bottlenecks

Logging (Fluentd + Kibana)
  - Access logs
  - Error logs
  - Audit logs
Telemetry Configuration

```yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  # Apply this in the root namespace (istio-system) for it to be the mesh-wide default.
spec:
  tracing:
    - providers:
        - name: jaeger
      randomSamplingPercentage: 10.0    # trace 10% of requests (field name corrected)
  metrics:
    - providers:
        - name: prometheus
  logging:
    - providers:
        - name: fluentd
# Provider names must match extensionProviders in the MeshConfig; "prometheus"
# is built in, while "jaeger" and "fluentd" need an entry there.
```
mTLS Configuration

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  # No namespace is given, so this applies only to the namespace it is created
  # in; create it in the root namespace (istio-system) to enforce STRICT mesh-wide.
spec:
  mtls:
    mode: STRICT                        # reject plaintext; PERMISSIVE would still accept it
```
```yaml
# Destination rule for TLS
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: myapp-tls
spec:
  host: myapp
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL                # client side: use Istio-issued certificates
```
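The three security manifests above only work together when the mTLS posture matches what the AuthorizationPolicy and DestinationRule assume. This added example (not Istio's code and not part of the original chapter) resolves the effective PeerAuthentication mode per namespace the way Istio does and flags identity-based rules or client TLS settings that contradict it; the "staging" namespace is a constructed addition that was left PERMISSIVE.

```python
ROOT_NS = "istio-system"  # selector-less PeerAuthentication here is mesh-wide

# Constructed for this chapter (not Istio's code): the security manifests above,
# parsed into dicts (PyYAML not assumed), plus a "staging" namespace that was left
# PERMISSIVE and copies the same identity-based authorization policy.
MANIFESTS = [
    {"kind": "PeerAuthentication", "ns": "default", "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "PeerAuthentication", "ns": "staging", "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"kind": "AuthorizationPolicy", "ns": "default", "spec": {"rules": [
        {"from": [{"source": {"principals": ["cluster.local/ns/default/sa/frontend"]}}],
         "to": [{"operation": {"methods": ["GET"], "paths": ["/api/*"]}}]}]}},
    {"kind": "AuthorizationPolicy", "ns": "staging", "spec": {"rules": [
        {"from": [{"source": {"principals": ["cluster.local/ns/staging/sa/frontend"]}}]}]}},
    {"kind": "DestinationRule", "ns": "default",
     "spec": {"host": "myapp", "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
]

def effective_mtls(manifests, ns):
    """mTLS mode workloads in `ns` are held to. A namespace-scoped policy beats the
    mesh-wide one; with neither, Istio's default is PERMISSIVE (returned as None).
    Note the chapter's `default` policy has no namespace, so it is NOT mesh-wide."""
    modes = {m["ns"]: m["spec"].get("mtls", {}).get("mode", "UNSET")
             for m in manifests
             if m["kind"] == "PeerAuthentication" and "selector" not in m["spec"]}
    return modes.get(ns, modes.get(ROOT_NS))

def audit(manifests):
    """Findings where identity-based authorization or client TLS contradicts the
    mTLS posture; an empty list means the manifests are consistent."""
    findings = []
    for m in manifests:
        ns, spec = m["ns"], m["spec"]
        mode = effective_mtls(manifests, ns)
        if m["kind"] == "AuthorizationPolicy":
            # principals/namespaces come from the peer certificate, so they are
            # only trustworthy when every caller is forced to present one.
            keyed_on_identity = any(
                key in f.get("source", {})
                for r in spec.get("rules", []) for f in r.get("from", [])
                for key in ("principals", "namespaces"))
            if keyed_on_identity and mode != "STRICT":
                findings.append(f"{ns}: AuthorizationPolicy keys on peer identity "
                                f"but mTLS is {mode or 'not enforced'}; set STRICT first")
        elif m["kind"] == "DestinationRule":
            tls = spec.get("trafficPolicy", {}).get("tls", {}).get("mode")
            if tls == "DISABLE" and mode == "STRICT":
                findings.append(f"{ns}: DestinationRule for {spec['host']} disables "
                                "TLS while the server side is STRICT")
    return findings
```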
Summary

In this chapter, you learned:
- Service Mesh: What it is and why use it
- Components: Data plane vs Control plane
- Tools: Istio, Linkerd, Consul, AWS App Mesh
- Traffic Management: Virtual services, routing, canary
- Resilience: Circuit breaking, retries, timeouts
- Security: mTLS, authorization policies
- Observability: Metrics, tracing, logging