The two main challenges posed by service mesh are complexity and performance. Service mesh introduces an additional control plane, which causes increased deployment complexity and significant operational overhead. These four pillars represent a really powerful feature set however, this power comes at a cost. Lastly, the observe pillar covers observability features, including sidecar proxies being able to collect telemetry and logs around how services within a mesh communicate with one another. This is where a mesh provides facilities to secure traffic with mutual TLS authentication, and enforce policies on that traffic in terms of service-to-service communication. The next two pillars, secure and control, are sometimes simply referred to as security. In the connect pillar, also referred to as traffic management, you get some of the advanced capabilities you might need if you’re versioning microservices and need to be able to handle various failure scenarios. One of the most popular open-source service meshes breaks these features down into four pillars: features to connect, secure, control, and observe. Service mesh provides a powerful but complex set of features. Service mesh architecture Service mesh features While Kubernetes has its own control plane that schedules pods and handles auto-scaling of deployments, service mesh introduces another control plane to manage what these proxies are doing in order to enable service-to-service communication. The control plane manages and configures proxies to route traffic, and collects and consolidates data plane telemetry. All application-layer traffic is routed through the data plane. This means that every pod includes an instance of this proxy to mediate and control communication between microservices, and observe, collect, and report mesh traffic telemetry. The data plane is implemented as proxies, such as Envoy, deployed as sidecars. While this design pattern of a sidecar proxy makes up the data plane of a service mesh, most meshes introduce an additional control plane to configure and operate the data plane. Envoy is one of the most popular proxies and is being used within service meshes for its performance, extensibility, and API facilities. Services communicate and handle requests via a proxy, which is dynamically injected into each pod. One of the key aspects of how a service mesh works is that it leverages a sidecar design pattern. The service mesh architecture leverages design patterns to enable communication between services without requiring microservices to rewrite applications. It provides capabilities around service discovery, load balancing traffic across services, security features around encryption and authentication, tracing observability, and more. Service mesh provides some of the middleware and some of the components that enable service-to-service communication, such as dynamic discovery.
What is a service mesh?Ī service mesh is a software infrastructure layer for controlling and monitoring internal, service-to-service traffic in microservices applications. While a service mesh is intended to help developers and SREs with a number of use cases related to service-to-service communication within Kubernetes clusters, a service mesh also adds operational complexity and introduces an additional control plane for security teams to manage.
The challenges involved in deploying and managing microservices have led to the creation of the service mesh, a tool for adding observability, security, and traffic management capabilities at the application layer. Kubernetes Security and Observability Summit.Application-Level Security and Observability.Full-Stack Observability powered by eBPF.Workload-based IDS/IPS, DDoS, DPI, and WAF.Multi-Cloud, Multi-cluster Networking, Security, Observability and Distros.Compare Products Open source, Cloud and Enterprise.Calico Enterprise Self-Managed Platform.