Embracing Microservices With Istio

Istio is Google’s open source project for containerised application management which, after rapid development, led to the release of version 1.0 in the summer of this year.

In this blog post, we will be taking a look at what Istio is, how it works and how it can help you adopt microservices.

What is Istio?

Istio is a service mesh and serves as a dedicated infrastructure layer for making service-to-service communication safe, efficient, performant and reliable.

In addition to being a service mesh, Istio also provides service identity. Just as users are authenticated against a system before being granted access, services can have identities that other services authenticate. Role-based access control (RBAC) then enforces control over what services can do in our network.

Internals of Istio

Istio is made up of several management components that form the control plane, plus the proxy sidecars that they configure:

  • Pilot: Manages and configures all the proxy sidecars, providing service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing, and resiliency.
  • Mixer: Collects telemetry and handles policy decisions for your traffic.
  • Citadel: Is a Certificate Authority (CA) that issues and rotates TLS certificates.
  • Galley: Validates user-authored Istio API configuration on behalf of the other Istio control plane components.
  • Proxy: Istio uses an extended version of the Envoy proxy as a sidecar to every Kubernetes pod, providing dynamic service discovery, load balancing, TLS termination, RBAC, HTTP and gRPC proxying, circuit breaking, health checks, dynamic rollouts, fault injection and rich metrics.

What does Istio provide?

Traffic management

Istio allows you to dynamically direct traffic using route rules. In addition to handling common use cases such as canary deployments where a percentage of traffic is routed to one version of the applications, Istio allows you to set fine grained traffic percentages and a multitude of other criteria for a vast array of use cases.

Service Discovery

Istio abstracts the underlying service discovery mechanisms of Kubernetes and conforms them into a standard format consumable by the Envoy sidecars.

Service Identity

Istio uses istio-auth, which provides strong service-to-service and end-user authentication using mutual TLS, with built-in identity and credential management.

Network Policy

Istio provides a Layer 7 (application) level network policy to help you deliver your application securely. Operating at this layer gives Istio the ability to apply policies based on virtual host, URL, or other HTTP headers with support for TCP and UDP transport coming in the future. This provides an extra level of security on top of the default network policy that comes with Kubernetes.
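
As an added illustration of the service identity and Layer 7 policy described above (not configuration from the original post), the following uses the v1alpha1 authentication and RBAC resources of the Istio 1.0 release line, which later releases replaced. The shop namespace, the orders service and the frontend service account are hypothetical names.

```yaml
# Require mutual TLS for every workload in the hypothetical "shop" namespace.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata: {name: default, namespace: shop}
spec:
  peers:
  - mtls: {}
---
# Make client sidecars originate mutual TLS towards services in that namespace.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata: {name: default, namespace: shop}
spec:
  host: "*.shop.svc.cluster.local"
  trafficPolicy:
    tls: {mode: ISTIO_MUTUAL}
---
# Turn on RBAC enforcement for the "shop" namespace only; once enabled,
# requests that no ServiceRoleBinding allows are denied.
apiVersion: rbac.istio.io/v1alpha1
kind: RbacConfig
metadata: {name: default, namespace: istio-system}
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: ["shop"]
---
# Layer 7 rule: read-only access to one URL prefix of the orders service.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata: {name: orders-reader, namespace: shop}
spec:
  rules:
  - services: ["orders.shop.svc.cluster.local"]
    paths: ["/orders/*"]
    methods: ["GET"]
---
# Grant that role only to the frontend's service account identity, which the
# sidecar takes from the caller's mutual TLS certificate.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata: {name: frontend-reads-orders, namespace: shop}
spec:
  subjects:
  - user: "cluster.local/ns/shop/sa/frontend"
  roleRef:
    kind: ServiceRole
    name: orders-reader
```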

Audit Logging & Monitoring

Istio by default exposes the telemetry of all your services giving you a unified view of application metrics and traces without having to do any instrumentation.

It makes use of Prometheus for logging and monitoring with Grafana for visualisation and also allows you to generate a service graph configuration which gives you a graphical representation of your service mesh.

A great fit for Microservices

Building a great microservices system – with many small services built by multiple teams – requires a level of organizational and operational transformation that is too often left out of the discussion.

Istio provides great features out of the box which can help to untangle a problematic microservices design without having to change application code to understand the problems.

Bear in mind, however, that adding any new component, including Istio, into a system will increase operational complexity. The Istio team had this in mind and built Istio to be consumed without introducing huge risks by making it modular, such that you can choose which features you want to use right now and adopt the rest at a later stage.

Conclusion

Istio’s modularity and approach to service mesh design make adoption and maintenance easier. At its core, Istio has the potential to transform operations and security for your microservices deployment and serves as an enabler.

At AltoStack, our mission is to help organisations accelerate their time to value from the cloud by designing, building, and optimising their infrastructures in the public cloud.

We are a team of DevOps fanatics and a core part of our work is helping organisations leverage the cloud to increase the speed and success of cultural transformation.