Overview

A network service mesh is an infrastructure layer that simplifies and manages service-to-service communication over a network, usually through proxies. It works transparently to the applications while providing additional features and advantages. Because it runs as a separate infrastructure layer, it makes communication easier to optimise and helps avoid downtime, especially as your application grows.

How does it work?

A service mesh provides a way to control the data exchanged between the different components of an application. Unlike other systems, a service mesh is a dedicated infrastructure layer built right into an app. Modern applications are divided into “services”, each with a specific role based on its business function. The number of communication paths between these services explodes as the number of services grows, and as each service needs to retrieve data from the others. A service mesh does not change the architecture of the application, only its networking logic: requests can be routed from one service to the next, optimised and abstracted.

In a service mesh, requests are routed between microservices through proxies in their own infrastructure layer. The individual proxies run alongside each service, rather than within them. Taken together, these “sidecar” proxies (decoupled from each service) form a mesh network.

Source: Istio (open-source tool), “What is a Service Mesh”.

Where and Why use a Service Mesh

As the distributed services in your application grow in size and complexity, they become increasingly hard to understand and manage. A service mesh helps reduce this complexity and brings extra features in terms of security and functionality. It also addresses other complex operational requirements, such as A/B testing, canary deployments, rate limiting, access control, encryption and end-to-end authentication.

Without a service mesh, each microservice needs to be coded with logic to govern service-to-service communication, which means developers are less focused on business goals. It also means communication failures are harder to diagnose, because the logic that governs inter-service communication is hidden within each service. This logic can be coded into each service without a service mesh layer, but as communication gets more complex, a service mesh becomes more valuable. For cloud-native apps, containerized applications, microservice architectures and the like, a service mesh is a way to compose a large number of discrete services into a functional application.

Source: Red Hat, “Microservices + service mesh”; Red Hat topics, microservices, “What is a service mesh”.

Service Mesh Advantages

Deploying a service mesh brings an additional set of features, some of them dependent on the service mesh used. What we describe here are the main advantages that all (or most) service mesh tools provide:

  • Traffic management. A service mesh allows you to route and control traffic within a single cluster or network, as well as across multiple ones, and to easily control traffic flow and API calls between services. Configuration is at the service level, fine-grained and simplified, offering e.g. load balancing, timeouts, retries, traffic splits and firewalling.
  • Observability. Observability of the application is fundamental to understanding its performance and behaviour. Because the mesh provides detailed telemetry for all communication within it, troubleshooting, maintaining and optimising your applications becomes easier. The telemetry usually includes metrics, traces and full access logs.
  • Security capabilities. The introduction of a service mesh provides extra security functionality, such as protection against man-in-the-middle attacks, access controls, auditing and mutual TLS. Built-in tools are dedicated to protecting services and the data they exchange, with components such as policy controls, transparent TLS encryption, and authentication, authorization and audit (AAA). A security-by-default model is defined, aiming for defence in depth and for deploying secure applications even across untrusted networks.
  • Automation. Key networking tasks, monitoring patterns, security aspects and more can be automated, improving the efficiency and the security of the entire ecosystem, especially as the applications grow. Automation is directly related to the other aspects and contributes to their improvement and adoption.
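As an added example (not part of the original text, and specific to Istio rather than to every mesh), the following manifests show what the “security-by-default” model from the Security capabilities point looks like in practice: mutual TLS enforced mesh-wide, a namespace-level default deny, and one explicit allow rule keyed on the workload identity carried in the client certificate. The namespace `shop`, the service account `frontend` and the `app: checkout` label are constructed values for this illustration.

```yaml
# Mesh-wide default: sidecars accept only mutual TLS from their peers.
# Lives in the Istio root namespace (istio-system by default).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT      # PERMISSIVE would also accept plaintext; use it only during migration
---
# Namespace default deny: an AuthorizationPolicy with an empty spec
# matches every workload in the namespace and allows nothing.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop        # constructed example namespace
spec: {}
---
# Explicit allow: only workloads running as the "frontend" service account
# may call the "checkout" workload, and only with GET or POST.
# The principal is derived from the peer certificate, so this rule is
# only meaningful while mTLS is STRICT.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: checkout-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: checkout    # constructed example label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
```

With PERMISSIVE mode the `principals` match would be empty for any plaintext caller, so the deny-all policy would silently reject legitimate traffic; check the sidecar access logs for `RBAC: access denied` entries when rolling this out.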

Popular Open-Source Service Mesh Tools

  • Linkerd (CNCF Graduated project)
  • Istio (CNCF Incubating project)
  • Open Service Mesh (CNCF Sandbox project)
  • Consul
  • Traefik Mesh