service mesh

A service mesh is a dedicated infrastructure layer that controls service-to-service communication over a network. It provides a method in which separate parts of an application can communicate with each other. Service meshes appear commonly in concert with cloud-based applications, containers and microservices.

A service mesh is in control of delivering service requests in an application. Common features provided by a service mesh include service discovery, load balancing, encryption and failure recovery. High availability is also common, achieved through software controlled by APIs rather than through dedicated hardware. Service meshes can make service-to-service communication fast, reliable and secure.

As an example, an application structured in a microservices architecture might be composed of hundreds of services, all with their own instances operating in a live environment. This could make it challenging for developers to keep track of which components must interact, and make changes to their application if something goes wrong. Including communication protocols in a service rather than in a separate and dedicated layer would make the process of keeping track and making changes to an application fairly complex. Utilizing a service mesh allows developers the ability to separate service-to-service communication into a dedicated layer.

An organization may choose to utilize an API gateway, which handles protocol transactions, over a service mesh. However, developers must update the API gateway every time a microservice is added or removed.

How a service mesh works
A service mesh architecture uses a proxy instance called a sidecar in whichever development paradigm is in use, commonly containers and/or microservices. In a microservice application, a sidecar will attach to each service. In a container, the sidecar is attached to each application container, VM or container orchestration unit, such as a Kubernetes pod.

Sidecars can handle tasks abstracted from the service itself, such as monitoring and security.

Service instances, sidecars and their interactions make up what is called the data plane in a service mesh. A layer called the control plane manages tasks such as creating instances, monitoring and implementing policies, such as network management or network security policies. Control planes can connect to a CLI or a GUI for application management.

Service mesh benefits and drawbacks
A service mesh addresses some large issues with managing service-to-service communication, but not all. Some advantages of a service mesh include:

Simplifies communication between services in both microservices and containers.
Easier to diagnose communication errors, since they would occur on their own infrastructure layer.
Supports security features such as encryption, authentication and authorization.
Allows for faster development, testing and deployment of an application.
Sidecars placed next to a container cluster are effective in managing network services.
Some downsides to service meshes include:

Using a service mesh increases the number of runtime instances.
Adds an extra step where each service call must first run through the sidecar proxy.
Service meshes do not address issues such as integrating with other services or systems, routing by message type, or transformation mapping.

The service mesh market
A service mesh is commonly available as an open source technology from diverse creators. It can also be consumed as a service from major cloud providers.

Istio is an open source service mesh provided by Google, IBM and Lyft. Istio is designed as a universal control plane first targeted for Kubernetes deployments, but can be used on multiple platforms. Its data plane relies on proxies called Envoy sidecars. This service mesh features security measures such as identity and key management. It also supports fault injection and hybrid deployment.
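As an added example, not taken from the article or from the Istio project's own documentation, the following Istio resources show how the encryption, authentication and authorization features described above become policy enforced by the Envoy sidecar: the weak PERMISSIVE mTLS setting beside the hardened STRICT one, followed by an authorization policy. The namespace "payments", the labels and the service accounts "checkout" and "ledger" are assumed names for illustration.

```yaml
# Assumed namespace "payments" and workloads "checkout" and "ledger".
---
# Weak setting: PERMISSIVE lets the sidecar accept both mTLS and plaintext,
# so a workload without a sidecar can still reach the service unauthenticated.
# Acceptable only while migrating workloads into the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: PERMISSIVE
---
# Hardened setting: STRICT makes the sidecar reject any connection that is
# not mutual TLS presenting a mesh-issued workload identity.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# mTLS only proves who is calling; this policy decides what they may call.
# Only the "checkout" service account may POST to /transfers on the "ledger"
# workload. Once an ALLOW policy selects a workload, every request that
# matches no rule is denied, so this is deny-by-default for "ledger".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/transfers"]
```

Apply only one of the two PeerAuthentication objects: both are named default in the same namespace, so the second would simply overwrite the first.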

Figure: Istio service mesh. The Istio service mesh architecture is one of the major designs available.

Linkerd is another open source, multiplatform service mesh. Linkerd was developed by Buoyant and is built on Twitter's Finagle library. This service mesh supports platforms such as Kubernetes, Docker and Amazon ECS. Features include built-in service discovery and a control plane, Namerd.