What is a service mesh?
A service mesh is a dedicated infrastructure layer that controls service-to-service communication over a network. This method enables separate parts of an application to communicate with each other. Service meshes appear commonly in concert with cloud-based applications, containers and microservices.
A service mesh controls the delivery of service requests in an application. Common features provided by a service mesh include service discovery, load balancing, encryption and failure recovery. High availability is also common through the use of software controlled by APIs rather than through hardware. Service meshes can make service-to-service communication fast, reliable and secure.
An organization may choose an API gateway, which handles protocol transactions, instead of a service mesh. However, developers must update the API gateway every time a microservice is added or removed. Service mesh typically offers network management scalability and flexibility that exceeds the capabilities of traditional API gateways.
How a service mesh works
A service mesh architecture uses a proxy instance called a sidecar in whichever development paradigm is in use, typically containers and/or microservices. In a microservice application, a sidecar attaches to each service. In a container, the sidecar attaches to each application container, VM or container orchestration unit, such as a Kubernetes pod.
Sidecars can handle tasks abstracted from the service itself, such as monitoring and security.
Service instances, sidecars and their interactions make up what is called the data plane in a service mesh. A different layer called the control plane manages tasks such as creating instances, monitoring and implementing policies for network management and security. Control planes can connect to a CLI or a GUI interface for application management.
Why adopt a service mesh?
An application structured in a microservices architecture might comprise dozens or hundreds of services, all with their own instances that operate in a live environment. It’s a big challenge for developers to keep track of which components must interact, monitor their health and performance and make changes to a service or component if something goes wrong.
A service mesh enables developers to separate and manage service-to-service communications in a dedicated infrastructure layer. As the number of microservices involved with an application increases, so do the benefits of using a service mesh to manage and monitor them.
Key features of a service mesh
A service mesh framework typically provides many capabilities that make containerized and microservices communications more reliable, secure and observable.
Reliability. Managing communications through sidecar proxies and the control plane improves efficiency and reliability of service requests, policies and configurations. Specific capabilities include load balancing and fault injection.
Observability. Service mesh frameworks can provide insights into the behavior and health of services. The control plane can collect and aggregate telemetry data from component interactions to determine service health, such as traffic and latency, distributed tracing and access logs. Third-party integration with tools, such as Prometheus, Elasticsearch and Grafana, enables further monitoring and visualization.
Security. Service mesh can automatically encrypt communications and distribute security policies, including authentication and authorization, from the network to the application and individual microservices. Centrally managing security policies through the control plane and sidecar proxies helps keep up with increasingly complex connections within and between distributed applications.
Service mesh benefits and drawbacks
A service mesh addresses some large issues with managing service-to-service communication, but not all. Some advantages of a service mesh are as follows:
- Simplifies communication between services in both microservices and containers.
- Easier to diagnose communication errors, because they would occur on their own infrastructure layer.
- Supports security features such as encryption, authentication and authorization.
- Allows for faster development, testing and deployment of an application.
- Sidecars placed next to a container cluster is effective in managing network services.
Some downsides to service mesh are as follows:
- Runtime instances increase through use of a service mesh.
- Each service call must first run through the sidecar proxy, which adds a step.
- Service meshes do not address integration with other services or systems, and routing type or transformation mapping.
- Network management complexity is abstracted and centralized, but not eliminated — someone must integrate service mesh into workflows and manage its configuration.
The service mesh market
Service mesh enterprise adoption is still nascent and lags far behind that of containers, according to a survey conducted in mid-2020. Istio, Linkerd and HashiCorp Consul are the service meshes most used in production, according to those survey respondents.
Istio, an open source service mesh provided by Google, IBM and Lyft, is a universal control plane originally targeted for Kubernetes deployments, but architects can use it on multiple platforms. Its data plane relies on proxies called Envoy sidecars.
Linkerd, another open source, multiplatform service mesh, was developed by Buoyant and is built on Twitter’s Finagle library. This service mesh supports platforms such as Kubernetes, Docker and Amazon ECS.
HashiCorp’s Consul offers service discovery and service mesh capabilities to handle network management in distributed environments. It works with AWS and Microsoft Azure and is also available as a SaaS product.
The following is an alphabetical list of many service mesh products and services available today. Some are open source or based in part on open source technology; some are tied to other service mesh platforms (Solo.io and Tetrate are based on Istio; Buoyant is a managed version of Linkerd). Many are available as SaaS products. The major cloud providers, and Kubernetes platform providers, offer packaged and hosted service mesh products.
- AWS App Mesh
- Azure Service Fabric Mesh (currently in preview)
- Buoyant Conduit
- F5 Nginx Service Mesh
- Google Anthos Service Mesh
- HashiCorp Consul
- Kong Mesh
- Red Hat OpenShift Service Mesh
- Solo.io Gloo Mesh
- Tigera Calico Cloud
- Traefik Labs
- VMware Tanzu Service Mesh