White Paper
Understanding Service Mesh
Once user traffic has arrived at your Kubernetes cluster, there are two directions in which communication needs to be managed: into and out of the cluster (north/south) via an API Gateway like Ambassador Edge Stack and between microservices within the cluster (east/west), managed by a service mesh.
What is service mesh?
A service mesh is an infrastructure layer that allows microservices, or pods, to communicate with, and sometimes across, each other.
The service mesh architecture enables pods within a cluster to coordinate to optimize the user experience. For example, suppose the personalized recommendations feature in a video-sharing app fails. In that case, it makes it possible for a list of generic recommendations to pop up for the user to click on without affecting other functionality.
API Gateway vs Service Mesh video
What is the difference between both explained by Richard Li
Why Do You Need a Service Mesh?
In Kubernetes, service mesh architecture can be customized and configured to handle a wide range of devops needs
Data planes & control planes
The data plane consists of one or more service proxies within a cluster, each of which typically runs next to a single service or microservice of an app, and is responsible for service discovery, resilience, observability, and security for the microservices. The control plane is responsible for defining policy and ensuring the data plane follows that policy.
Resilience
Resilience can be added to the distributed system in more than one way. For example, having each microservice’s code include calls to code libraries with resilience functions, or having special network proxies handle microservice requests and replies. The ultimate goal of resilience is to ensure that failures or degradations of particular microservice instances don’t cause cascading failures that cause downtime for the entire distributed system.
Observability & Security
Observability is being able to monitor an app’s state and to determine at a high level what’s happened when something goes wrong with the app. Service meshes can provide security by protecting the communications between pods by using Transport Layer Security (TLS), a cryptographic protocol. TLS uses cryptography to ensure that the information being communicated can’t be monitored or altered by others.
Service Mesh Products
Envoy Proxy service mesh is a popular choice for use as a data plane. Originally developed by Lyft, Envoy Proxy is now a Cloud-Native Computing Foundation project, with hundreds of contributors from many companies such as AirBnb, Amazon, Microsoft, Google, Pinterest, and Salesforce.
What Else Should You Know About Service Mesh?
There's more to explore, from basic fundamentals to traffic API examples.
Cloud-native apps
- Common cloud-native app architectures
- Cloud-native app benefits
- Fallacies of distributed computing
- Common challenges
Resilience for distributed systems
- Resilience strategies
- Load balancing
- Timeouts and automatic retries
- Deadlines and circuit breakers
Introduction to service mesh interface (SMI)
- Traffic specs API
- Traffic split API
- Traffic access control API
- Traffic metrics API
Using service mesh to debug and mitigate app failures
- Status checks
- Service proxy status checks
- Service route metrics
- Service route configuration for issue mitigation
Learn more about Service Mesh
Article
Resilience for distributed systems
Article
Learn more about cloud-native apps
Article
Using Service Mesh to Debug and Mitigate Against App Failures
Article
Observability and Security with Service Mesh
Article
Introduction to Service Mesh Interface
Article
Ambassador and Istio: Edge proxy and service mesh
Article
Ambassador Edge Stack to Consul Connect
Article