The document discusses the role of Istio as an open-source service mesh, emphasizing its benefits for application modernization, such as reducing costs and improving development speed. It addresses challenges associated with microservices, including security, traffic management, and observability, while highlighting the importance of zero trust security and resiliency strategies. Furthermore, it explains different architectures for deploying Istio, including sidecar and sidecar-less models, and their impact on performance and operational simplicity.

1. Sai, Field Engineer @ Solo.io
Istio Service Mesh
For
Developers & Platform Engineers

2. Home Lab
BEFORE

3. Home Lab
NOW

4. Business Drivers for Application Modernization
Reduce Costs
/ Shift Capex
to Opex
Access to
Innovation
Increase flexibility
and Capacity
of Infrastructure
Increase Velocity of
Development
Reduce Risk
Monolithic Microservices

5. The Way We Build Applications
Monolithic
On-Prem
Built on
a VM+OS
Large Teams
Microservices
Cloud
Built on
Kubernetes
Agile Teams

6. Challenges with Microservices
● How to observe interactions among
services?
● How to secure service to service
communication?
● How to manage transient failures?
● How to control traffic?

7. Online Boutique Microservices Demo
Source: https://github.com/GoogleCloudPlatform/microservices-demo

8. Application Networking Challenges
● Service discovery
● Load balancing
● Timeouts
● Retry / Budgets
● Circuit breaking
● Tracing, observability
● Secure transport
● Extension
Challenges

9. Application Networking

10. Data Plane & Control Plane

11. Why Envoy for Service Mesh Data Plane
● Neutral Foundation (CNCF)
● Large, diverse, vibrant community
● Built ground up for dynamic services
environment
● Dynamic configuration, driven by API
● Highly extensible
● L7 filters (HTTP/1, HTTP/2, gRPC,
redis, mysql, Kafka, etc)
● Deep signals telemetry out of the box
● Versatile deployment options

12. Istio - Open Source Service Mesh
2017
Istio Launched
Data Plane
Enhancements
2019-20
7 New Community Releases
1000s Production Users
~ 1000 Community Contributors
2022
CNCF
2019-2022

13. Case Studies
https://istio.io/latest/about/case-studies/

14. Istio Service Mesh Architecture

15. Istio Deployment (Sidecar Architecture)

16. Use Cases

17. Too Much TRUST!

18. Zero Trust Security

19. Secure Networking - Server Side TLS

20. Secure Networking - mTLS

21. Network Security in Kubernetes
Default State
!!!
Desired State
“Zero Trust Security”

22. DIY … Whoops !
○ 81% of companies experienced a certificate-related outage in the
past two years
○ 65% are concerned about the increased workload and risk of outages
caused by shorter SSL/TLS certificate lifespans.
○ Human error was a major contributing factor in 95% of breaches

23. Istio to the Rescue !

24. Resiliency - There will be Failures
Common Mitigations
● Waiting indefinitely is bad
● Trying again is good
● Degrade gracefully when services are
overwhelmed

25. Timeout - Don’t wait Indefinitely

26. Retry - Trying Again is Good
👍

27. Circuit Breaker - Degrade gracefully

28. Observability - Insights for Competitive Advantage
Building a Uniform Approach
● Understand traffic patterns
● Determine service health
● Anticipate outages
● Detect dangerous activity
● Audit access

29. Observability - Metrics and Access Logging
[2020-11-25T21:26:18.409Z] "GET /status/418 HTTP/1.1" 418 - via_upstream
- "-" 0 135 3 1 "-" "curl/7.73.0-DEV"
"84961386-6d84-929d-98bd-c5aee93b5c88" "httpbin:8000" "127.0.0.1:80"
inbound|8000|| 127.0.0.1:41854 10.44.1.27:80 10.44.1.23:37652
outbound_.8000_._.httpbin.foo.svc.cluster.local default
[2020-11-25T21:26:18.409Z] "GET /status/418 HTTP/1.1" 418 - via_upstream
- "-" 0 135 3 1 "-" "curl/7.73.0-DEV"
"84961386-6d84-929d-98bd-c5aee93b5c88" "httpbin:8000" "127.0.0.1:80"
inbound|8000|| 127.0.0.1:41854 10.44.1.27:80 10.44.1.23:37652
outbound_.8000_._.httpbin.foo.svc.cluster.local default
[2020-11-25T21:26:18.409Z] "GET /status/418 HTTP/1.1" 418 - via_upstream
- "-" 0 135 3 1 "-" "curl/7.73.0-DEV"
"84961386-6d84-929d-98bd-c5aee93b5c88" "httpbin:8000" "127.0.0.1:80"
inbound|8000|| 127.0.0.1:41854 10.44.1.27:80 10.44.1.23:37652
outbound_.8000_._.httpbin.foo.svc.cluster.local default
metrics

30. RECAP

31. Business Drivers for Adopting Istio

32. Life without ServiceMesh `vs` Life with ServiceMesh
Business Logic
Security Logic
Traffic Management Logic
Golden Metrics/
Observability Logic
Resiliency Logic
Managed by
Developer
- Multiple Tasks
- Multiple Frameworks
- Language Specific
- Poor Dev Experience
- 100s of Manual Steps
Business Logic
Security Logic
Traffic Management Logic
Golden Metrics/
Observability Logic
Resiliency Logic
Managed by
Developer
- Focus on Biz Logic
- Developer Productivity
Managed by
ServiceMesh
- Automated Workflow
- Deploy Consistent
Infrastructure Layer
- Eliminate Language
Specific Libraries
- Consistent Security &
Observability across LOBs
Before Service Mesh After Service Mesh
Microservice App Microservice App

33. Istio Deployment (Sidecar Architecture)

34. Istio Ambient Mesh (Sidecar-less Architecture)
A recent, open source contribution to the Istio project,
that defines a new sidecar-less data plane.
Improve
Performance
Simplify
Operations
Cost
Reduction
https://istio.io/latest/blog/2022/introducing-ambient-mesh/

35. Istio Deployment (Sidecar-less Architecture)

36. Something to think about …

37. Something to think about …

38. ● the Istio Ingress Gateway doesn’t provide the capabilities of an enterprise API
gateway
● It’s complex to use and to manage, especially in a multi-cloud context
● mTLS across the clusters
● Lifecycle management for control planes and istio gateways
● Global Observability (centralized metrics and access logging)
● Long term support
Something to think about …

39. Learn More …

40. Learn More …
10,000+ students have
attended hands-on workshops
1,800+ engineers have
achieved certifications
NPS
Score
75
https://academy.solo.io

41. Istio User Group
SINGAPORE

42. Thanks for attending!
@_hellosai_
sai.linnthu@solo.io
https://www.linkedin.com/in/sailinnthu/
https://www.youtube.com/@SaiLinnThu
Field Engineer - APAC @ Solo.io