Introduction to Istio Architecture and Benefits

December 05, 2018 

What is Istio?

Istio is an open source tool written in Go that creates an abstraction layer above the various microservices running in Kubernetes. Although it is available for other platforms as well, it is battle-tested in production on Kubernetes. It is installed using manifest YAML files or a Helm chart, which bootstraps all Istio components on the cluster. Istio adds a layer of transparency between distributed applications, and it has its own APIs to integrate with other open-source logging and telemetry tools such as Prometheus and Grafana.


Why Does Istio Matter?

Although there are a couple of other service mesh tools, such as Linkerd, Istio is stable, has more features and provides more granular security. Istio traces every call a request makes and the whole response path, which helps with root cause analysis of issues.

Istio helps to -

  • Connect microservices.
  • Control the API calls between services and the traffic flow between them.
  • Secure microservices.
  • Provide security by default - no modifications required in application code or infrastructure.
  • Defense in depth: provides multiple layers of security by integrating with other security systems.
  • Encrypt traffic between services, which protects against man-in-the-middle (MITM) attacks.
  • Control microservices.
  • Apply enforcement policies.
  • Observe microservices.
  • Provide automatic tracing, logging and monitoring of all microservices, visualizing what is happening under the hood.

Features of Istio

Traffic management - All traffic is managed through Istio sidecars deployed alongside each service.

Security - Istio moves security from the application layer to the network layer. Developers focus on domain logic only; Istio manages all security mechanisms using its components.

Observability - Istio provides tracing, log management and monitoring, surfacing patterns that depict failures. The performance of requests and responses upstream and downstream is determined, and load testing is done on services to find performance bottlenecks.

Support for platforms - Istio is available for Kubernetes, Nomad, Mesos and more. Istio is tested in production on Kubernetes.

Customization and integration - Enforced policies are customized and integrated with ACLs, logging and monitoring solutions.
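As an added example of the "secure by default" and traffic-encryption points above (not configuration from the original post), this is what turning on mesh-wide mutual TLS looks like with the Istio 1.0-era APIs: a server-side MeshPolicy, a client-side DestinationRule, and the exception a practitioner needs for the Kubernetes API server, which has no sidecar. The API versions and the reserved name "default" are assumed to match the Istio 1.0.x release the post installs.

```yaml
# Mesh-wide mutual TLS for Istio 1.0.x (assumed API versions: authentication.istio.io/v1alpha1,
# networking.istio.io/v1alpha3). Added example, not configuration from the original post.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default          # "default" is the reserved name for the single mesh-wide policy
spec:
  peers:
  - mtls:
      mode: STRICT       # sidecars accept only mutual-TLS traffic; plaintext is rejected
---
# Client side: every sidecar originates mutual TLS to any host inside the mesh.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL  # certificates are issued and rotated by Citadel, not by the app
---
# Caveat: the Kubernetes API server runs without a sidecar, so it cannot terminate mutual TLS.
# Without this exception, in-mesh clients that call the API server start failing.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: api-server
  namespace: istio-system
spec:
  host: kubernetes.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
```

After applying this, `istioctl authn tls-check <pod-name>` lists, per destination, whether the server policy and the client DestinationRule agree; a CONFLICT there is the usual cause of 503 responses after enabling mutual TLS.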


Istio Architecture

The Istio mesh is divided into a data plane and a control plane -

The data plane consists of intelligent proxies (Envoy) deployed as sidecars alongside the application containers. These proxies control all network communication between microservices. Mixer is used as the central hub for policy and telemetry.

The control plane deploys and configures the proxies to route inbound and outbound traffic. The control plane also configures Mixer to enforce policies on applications and to collect telemetry to be sent to monitoring systems.


How Does Istio Work?

A service mesh provides a collection of lightweight proxies alongside the containers in a Kubernetes pod. Each proxy acts as a gateway for the interactions between containers. The proxy forwards and load-balances the request across the service mesh to the appropriate downstream service containers, which serve the request.

The controller in the control plane orchestrates the connections between proxies. The control plane knows about each request and response, even though the service traffic flows directly between the proxies. The controller provides access control policies and collects metrics from the containers for telemetry and observation. It integrates tightly with Kubernetes, an open-source system for automating the deployment and orchestration of containerized applications.

Let's look at the significant components of Istio -

Guide to Using Envoy

Istio uses the Envoy proxy for -

  • Load balancing
  • Fault injection
  • Service discovery
  • Health checks

Envoy is deployed as a sidecar alongside the application container.

Pilot Applications

  • Enables dynamic service discovery for sidecars.
  • Manages traffic routing.
  • Provides resiliency.
  • Converts routing rules into sidecar configuration at runtime.
  • Every application instance has its own service proxy and talks to it directly.

Galley Properties

  • Provides the top-level configuration API.
  • Processes configuration and distributes it to the various Istio components.

Citadel Overview

Citadel provides service-to-service and end-user authentication, with built-in identity and credential management.

Istio Deployment on Kubernetes

Istio is available for many platforms, but it is on Kubernetes that many companies have tested it in production. Istio is shipped as Kubernetes manifest files or as a Helm chart, either of which is used to deploy it.

All components are deployed in the `istio-system` namespace. Grafana is deployed along with the stack to visualize the various metrics, using Prometheus as its backend.


curl -L https://git.io/getLatestIstio | sh -
cd istio-1.0.3

The installation folder contains -

  • Installation .yaml files for Kubernetes in install/
  • Sample applications in samples/
  • The istioctl client binary in the bin/ directory.
  • The istio.VERSION configuration file.

istioctl is used when manually injecting Envoy as a sidecar proxy and for creating routing rules and policies. Add it to the PATH -


export PATH=$PWD/bin:$PATH

Deploy using Helm and Tiller via helm install -


# Create the Tiller service account and initialise Tiller with it
kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
helm init --service-account tiller
# Install the Istio chart into the istio-system namespace
helm install install/kubernetes/helm/istio --name istio --namespace istio-system
# Clean-up only: removing the CRDs is part of uninstalling Istio, not of the install
kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system

Sidecar installation

Each pod in the mesh must run an Istio sidecar (Envoy).

The following sections describe two ways of injecting the sidecar into a pod - manually using the istioctl CLI tool, or automatically using the Istio sidecar injector.

Manual sidecar injection


# One-shot: inject the sidecar using the cluster's current injector configuration and apply
kubectl apply -f <(istioctl kube-inject -f ./samples/sleep/sleep.yaml)

# Or export the injector and mesh configuration first, then inject with explicit files
kubectl get configmap istio-sidecar-injector -o=jsonpath='{.data.config}' -n istio-system > inject-config.yaml
kubectl get configmap istio -o=jsonpath='{.data.mesh}' -n istio-system > mesh-config.yaml
istioctl kube-inject \
    --injectConfigFile inject-config.yaml \
    --meshConfigFile mesh-config.yaml \
    --filename samples/sleep/sleep.yaml \
    --output sleep-injected.yaml

kubectl apply -f sleep-injected.yaml

Automatic sidecar injection


# The mutating admission webhook API must be available on the cluster
kubectl api-versions | grep admissionregistration
# Render the chart with the sidecar injector webhook enabled and install it
helm template --namespace=istio-system --set sidecarInjectorWebhook.enabled=true install/kubernetes/helm/istio > istio.yaml
kubectl create ns istio-system
kubectl apply -n istio-system -f istio.yaml
# Deploy the sample; the namespace is not labelled yet, so the pod gets no sidecar
kubectl apply -f samples/sleep/sleep.yaml
kubectl get deployment -o wide
kubectl get pod
# Label the namespace; pods created from now on get the sidecar injected
kubectl label namespace default istio-injection=enabled
kubectl get namespace -L istio-injection
# Injection happens at pod creation, so delete the running pod (name from `kubectl get pod`) to have it recreated with the sidecar
kubectl delete pod sleep-776b7bcdcd-7hpnk
kubectl get pod
kubectl describe pod sleep-776b7bcdcd-bhn9m
# Remove the label and recreate the pod to verify the sidecar is gone again
kubectl label namespace default istio-injection-
kubectl delete pod sleep-776b7bcdcd-bhn9m
kubectl get pod

Running the demo app - Bookinfo application


# Option A - manual injection
kubectl apply -f <(istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml)
# Option B - automatic injection through the namespace label
kubectl label namespace default istio-injection=enabled
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
kubectl get services
kubectl get pods
# Expose the application through the Istio ingress gateway
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
kubectl get gateway
# Ingress host and port of the istio-ingressgateway service (cluster with an external load balancer)
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

Confirm the application is running (an HTTP 200 is expected) -


curl -o /dev/null -s -w "%{http_code}\n" http://${GATEWAY_URL}/productpage


Best Practices for Adopting Istio

Enabling a service mesh adds an extra abstraction layer over the existing infrastructure, so follow some best practices so that it does not create overhead and you reap its benefits instead of dealing with its complexity.

Use it only when there are more than 15 or so microservices; for fewer services it will add operational complexity.

Always prefer automatic sidecar injection over manual injection, as that way the CI/CD pipeline runs efficiently without deployment downtime.

Use dynamic request routing for shifting traffic in modern deployment use cases such as blue-green deployments, canary releases, A/B testing, etc. It helps make the transition smooth in real time.

Customize Grafana dashboards to gain more insight into the communication between microservices.

Add a horizontal pod autoscaler for all deployments in the cluster.

Try to leverage most of the features of Istio, but one feature at a time; it can get complicated if you try to use all features at once.
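The dynamic request routing recommended above, as an added example (not configuration from the original post) for the Bookinfo "reviews" service deployed earlier: a DestinationRule defines subsets by the pods' version label, and a VirtualService sends canary traffic 90/10 while an A/B header routes selected users straight to the new version. The API version is assumed to be the Istio 1.0.x networking.istio.io/v1alpha3, and the x-beta-user header name is a constructed value.

```yaml
# Weighted canary plus header-based A/B routing for the Bookinfo "reviews" service.
# Added example, not from the original post; "x-beta-user" is a constructed header name.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:               # a subset selects pods by their Kubernetes labels
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  # Rule 1 is evaluated first: requests carrying the A/B header always go to v2.
  - match:
    - headers:
        x-beta-user:
          exact: "true"
    route:
    - destination:
        host: reviews
        subset: v2
  # Rule 2 applies to everything else: a 90/10 split. To finish the canary,
  # raise the v2 weight in steps (weights must add up to 100) and watch the
  # v2 error rate and latency in Grafana before each step.
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
```

Because no pod is restarted, the shift takes effect as soon as Pilot pushes the new rule to the sidecars, and rolling back is just setting the v1 weight back to 100.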


Benefits of Istio

Istio has a lot of benefits for modern cloud-native applications. The practical benefits were discussed above; the benefits listed below are mostly on the business side of technology -

  • Provides a transparent communication layer between independent applications running inside the cluster.
  • Allows management of all microservices as they grow in number and size.
  • Provides traffic management between all microservices.
  • Abstracts the layer that reliably delivers requests between services through a proxy.
  • Increases the performance and reliability of the infrastructure.
  • Istio's traffic management decouples traffic flow from the scaling of the infrastructure.
  • Extracts telemetry data from the proxy containers and sends it to the monitoring dashboard.
  • Handles ambiguous network failures and allows a self-healing infrastructure.

Tools for Enabling Service Mesh on Istio

The following tools come under the umbrella of Istio and help in the successful creation of a service mesh -

Istio itself is deployed cluster-wide in its own namespace.

istioctl - command line utility to manage Istio resources inside the cluster.

Istio can be deployed on -

  • Kubernetes - the platform Istio supports the most; for example, a kops cluster running on AWS.
  • Nomad & Consul.


Concluding Istio

A service mesh is an excellent addition to infrastructure to ease the operations of managing 50-100s of microservices. Architect and implement new solutions using modern cloud-native microservices without worrying about applications breaking because of all the network calls. The service mesh handles all these network calls, detects failures and tries to prevent them.

A service mesh like Istio enables client-side load balancing and performs all its functions at the application layer. Istio detects where calls to other services are failing, slowing down or only partially succeeding, and shows all telemetry information on a dashboard such as Grafana, which makes troubleshooting and tracking down the root causes of problems easier.

Istio also enhances the security layer for all communication happening in the service mesh. Istio provides the tools needed to run microservice architectures: resilience, routing and observability.