Service meshes solve the traffic management, security, and observability challenges introduced by microservices and distributed architectures. Istio, Linkerd, and Consul are three mature tools with highly customizable, advanced feature sets. At the same time, the other tools highlighted in this article offer lightweight and efficient ways to manage traffic between microservices.
Microservices, Kubernetes, and distributed architectures have become the norm for scalable applications and enterprise business solutions. With distributed services, managing the communication and networking between each service is difficult, and service meshes have proven to help solve it.
A service mesh uses proxies to provide a dedicated infrastructure layer that facilitates and secures service-to-service communication between microservices.
The typical service mesh architecture deploys a sidecar container alongside each service to provide seamless communication, configuration, and security. To achieve this, many service meshes use the open source sidecar proxy Envoy, while others use custom-built proxies or a monolithic architecture.
Let's explore some of the top open source and commercial service mesh implementations available in the service mesh tooling market.
Istio
Open-sourced in 2017, Istio is a highly extensible and widely used service mesh developed by Google, IBM, and Lyft. Using Envoy as the sidecar proxy, Istio simplifies traffic management, security, connectivity, and observability in distributed systems.
Being a collaborative project of three tech giants, Istio is a feature-rich service mesh with advanced capabilities, including load balancing, policy creation, traffic routing, and service-to-service authentication.
Istio offers comprehensive traffic management with easy control and routing of ingress and egress traffic for the service mesh. It has various error handling and resilience features such as timeouts, circuit breaking, traffic shifting, and retries.
In addition to standard mutual TLS, Istio can be configured to accept or reject unencrypted traffic. It can also enforce different policies for specific workloads, for a namespace, or mesh-wide through the AuthorizationPolicy and PeerAuthentication security CRDs.
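As an added example (not from the original article or the Istio project), the manifests below put the preceding two paragraphs into concrete Istio resources: a DestinationRule and VirtualService that implement timeouts, retries, circuit breaking (outlier detection) and a 90/10 traffic split, followed by a mesh-wide PeerAuthentication that rejects plaintext, a namespace-level override that still accepts it, and an AuthorizationPolicy that restricts who may call a workload. The namespaces (`shop`, `legacy`), service names (`reviews`, `payments`, `checkout`) and labels are constructed for the illustration.

```yaml
# --- Traffic management: resilience and traffic shifting (constructed example) ---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: shop
spec:
  host: reviews.shop.svc.cluster.local
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 100   # queue limit before requests are rejected
        maxRequestsPerConnection: 10
    outlierDetection:                  # circuit breaking: eject unhealthy endpoints
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50           # never eject more than half the pool
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: shop
spec:
  hosts:
  - reviews.shop.svc.cluster.local
  http:
  - timeout: 3s                        # overall budget for the request
    retries:
      attempts: 3
      perTryTimeout: 1s                # attempts * perTryTimeout stays within timeout
      retryOn: 5xx,reset,connect-failure
    route:                             # traffic shifting: 90% v1, 10% v2 canary
    - destination:
        host: reviews.shop.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: reviews.shop.svc.cluster.local
        subset: v2
      weight: 10
---
# --- Security: peer authentication and authorization (constructed example) ---
# Mesh-wide default lives in the root namespace: reject plaintext everywhere.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Namespace-level override: accept plaintext while legacy workloads migrate.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy
spec:
  mtls:
    mode: PERMISSIVE
---
# Workload-level authorization: only the checkout service account may
# POST to the charges endpoint of the payments workload.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/api/v1/charges"]
```

Two points worth checking before applying something like this: `principals` are derived from the client certificate, so the AuthorizationPolicy only identifies callers reliably where PeerAuthentication is STRICT (a PERMISSIVE namespace lets unauthenticated plaintext callers through with no principal), and once any ALLOW policy selects a workload, every request that matches no rule is denied, so a missing health-check or metrics path will start failing.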
Istio provides the latency, traffic, errors, and saturation signal types and also provides metrics for the control plane. To give easy visibility into the insights and observability metrics collected by the service mesh, Istio offers official integration with the Kiali management console.
Accompanying these excellent features, however, is a steep learning curve. Istio is a more mature service mesh than most others available, but it requires considerable expertise and work hours to get running. It may also not be as easily configurable or developer-friendly as the less sophisticated service meshes on this list.
Linkerd
Trailing Istio in popularity is Linkerd, even though it was in the service mesh market before Istio. Linkerd 2.x is a simple, lightweight, open source, Kubernetes-native service mesh. It is an Apache 2.0 licensed project built by Buoyant and now incubated as a CNCF project.
Instead of Envoy, Linkerd uses a custom-built proxy written in Rust, making it more flexible and scalable.
Linkerd offers a CLI and a GUI with a preinstalled Grafana integration to provide observability into the activities of the service mesh. It also supports integration with Prometheus for further collection of metrics.
Linkerd also integrates with ingress controllers such as Traefik, Kong, and Gloo for easy and comprehensive traffic management.
The Linkerd service mesh reduces latency in inter-service connections and provides reliability in the system.
AWS App Mesh
Like many other service meshes, AWS App Mesh uses the Envoy sidecar proxy to provide application-level networking and management of ingress and egress traffic to services. It is a fully managed service mesh built for the AWS-managed Kubernetes platform, EKS, and integrated with other AWS services, including Amazon EC2 and AWS Fargate.
Compared to a more mature service mesh like Linkerd, AWS App Mesh is more complex, and it has a relatively small online community to help with the process. However, AWS offers free support to help you implement the service on its Kubernetes platform.
Consul
A built-in key/value store is what sets Consul apart. Built by HashiCorp, Consul provides a networking layer that connects, secures, and configures service-to-service communication in distributed systems.
Consul started as a suite of service tools before containers and microservices became mainstream and has since grown into a complete suite with service mesh built on top of the foundational components.
Consul offers a built-in proxy layer for testing and also supports the Envoy sidecar proxy to serve networking needs on runtime platforms.
It provides connectivity features including path-based routing, traffic shifting, and load balancing. Consul prioritizes security with support for standard mTLS and integration with HashiCorp Vault, which helps with signing and managing certificates in a cluster. You can configure its UI to observe mesh-wide and service-specific metrics through integration with Prometheus and Grafana.
Kuma
Kuma is an open source, platform-agnostic service mesh created by Kong. It was designed to improve the usability and ease of operation of existing service meshes. Kuma supports Kubernetes and virtual machines and serves networking needs with enhanced security, observability, and inter-service connectivity.
Kuma is an easy-to-implement service mesh that comes with pre-bundled policies such as routing, mTLS, fault injections, traffic control, and other helpful networking and security features.
It is an enterprise-friendly solution that makes it easy to operate and control multiple isolated meshes from a unified control plane.
Traefik Mesh
Traefik Mesh is an easily configurable service mesh that provides observability and easy management of traffic flow inside a Kubernetes cluster. Initially named Maesh, Traefik Mesh offers advanced traffic management features, including circuit breaking and rate limiting. It uses the open source reverse proxy and load balancer Traefik in place of the commonly used Envoy sidecar proxy. It also supports the Service Mesh Interface (SMI), the industry standard for service mesh implementations.
Apache ServiceComb
Apache ServiceComb is an open source, out-of-the-box service mesh for microservices and distributed systems. It is a high-performance service mesh written in Go and built on the GoChassis microservices framework, with extensive features such as load balancing, service discovery, fault tolerance, route management, and distributed tracing.
It implements a dedicated Mesher sidecar proxy that exposes an Admin API through which developers can observe the runtime. It is compatible with Kubernetes, Docker, VMs, and bare-metal environments and supports HTTP and gRPC.
Network Service Mesh (NSM)
Network Service Mesh offers low-level heterogeneous network configurations for Kubernetes. NSM is described as a “connection-centric service mesh” ideal for use in advanced systems such as edge computing, 5G networks, and IoT devices. It is a sandbox project with the CNCF.
Kiali
Kiali is a service mesh observability, visualization, and management console supported by many service meshes, including Istio. It allows you to configure Istio and provides detailed metrics, validation, topology, integration with Grafana, and distributed tracing with Jaeger.
NGINX Service Mesh
NGINX Service Mesh is a simple, lightweight service-to-service networking solution that provides scalable, secure, and unified ingress and egress traffic management for Kubernetes clusters. It uses its homegrown ingress controller and NGINX Plus as the sidecar proxy and provides observability through integration with Prometheus, Grafana, and OpenTracing. It is a developer-friendly tool that is suitable for both small and enterprise-scale Kubernetes environments. Its unique traffic-handling features include service throttling, rate shaping, A/B testing, and canary releases.
Aspen Mesh
Aspen Mesh markets itself as a "better version of Istio." The service mesh is built on Istio, but it offers more ease of use, manageability, and security. Aspen Mesh is an enterprise-ready service mesh solution that introduces agility, stability, and easy observability into distributed systems communication. It iterates on Istio and provides more efficient service-to-service management for Kubernetes.
Open Service Mesh (OSM)
Open Service Mesh is an open source, lightweight, and straightforward service mesh solution for cloud-native environments. It is a Kubernetes-native service mesh that uses the popular Envoy proxy as a sidecar container to provide easily configured, uniformly managed, and secure traffic management and observability for dynamic distributed and microservices environments.
Its notable features include traffic shifting, access control policies, mTLS support, easy debugging and monitoring, and support for the SMI standard. It also integrates with other service meshes and cloud-native tools, including Linkerd, Consul, and Helm, to extend the features offered by the platform.
Grey Matter
Grey Matter is an Envoy-based hybrid service mesh that is compatible with Istio and provides insight into, and secure and easy control of, data for microservice environments. It is an end-to-end network management platform with flexibility, compliance, and easy configuration that provides visibility into the microservice environment's network, application, and API parameters.
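The SMI standard mentioned here and in the Traefik Mesh section is a set of vendor-neutral Kubernetes CRDs, so the same manifests express access control and traffic shifting on any SMI-compliant mesh. The following is an added example, not taken from the article or from the Open Service Mesh or Traefik Mesh projects: a TrafficTarget plus HTTPRouteGroup that allows only the `orders` service account to call the `inventory` service on one route, and a TrafficSplit that sends 10% of `inventory` traffic to a v2 backend. Namespaces, service accounts, services and the path are constructed; the API versions shown are assumed to match the SMI release your mesh implements and should be checked against its documentation.

```yaml
# Access control: deny-by-default, then allow one caller on one route (constructed example).
apiVersion: access.smi-spec.io/v1alpha3
kind: TrafficTarget
metadata:
  name: inventory-allow-orders
  namespace: inventory
spec:
  destination:                 # who is being called: pods running as this service account
    kind: ServiceAccount
    name: inventory
    namespace: inventory
  rules:                       # what they may call: the routes named in the HTTPRouteGroup
  - kind: HTTPRouteGroup
    name: inventory-routes
    matches:
    - read-stock
  sources:                     # who may call: pods running as the orders service account
  - kind: ServiceAccount
    name: orders
    namespace: orders
---
apiVersion: specs.smi-spec.io/v1alpha4
kind: HTTPRouteGroup
metadata:
  name: inventory-routes
  namespace: inventory
spec:
  matches:
  - name: read-stock
    pathRegex: "/api/v1/stock/.*"   # anchored by the mesh; keep it as narrow as the API allows
    methods: ["GET"]
---
# Traffic shifting: weighted split between two versions behind one service name.
apiVersion: split.smi-spec.io/v1alpha2
kind: TrafficSplit
metadata:
  name: inventory-split
  namespace: inventory
spec:
  service: inventory           # the root service clients address
  backends:
  - service: inventory-v1
    weight: 90
  - service: inventory-v2
    weight: 10
```

Because TrafficTarget identifies callers by service account, each workload needs its own service account rather than the namespace default, and the mesh must be running in its restrictive (deny-by-default) mode for the policy to have any effect; in permissive mode the TrafficTarget is accepted but enforces nothing.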
OpenShift Service Mesh
Like Grey Matter, OpenShift Service Mesh builds on top of Istio with significant improvements in tracing and visibility of the service-to-service traffic in a microservices environment. It integrates with Jaeger and Kiali to enhance observability into the configuration, traffic monitoring, and analysis of microservices.