Service Mesh
- Microservices Management: Service Meshes address the complexities of microservice communication by offloading concerns like security, observability, and traffic management from application code.
- Sidecar Proxy Pattern: They typically operate by injecting a lightweight proxy (like Envoy) alongside each application container, intercepting and managing all network traffic.
- Advanced Features: Service Meshes enable powerful capabilities such as automatic mTLS for zero-trust networking, fine-grained traffic splitting for progressive delivery, and circuit breaking for fault tolerance.
- Operational Overhead: While powerful, Service Meshes introduce significant complexity and latency, making them more suitable for larger, more demanding microservice environments.
As you split your monolith into 100 microservices, you introduce new problems:
- How do I encrypt traffic between Service A and Service B?
- How do I see a trace of a request failing?
- How do I do a canary rollout for just 1% of traffic?
You could write code in every microservice to handle this. Or you could use a Service Mesh.
Architecture: The Sidecar Pattern
A Service Mesh (like Istio or Linkerd) injects a small proxy container (Envoy, in Istio's case) into every Pod in your cluster.
- The App container talks to localhost.
- The Proxy container handles the actual network traffic.
Key Features
1. mTLS (Mutual TLS) & Zero Trust
Automatic encryption between pods. The mesh manages the certificates, rotation, and enforcement.
Zero Trust Networking: In a standard cluster, if a pod is compromised, the attacker can "sniff" traffic to other pods. With mTLS, every pod must prove its identity with a certificate. Even inside the cluster, no pod is trusted by default.
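The following Istio resources are an added example (not configuration from the original notes) showing how the mTLS and zero-trust behaviour above is switched on in practice. The namespace "payments", the workloads "service-a" and "service-b", and their service accounts are assumed names standing in for the text's Service A and Service B. It goes one step beyond the text by adding an AuthorizationPolicy, which is how the certificate identity is actually used to decide who may call whom.

```yaml
# Added example (not from the original notes). Assumed names: namespace
# "payments", workloads "service-a" and "service-b", each running under a
# service account of the same name.
---
# 1. Sidecar injection: the proxy is only added to Pods in labelled namespaces.
#    Pods created before the label was set must be restarted to get a sidecar.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    istio-injection: enabled
---
# 2. Mesh-wide STRICT mTLS: sidecars reject any plaintext connection.
#    Applying this in the root namespace (istio-system) makes it the default
#    for every namespace; a PeerAuthentication in a workload's own namespace
#    overrides it. Caveat: Pods without a sidecar (unlabelled namespace,
#    hostNetwork, excluded Pods) can no longer reach STRICT workloads, so use
#    mode: PERMISSIVE as the interim step until every caller is injected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 3. Identity-based authorization. The certificate that mTLS issues carries a
#    SPIFFE identity derived from the caller's service account. Once any ALLOW
#    policy selects a workload, every request that matches no rule is denied,
#    so this is "no pod is trusted by default" in practice: only service-a may
#    call service-b, and only with GET or POST. Any other source, even another
#    authenticated workload in the mesh, gets a 403 from service-b's sidecar.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-b-allow-service-a
  namespace: payments
spec:
  selector:
    matchLabels:
      app: service-b
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/payments/sa/service-a"
    to:
    - operation:
        methods: ["GET", "POST"]
```

Apply with `kubectl apply -f`, then run `istioctl analyze -n payments` to catch workloads that would be cut off by STRICT mode before traffic is affected. The principal string uses Istio's default trust domain `cluster.local`; clusters configured with a different trust domain need it changed accordingly.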
2. Traffic Splitting
"Send 90% of traffic to v1 and 10% to v2." This is impossible with standard Kubernetes Services, which simply spread connections across all ready Pods (roughly round-robin) with no notion of versions or weights.
3. Circuit Breaking
"If Service B returns 500 errors more than 3 times in 10 seconds, stop calling it for 1 minute." This stops a failing service from dragging its callers down with it and cascading through the whole system.
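Both the traffic split and the circuit-breaking rule above act on the same destination, so one added Istio example (not configuration from the original notes) covers both. It assumes a Service named "service-b" in the namespace "payments", with two Deployments whose Pods carry the labels version=v1 and version=v2; all three names are assumptions, not values from the page.

```yaml
# Added example (not from the original notes). Assumed names: Service
# "service-b" in namespace "payments", Pods labelled version=v1 / version=v2.
---
# The DestinationRule names the subsets the VirtualService can route to and
# carries the per-destination traffic policy, including circuit breaking.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: service-b
  namespace: payments
spec:
  host: service-b.payments.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  trafficPolicy:
    # Bound how much work a struggling backend can queue up before callers
    # start getting fast failures instead of slow timeouts.
    connectionPool:
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 10
    # Circuit breaking ("outlier detection" in Envoy terms). This is the
    # closest encoding of the rule in the text: a host that returns 3
    # consecutive 5xx responses is ejected from the load-balancing pool for
    # 1m; the sidecar re-evaluates hosts every 10s. Envoy multiplies the
    # ejection time by the number of times the same host has been ejected
    # (1m, then 2m, then 3m ...), so a persistently failing host stays out.
    outlierDetection:
      consecutive5xxErrors: 3
      interval: 10s
      baseEjectionTime: 1m
      # Default is 10%: with only a few Pods that can mean nothing is ever
      # ejected. 100 lets a fully failing subset be removed from the pool.
      maxEjectionPercent: 100
---
# The VirtualService does the weighted split: 90% of requests to v1, 10% to
# v2. Weights must sum to 100; the 1% canary asked for earlier in the text is
# simply weight: 99 / weight: 1 on the same two routes.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: service-b
  namespace: payments
spec:
  hosts:
  - service-b.payments.svc.cluster.local
  http:
  - route:
    - destination:
        host: service-b.payments.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: service-b.payments.svc.cluster.local
        subset: v2
      weight: 10
```

The split is applied by the caller's sidecar, so it only takes effect for traffic that passes through the mesh; a Pod without a sidecar calling service-b still gets the plain Kubernetes Service behaviour. Ejections are per-sidecar as well: each caller's proxy keeps its own view of which hosts are unhealthy.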
The Cost
Service Meshes are complex. They add latency (extra network hops) and significant operational overhead. Rule of Thumb: Don't use a Service Mesh until you have at least 20-30 microservices or strict compliance requirements for encryption.