.png)
IStio & Service Discovery
- Anand Nerurkar
- Sep 6
- 2 min read
.
šÆ First, the Context: Service Discovery Problem
In a microservices architecture, services are dynamic ā pods get created/destroyed, IPs change.We need:
A way to register servicesĀ (so they are discoverable).
A way for clients to discover them reliablyĀ (even if pods move).
A way to secure & observeĀ that communication.
Traditionally, weād use Eureka, Consul, or API Gateway for this.With Istio service mesh, this is handled differently.
ā Solution with Istio
1ļøā£ Service Registration
Istio relies on Kubernetes service registryĀ (or VM registration if hybrid).Hereās how it works in production:
Every microservice is deployed as a Kubernetes ServiceĀ + Deployment (or StatefulSet).
apiVersion: v1 kind: Service metadata: name: loan-service namespace: lending spec: selector: app: loan-service ports: - port: 8080 targetPort: 8080
When this Service is created, Kubernetes automatically registers it in the kube-apiserverĀ as a service endpoint.
Istioās PilotĀ component watches the Kubernetes API and updates the service registryĀ inside Istioās control plane (xDS).This registry is then pushed to all Envoy sidecars.
ā So, you donāt manually register services with Istio.You just deploy them as K8s Services ā Istio auto-discovers them.
2ļøā£ Service Discovery (how other services find it)
When another microservice (say, kyc-service) wants to call loan-service:
It resolves loan-service.lending.svc.cluster.localĀ using Kubernetes DNS.
The request is intercepted by the Envoy sidecarĀ injected by Istio.
Envoy consults its config (pushed by Istio Pilot) to know:
Service endpoints (load-balanced).
Policies (mTLS, retries, timeouts).
Routing rules (canary, traffic split).
Envoy then:
Establishes mTLS connectionĀ (service identity via Istio Citadel certs).
Routes to the correct pod (load balanced).
Collects telemetry (metrics, tracing).
3ļøā£ Service-to-Service Security (mTLS)
Istio issues SPIFFE identitiesĀ to each service (spiffe://cluster.local/ns/lending/sa/loan-sa).
Envoy uses these to encrypt and authenticate traffic ā no need to handle TLS inside microservice code.
4ļøā£ Advanced Discovery & Routing (Istio Features)
You can create Istio VirtualServicesĀ & DestinationRulesĀ for:
Canary deployments (route 10% to v2, 90% to v1).
Failover (if region A is down, route to region B).
Timeouts/retries/circuit breakers.
Fault injection for chaos testing.
Example VirtualServiceĀ for loan-service:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: loan-service
spec:
hosts:
- loan-service.lending.svc.cluster.local
http:
- route:
- destination:
host: loan-service.lending.svc.cluster.local
subset: v1
weight: 90
- destination:
host: loan-service.lending.svc.cluster.local
subset: v2
weight: 10
š¦ BFSI Production Considerations
Zero-trust network:Ā Istio + mTLS ensures even internal service calls are encrypted ā critical for SEBI/RBI compliance.
Audit:Ā Envoy sidecars produce logs for every request ā integrate with ELK/Prometheus for compliance evidence.
Service discovery across regions:Ā If multi-cluster, use Istio multi-clusterĀ or service mesh federationĀ (shared root CA).
š” Interview-ready Answer
āWith Istio, we donāt manually register services ā registration is automatic via Kubernetes service registry. Istio Pilot keeps a dynamic service registry and pushes it to Envoy sidecars.For discovery, services simply call each other by DNS name (<service>.<namespace>.svc.cluster.local), Envoy sidecar resolves endpoints, applies load balancing, security (mTLS), and routing policies.This gives us zero-trust communication, observability, retries, and advanced traffic management out-of-the-box ā which is critical in BFSI workloads for compliance and resilience.ā
Comments