.png)
Service Mesh In Microservices
- Anand Nerurkar
- Apr 18
- 3 min read
Updated: Apr 30
🧩 What is a Service Mesh?
A service mesh is an infrastructure layer that handles service-to-service communication in a microservices architecture. It sits between services and manages how they discover, connect, secure, and observe each other — without changing the application code.
Popular tools: Istio, Linkerd, Consul Connect
🛠️ Key Responsibilities of a Service Mesh
Responsibility | Description |
🔄 Traffic Management | Controls routing, load balancing, retries, failovers (like A/B testing, canary) |
🔐 Security (Zero Trust) | mTLS (mutual TLS) encryption for all service-to-service communication |
🧪 Observability | Out-of-the-box metrics, distributed tracing, and logging (e.g., Prometheus, Grafana) |
✅ Policy Enforcement | Define and enforce policies for rate-limiting, access control, timeouts |
🔁 Resilience | Supports retries, circuit breakers, timeout policies at the mesh layer |
🧾 Auditing | Track and audit communication flow without modifying app code |
🧱 Service Mesh Components (e.g., Istio)
Component | Role |
Envoy Proxy (Sidecar) | Intercepts traffic to/from each microservice |
Control Plane | Manages and configures all proxies |
Mixer / Telemetry | Collects telemetry data |
Citadel | Manages certificates and identity for mTLS |
🧬 How It Works (Example Flow)
Microservices are deployed with sidecar proxies (e.g., Envoy).
A service (say PaymentService) wants to call another (KYCService).
The call is routed via the sidecar, which:
Handles service discovery
Applies security policies
Collects telemetry
Enforces routing rules
The request is encrypted and routed to the destination via its own proxy.
🧳 Why Use a Service Mesh?
Benefit | Explanation |
Consistency | Centralized control over distributed communications |
Security by default | Encrypted traffic + identity verification |
Observability | No code changes for tracing/logging/metrics |
Developer Velocity | Developers focus on business logic, not infra plumbing |
Traffic Control | Safer deployments with canary releases, blue-green, etc. |
🔐 In Azure Context
On Azure Kubernetes Service (AKS):
Use Istio as service mesh
Integrated with Azure AD, Key Vault, and Azure Monitor
Works well with Azure API Management for external APIs
Would you like me to show:
A diagram of service mesh flow?
A sample Istio config for Spring Boot services?
How to set up mTLS for AKS with Istio?
text-based explanation of the Service Mesh flow for microservices,
Absolutely! Here's a clear, step-by-step text-based explanation of how a Service Mesh flow works in a typical microservices architecture—using Istio as the example mesh and Spring Boot microservices on Kubernetes (AKS).
🧩 Service Mesh Flow in Microservices (with Istio)
🎯 Actors in the Flow
Spring Boot Microservices (e.g., Customer Service, Loan Service)
Istio Sidecar Proxies (Envoy) – one per service pod
Istio Control Plane – configures sidecars
Istio Ingress Gateway – handles incoming traffic
Istio egress rules / policy / security enforcement
🔁 End-to-End Service Flow
Let’s say:👉 CustomerService wants to call LoanService
1. Request Sent via Sidecar (Outbound Proxy)
The CustomerService pod doesn’t call LoanService directly.
Instead, the request is intercepted and sent through its sidecar Envoy proxy.
The outbound proxy applies:
Routing rules
Traffic policies (e.g., retry, timeout)
mTLS encryption
Telemetry hooks
2. Service Discovery + Routing (Istio Control Plane)
The Envoy sidecar queries the Istio control plane to discover:
Where is LoanService?
Are there multiple versions?
Is traffic splitting needed (e.g., canary, blue-green)?
Control plane returns service endpoints with routing instructions.
3. Encrypted Communication (mTLS)
The request is encrypted via mutual TLS (mTLS).
This ensures:
Zero-trust networking
No one can spoof identity between services
4. Request Received by LoanService’s Sidecar (Inbound Proxy)
LoanService's sidecar (Envoy) authenticates and decrypts the request.
It enforces policies:
Authentication/authorization (e.g., JWT tokens)
Rate limits
Access control
5. LoanService Processes the Request
The actual business logic inside LoanService is executed.
A response is returned to its own sidecar.
6. Response Travels Back through Sidecars
Inbound sidecar → mTLS encryption → routed through service mesh → outbound sidecar of CustomerService
🛡️ Additional Mesh Capabilities
Capability | Where it Happens | Description |
Retries/Timeouts | Outbound Envoy | Prevents hanging requests |
Circuit Breakers | Outbound Envoy | Avoids cascading failures |
Tracing | Both sidecars | Traces pushed to Jaeger/Zipkin |
Metrics | Sidecars → Prometheus | For dashboarding (Grafana) |
Rate Limiting / Quotas | Sidecar + Policy Engine | Prevents abuse of APIs |
Authorization | Istio + Azure AD/JWT | Fine-grained access control |
🌐 For Ingress/Egress Traffic
Istio Ingress Gateway handles external traffic (API requests from UI/mobile).
Policies and mTLS apply here too.
Egress traffic (e.g., calling 3rd-party APIs) goes via Istio Egress Gateway with similar controls.
✅ Summary (Service Mesh Flow):
csharp[CustomerService]
|
[Outbound Sidecar (Envoy)]
|
[Istio Control Plane -> Discovery + Policy]
|
[mTLS Tunnel]
|
[Inbound Sidecar (LoanService Envoy)]
|
[LoanService Business Logic]
|
[Inbound Sidecar → Encrypt]
|
[Outbound Sidecar (CustomerService) → Decrypt]
Comments