Istio Overview Connect, secure and monitor services on GCP and in hybrid environments

Posted on 27-Jun-2020


Page 1:

Istio Overview

Connect, secure and monitor services on GCP and in hybrid environments

Page 2:

Confidential & Proprietary

Istio: An open services platform to manage service interactions across container and VM-based workloads

Page 3:

Distributed world

The trends of containerization, microservices and hybrid/multi-cloud deployments have created more distributed applications than ever.

Developers, devops and secops need modern tools to secure, manage and monitor distributed applications.

Page 4:

Everybody got all fired up about Kubernetes and microservices and then were like ‘Oh, s--t, what’s going on?’ Istio gives us a view of our entire system and lets us find trouble spots.

– An early adopter, who will remain nameless

Page 6:

We bring up a new version, flip all traffic to it, and if there’s something wrong we roll the whole thing back.

– Anonymous customer

Page 7:

What is a service mesh?

A service mesh provides a transparent, language-independent way to automate application network functions flexibly and easily: controlling, configuring and monitoring application-level requests, and providing resilience, routing, observability, fault injection and more.


Page 11:

Separate applications from infrastructure

Page 12:

Change service behavior and traffic flow without changing code

Decouple operation from development

Page 13:

Increase agility and let developers add business value

Page 14:

Composable services based on Istio Containers

Pages 15-16:

Istio Value Proposition

Securing service communications: Strongly authenticate services (not hosts) across heterogeneous deployment environments. Limit access to sensitive data to authorized services without relying on L3 controls. Understand the security posture of the production environment through service dependency graphs.

Uniform service-level observability: Monitor the “golden signals” (traffic, error rates and latency) for all services, and collect logs on all calls. Use distributed tracing for in-depth performance analysis. Service dependency graphs make it easy to debug and to understand latency and hotspots.

Traffic management and operational agility: Send inter-cluster and inter-environment traffic without manually provisioning ingress, egress, edge layers or hardware LBs. Change service behavior and traffic flow without redeploying or changing code. Control which services can talk to whom via policy and routing rules.

Page 17:

Securing Service Communications

● Secure by default, for new and existing applications.

● Meet compliance obligations by encrypting data in transit.

● mTLS gives every call a proven, service-based identity.

● All data is encrypted in transit.

● With strong identity, authorization can be explicitly required.
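The last two bullets (a proven identity from mTLS, then explicit authorization on top of it) as an added example; this is not configuration from the deck or from Google, and it uses the current Istio security API (security.istio.io/v1beta1), which postdates the Istio Auth component described here. The namespace `shop`, the `frontend` and `pictures` workloads, their service accounts and the `app` labels are assumed.

```yaml
# Added example (not from the deck): mesh-wide mTLS plus service-level authorization.
# Assumes Istio 1.x with the security.istio.io/v1beta1 API, a namespace "shop", and
# workloads labelled app=frontend / app=pictures running under Kubernetes service
# accounts "frontend" and "pictures".

# Weak setting, shown for contrast only (do not apply alongside the STRICT policy
# below; both are named "default" and the later one replaces the earlier one).
# PERMISSIVE accepts mTLS and plaintext, so a client without a sidecar, or anyone
# with network reach, can still talk to the service unauthenticated.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system       # a policy named "default" here is mesh-wide
spec:
  mtls:
    mode: PERMISSIVE
---
# Corrected setting: STRICT rejects plaintext, so every accepted connection carries
# a SPIFFE identity (spiffe://cluster.local/ns/<namespace>/sa/<serviceaccount>)
# that the authorization policy below can rely on.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Authorization: only the frontend's identity may read /pictures. Once an ALLOW
# policy is attached to a workload, every request that matches no rule is denied,
# which includes plaintext callers (no principal) and all other in-mesh services.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: pictures-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: pictures
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/pictures", "/pictures/*"]
```

Two checks worth running after applying this: a plain `curl http://pictures.shop/pictures` from a pod that has no sidecar should now fail at the connection level rather than return data, and `istioctl x describe pod <pictures-pod>` reports the effective mTLS mode and the authorization policy attached to the workload. One caveat: the principal is the Kubernetes service account, so any pod that runs as `shop/frontend` inherits this access; give each workload its own service account rather than letting several share the namespace default.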

Page 18:

Uniform application-level observability

1. Understand services and their dependencies.

2. Set, monitor and enforce SLOs on services.

3. Understand upstream and downstream impacts of service performance.

4. Bird's-eye view of service behavior for issue triage, reducing time to detect and triage.
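Point 2 (set, monitor and enforce SLOs) as an added example, not from the deck: alerting rules over the "golden signal" metrics that every Istio sidecar exports to Prometheus. It assumes the Prometheus Operator CRD (monitoring.coreos.com/v1) is installed, Istio's standard metrics `istio_requests_total` and `istio_request_duration_milliseconds`, and the same assumed `pictures.shop.svc.cluster.local` service; the thresholds are illustrative.

```yaml
# Added example (not from the deck): SLO alerts on Istio's standard golden-signal
# metrics. Assumes the Prometheus Operator (monitoring.coreos.com/v1) and an
# Istio 1.x sidecar that reports istio_requests_total and
# istio_request_duration_milliseconds_bucket for the assumed service
# pictures.shop.svc.cluster.local.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: pictures-slo
  namespace: shop
spec:
  groups:
  - name: pictures-golden-signals
    rules:
    # Error rate: share of 5xx responses as seen by the server-side sidecar.
    # reporter="destination" avoids counting the client-side report as well.
    - alert: PicturesErrorRateHigh
      expr: |
        sum(rate(istio_requests_total{reporter="destination",
              destination_service="pictures.shop.svc.cluster.local",
              response_code=~"5.."}[5m]))
        /
        sum(rate(istio_requests_total{reporter="destination",
              destination_service="pictures.shop.svc.cluster.local"}[5m]))
        > 0.01
      for: 10m
      labels:
        severity: page
      annotations:
        summary: "pictures 5xx rate above 1% for 10m (SLO: 99% success)"
    # Latency: p99 computed from the sidecar's histogram, in milliseconds.
    - alert: PicturesLatencyP99High
      expr: |
        histogram_quantile(0.99,
          sum(rate(istio_request_duration_milliseconds_bucket{reporter="destination",
                destination_service="pictures.shop.svc.cluster.local"}[5m]))
          by (le))
        > 500
      for: 10m
      labels:
        severity: ticket
      annotations:
        summary: "pictures p99 latency above 500ms for 10m"
    # Dependency signal: the source_workload labels are what the service
    # dependency graph is drawn from, so any caller other than the expected
    # frontend is either a new dependency nobody declared or a policy bypass.
    - alert: PicturesUnexpectedCaller
      expr: |
        sum by (source_workload, source_workload_namespace) (
          rate(istio_requests_total{reporter="destination",
                destination_service="pictures.shop.svc.cluster.local",
                source_workload!="frontend"}[5m])) > 0
      for: 5m
      labels:
        severity: page
      annotations:
        summary: "{{ $labels.source_workload_namespace }}/{{ $labels.source_workload }} is calling pictures"
```

The third rule is the security-relevant one: the same per-call telemetry that draws the dependency graph also tells you when a workload that should not be calling a service starts to. Because sidecar metrics only exist for traffic that passed through a sidecar, a caller that bypasses the mesh shows up as nothing at all; pair this with STRICT mTLS so such calls are refused rather than merely unobserved.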

Page 19:

Traffic management and operational agility

1. Direct traffic away from starving instances.

2. Scale by directing traffic to multiple versions.

3. Roll out new versions without worrying about ops challenges.

4. Apply access control and rate-limiting policies to protect services from bad behavior.

Page 20:

What we learned running 2B containers a week

The more capability that can be built into a platform, the more secure and stable your applications will be. Strong service identity enables proper authorization. Traffic control ensures safe rollouts.

Page 21:

Enable customers to secure, monitor and manage services everywhere. Kubernetes first, but not Kubernetes only.

Page 22:

istio.io

github.com/istio

cloud.google.com/[email protected]

Twitter: @IstioMesh

@danciruli

Page 23:

Architectural components

● Pilot: Control plane that configures the proxies and pushes service communication policies to them.

● Envoy: Network proxy, deployed as a sidecar, that intercepts communication and applies policies.

● Mixer: Policy enforcement and telemetry collection, with a flexible plugin (adapter) model for policy and backend providers.

● Istio Auth: Service-to-service authentication and authorization using mutual TLS, with built-in identity and credential management.

(This is the pre-1.0 architecture. Since Istio 1.5 the control-plane components have been consolidated into a single istiod process, and Mixer was deprecated and later removed, with telemetry and policy handled in the Envoy proxies themselves.)

[Figure: Service A's proxy and Service B's proxy in the data plane beneath the Control Plane API; Pilot pushes config data to the Envoys, Istio Auth pushes TLS certs to the Envoys, and the proxies send policy checks and telemetry to Mixer.]

Page 24:

Pilot: Configuring the data plane

● Observe service topology
○ Kubernetes pods, services & ingress rules
○ Aware of VM-based services in the mesh via Consul integration

● Routing rules
○ Merge with routing rules from config
○ Roll out routing policies with no downtime/redeployment

● Push configuration to sidecars
● Can act as a look-aside LB
● Can integrate/read state from registries like Consul, Eureka

Page 25:

Envoy: High performance proxy

● A C++ based L4/L7 proxy
● Low memory footprint
● Battle-tested @ Lyft
○ 100+ services
○ 10,000+ VMs
○ 2M req/s

● API-driven config updates → no reloads
● Zone-aware load balancing w/ failover
● Traffic routing and splitting
● Health checks, circuit breakers, timeouts, retry budgets, fault injection, …
● HTTP/2 & gRPC
● Transparent proxying
● Designed for observability
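The traffic-management points of pages 19 (direct traffic away from starving instances, multiple versions, safe rollouts), 24 (routing rules rolled out by Pilot without redeployment) and 25 (Envoy's traffic splitting, circuit breakers, timeouts and retries) as one added example, not from the deck: the rules Pilot would push to the sidecars. It uses the current networking.istio.io/v1beta1 API, which postdates this deck, and assumes a service `pictures.shop.svc.cluster.local` whose pods carry `version=v1` or `version=v2` labels.

```yaml
# Added example (not from the deck): routing and resilience rules for the assumed
# service pictures.shop.svc.cluster.local. Assumes Istio 1.x with the
# networking.istio.io/v1beta1 API and pods labelled version=v1 / version=v2.

# DestinationRule: names the versions and sets the per-host resilience policy.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: pictures
  namespace: shop
spec:
  host: pictures.shop.svc.cluster.local
  trafficPolicy:
    connectionPool:              # circuit breaker: cap in-flight work per pod
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 10
        maxRetries: 3            # retries outstanding to the whole service at once
    outlierDetection:            # "direct traffic away from starving instances"
      consecutive5xxErrors: 5    # eject a pod after 5 consecutive 5xx responses
      interval: 10s              # how often ejection is evaluated
      baseEjectionTime: 30s      # ejection length; grows on repeated ejections
      maxEjectionPercent: 50     # never eject more than half the endpoints
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# VirtualService: a 10% canary instead of "flip all traffic and roll back".
# Changing the weights is a config push from Pilot, not a redeploy.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: pictures
  namespace: shop
spec:
  hosts:
  - pictures.shop.svc.cluster.local
  http:
  - timeout: 2s                  # bound on the total time the caller waits
    retries:
      attempts: 2
      perTryTimeout: 500ms
      retryOn: 5xx,reset,connect-failure
    route:
    - destination:
        host: pictures.shop.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: pictures.shop.svc.cluster.local
        subset: v2
      weight: 10
```

`istioctl analyze -n shop` validates the two resources against each other (a subset referenced by the VirtualService but missing from the DestinationRule is a common mistake). Two caveats a practitioner would want: retrying on `5xx` re-sends non-idempotent requests, so restrict `retryOn` or the matched routes for writes, and keep `maxRetries` low so retries do not pile more load onto a backend that is already failing; and the weights only govern traffic that passes through a sidecar, so a caller without one bypasses the canary split entirely, which is one more reason to require mTLS from every peer.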

Page 26:

Mixer: Operator control plane

● Called by Envoy to gate traffic & report telemetry
○ Response caching in Envoy for performance

● Pluggable component for integrating monitoring & logging systems, policy and more
○ Metrics and logs can be sent to a variety of backend collection systems with a well-known API
○ Policy

[Figure: the frontend proxy calls the pictures proxy; the proxy reports request attributes to Mixer (API: /pictures, Latency: 10ms, Status Code: 503, src: 10.0.0.1, dst: 10.0.0.2), and Mixer adapters forward them to InfluxDB, Prometheus or custom backends.]

Page 27:

Istio Auth: certs & more

● Certificate management
● Service-level authorization
● Understand access patterns: security analytics, ACL recommendations, path analysis, production lockdown

[Figure: Service A (client) and Service B (server), each on a container, VM or bare metal with a sidecar proxy; the proxies carry the data flow over mTLS (secure data transmission); on the control flow, Istio Auth issues certificates and the Service Discovery Service supplies secure naming info to the proxies; on the AuthZ++ flow, the proxies consult Mixer's authz plugin.]