I’m going to explain why you might want to use a service mesh, how the Istio service mesh works, and some core concepts to help you get started quickly.

In this lightboarding video, I cover the four reasons why you want to use a service mesh, some of the main components, and the three main resources that you need to learn about to get started with and configure Istio.

I hope you enjoy this overview, and make sure to subscribe to the YouTube channel and check out our other lightboarding features!

Learn more

Video Transcript

Istio Service Mesh Explained

Hi, I’m Ram Vennam, I’m from the IBM Cloud team, and today I want to talk to you about why you might want to use a service mesh, how the Istio service mesh works, and some core concepts for you to get started quickly.

Four reasons to use a service mesh

Let’s use this example application. I have a UI microservice talking to two versions of catalog, which talk to inventory.

All of these are services deployed inside of a Kubernetes cluster. 


The number one reason why someone uses a service mesh is because they want to secure their workload. So they want mutual TLS (mTLS) when one service is talking to another.


Next, they want to dynamically configure how the services are connected to one another. So, in this example, there’s version 1 and version 2, so I might want to send 90% of the traffic to version 1 and then 10% of the traffic to version 2 while I do testing and incremental rollouts.

I might also want to try adding retry policies and circuit braking to harden my system.


Three, I want to observe how my application is doing end-to-end; not just if a service is up or down, but see where the bottlenecks are in the system and how traffic is flowing.


And four, I want to control who has access to talk to what. In this example, UI is allowed to talk to catalog, and catalog is allowed to talk to inventory. But, UI is not allowed to talk to inventory directly, and rogue containers cannot talk to inventory service.

You can get more granular than that and say that UI is allowed to make an HTTP Git request and catalog is a lot to make a post request to inventory.

Istio components and benefits 

In the past, we used to have our developers program all of these features directly into their application code. That slowed down the dev cycle, it made these microservices bigger, and just generally made everything less flexible. 

But now there’s a better way, and that’s the service mesh. You keep your application small and business-focused, and instead, you dynamically program the intelligence into the network, and that’s exactly what Istio does.

Envoy proxies 

So when you have Istio installed, first thing you’ll do is it’ll automatically inject proxies next to each one of your containers and these proxies are envoy proxies, and the proxy itself runs in a container next to your application container, but it runs inside the same Kubernetes pod.

Now, when UI wants to talk to the catalog, the proxy will actually intercept that request, apply any policies and then route traffic to the proxy on the other side and then the catalog proxy will receive that request and then forward it down to a catalog.

Istio will configure each one of these proxies with your desired configuration. Istio extends Kubernetes using CRDs, so to apply an Istio configuration, you just write your YAML and then apply it to Kubernetes.

Galley and Pilot

The Istio Galley component will receive that YAML, validate it, and then hand it over to Istio Pilot. 

Pilot will convert that configuration to envoy configuration and distribute it to each one of the proxies.


If you want the proxies to add additional policies and roles, there is a Policy component. 


And then, these proxies constantly report telemetry information about what’s going on into your system to the Istio Telemetry component.


And last but not least there is Citadel.

Citadel is responsible for providing strong identity to each one of the services in your system. It also generates certificates and rolls it out to each one of the proxies so that the proxies can do mutual TLS when they’re talking to one another.

Three important Istio resources

To get started with Istio and to configure Istio, there’s three main resources that you need to learn about.


First there’s the Gateway.

Gateway is like a load balancer that sits at the edge of your mesh and accepts incoming and outgoing HTTP and TCP connections.

Virtual service

Next, to direct traffic from Gateway to your services, you create a Virtual Service.

And a Virtual Service can be bound to a Gateway and direct traffic to UI, or it could be bound to a service and then direct traffic to your other services, where you can apply policies like 90% and 10% traffic split rules.

Destination rules

Once traffic is routed, you can apply rules on top of that traffic such as TLS settings or circuit braking and those are done using destination rules.

And those are the three main resources you need to know about Istio.

I’m actually going to put Policy and Telemetry in asterisks because there’s some refactoring that’s going on with these components.

The logic is being moved outside of this control plane and into the proxies themselves to avoid the additional network hop. This translates to improved performance.


More from compute

Mainframe Application Modernization Beyond Banking

4 min read - Looking at mainframe modernization in industries like insurance, automotive and retail. This is part one in a five-part series on mainframe modernization. When you think of the world’s biggest modernization challenges, you immediately think of banking, and for good reason. Banks were among the first to roll out advanced mobile apps some 15 years ago, and they had already started offering online services in the mid-1990s. Well before that, banks were interacting through massive electronic payment gateways and operating mainframe…

IBM Tech Now: April 17, 2023

< 1 min read - Envizi + Turbonomic, IBM Power Updates and the IBM CIS Standard Next Plan  Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 74 Watch the video This week, we're focusing on the following topics: IBM Envizi + IBM Turbonomic IBM Power Updates IBM…

Focusing on Increasing Our Clients’ Profitability and Performance When They Need It Most

4 min read - Exciting updates from IBM Power. As we noted last quarter when we announced this year’s strategic direction for IBM Power, one of the most common questions we hear from our clients is how they can trim their IT spending without compromising performance and data protection. A short time later, these concerns are even more prevalent as the global economic market continues to fluctuate and perpetuate uncertainty amidst rising interest rates and inflation. As the demand on IT services continues to…

Securing the Boot Process for IBM Cloud Bare Metal Servers for VPC

4 min read - IBM Cloud Bare Metal Servers for VPC have been available for almost a year, and we continue the steady rollout of additional features to ensure bare metal servers meet our customers’ requirements. The latest IBM Cloud Bare Metal Servers for VPC features are focused squarely on security by providing customers with the ability to enable Secure Boot and to use a Trusted Platform Module (TPM 2.0). Secure Boot and TPM are software- and hardware-based mechanisms used to validate and enforce…