What is a Service Mesh
Key idea:
Service Mesh — infrastructure layer managing communication between microservices. Sidecar proxies (Envoy) intercept all traffic → handle: mTLS encryption, retries, circuit breakers, traffic shaping, observability (metrics/traces). Examples: Istio (most featured), Linkerd (lightweight), Consul Connect, AWS App Mesh. Overhead: +2-5 ms latency per hop, more memory.
Below: details, example, related terms, FAQ.
Details
- Sidecar pattern: every pod has an Envoy proxy container
- Control plane: manages all sidecars (Istio istiod, Linkerd control plane)
- mTLS by default: zero-trust networking inside cluster
- Traffic management: weighted routing, canary, A/B without app code
- Observability: auto-generated traces, metrics, mTLS cert rotation
Example
# Istio VirtualService — 10% traffic to v2
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
spec:
http:
- route:
- destination: { host: my-service, subset: v1 }
weight: 90
- destination: { host: my-service, subset: v2 }
weight: 10Related Terms
Learn more
Frequently Asked Questions
Service mesh or API gateway?
Gateway — north-south (ingress). Mesh — east-west (service-to-service). Complementary.
Overkill for a small cluster?
For < 10 services — yes. Complexity doesn't pay off. For 50+ services + mTLS requirement — worth it.
Istio or Linkerd?
Istio: feature-rich, steep learning curve. Linkerd: lightweight Rust, simpler UX. For starters — Linkerd.