Understanding the Istio architecture – Implementing Traffic Management, Security, and Observability with Istio

Istio simplifies microservices management through two fundamental components:

  • Data plane: This comprises the sidecar envoy proxies that Istio injects into your microservices. These proxies take on the essential role of routing traffic between various services, and they also collect crucial telemetry data to facilitate monitoring and insights.
  • Control plane: The control plane serves as the command center, instructing the data plane on how to route traffic effectively. It also handles the storage and management of configuration details, making it easier for administrators to interact with the sidecar proxy and take control of the Istio service mesh. In essence, the control plane functions as the intelligence and decision-making hub of Istio.

Similarly, Istio manages two types of traffic:

  • Data plane traffic: This type of traffic consists of the core business-related data exchanged between your microservices. It encompasses the actual interactions and transactions that your application handles.
  • Control plane traffic: In contrast, the control plane traffic consists of messages and communications between Istio components, and it is chiefly responsible for governing the behavior of the service mesh. It acts as the control mechanism that orchestrates the routing, security, and overall functioning of the microservices architecture.

The following diagram describes the Istio architecture in detail:

Figure 15.3 – Istio architecture

As the preceding diagram shows two distinct parts, the control plane and the data plane, let’s go ahead and understand each of them.

The control plane architecture

Istio ships the control plane as a single istiod component. The Istio control plane, or istiod, comprises several critical components, each playing a distinct role in managing your service mesh.

Pilot

Pilot serves as the central control hub of the service mesh. It communicates with the envoy sidecars using the Envoy API and translates the high-level rules specified in Istio manifests into envoy configurations. Pilot enables service discovery, intelligent traffic management, and routing capabilities. It empowers you to implement practices such as A/B testing, Blue/Green deployments, canary rollouts, and more. Additionally, Pilot enhances the resiliency of your service mesh by configuring sidecars to handle tasks such as timeouts, retries, and circuit breaking. One of its notable features is providing a bridge between Istio configuration and the underlying infrastructure, allowing Istio to run on diverse platforms such as Kubernetes, Nomad, and Consul. Regardless of the platform, Pilot ensures consistent traffic management.

Citadel

Citadel focuses on identity and access management within your service mesh, fostering secure communication between Kubernetes pods. It safeguards your pods by ensuring encrypted communication, even if your developers have designed components with insecure TCP connections. Citadel simplifies the implementation of mutual TLS by managing the complexities of certificates. It offers user authentication, credential management, certificate handling, and traffic encryption, ensuring pods can securely validate one another when necessary.
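The following manifests are an added example, not code from the book or the Istio project, showing how the mutual TLS and identity features described for Citadel are switched on in practice. The namespace shop, the labels legacy-reports and payments, port 8080 and the checkout service account are assumptions chosen for illustration. Istio's out-of-the-box default is PERMISSIVE, which still accepts plaintext; the first resource replaces that weak default with STRICT for the whole mesh, the second carves out a narrow exception for one legacy port, and the third uses the workload identity carried in the Citadel-issued certificate to decide who may call the payments service.

```yaml
# Added example (not from the book): mesh-wide STRICT mTLS with one scoped
# exception, plus an identity-based access rule. Namespace, labels and the
# service-account name are assumptions for illustration.

# 1. Mesh-wide default: reject plaintext. A PeerAuthentication named
#    "default" in the root namespace (istio-system) applies to every
#    workload that has no narrower policy. Istio's own default is
#    PERMISSIVE, which still accepts plaintext and is the weak setting.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Scoped exception: a legacy workload that still receives plaintext
#    from outside the mesh on a single port. The exception is bound to a
#    selector and one port, so everything else in the namespace stays STRICT.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-reports-ingest
  namespace: shop            # assumed namespace
spec:
  selector:
    matchLabels:
      app: legacy-reports    # assumed label
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:                    # assumed port
      mode: PERMISSIVE
---
# 3. Identity-based access: the certificate Citadel issues carries the
#    workload's SPIFFE identity (cluster.local/ns/<ns>/sa/<service-account>).
#    Only the checkout service account may call payments; once an ALLOW
#    policy selects a workload, every caller it does not list is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments          # assumed label
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/shop/sa/checkout"   # assumed service account
```

Two points worth checking after applying these: a caller that reaches a workload over plaintext (possible only where PERMISSIVE still applies) presents no principal, so a principals-based ALLOW rule denies it, which is the intended fail-closed behaviour; and the certificate a sidecar actually holds can be inspected with istioctl proxy-config secret <pod>.<namespace>, while kubectl get peerauthentication -A lists every mTLS policy in effect so a stray PERMISSIVE override does not go unnoticed.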

Galley

Galley is responsible for essential configuration tasks within your service mesh. It validates, processes, and distributes configuration changes throughout the Istio control plane. For example, when you apply a new policy, Galley ingests the configuration, validates its accuracy, processes it for the intended components, and seamlessly disseminates it within the service mesh. In essence, Galley serves as the interface through which the Istio control plane interacts with the underlying APIs, facilitating the smooth management of your service mesh.
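As an added example (not the book's or the project's own code) covering both the Pilot and Galley sections above, the manifests below express the features Pilot pushes to the sidecars: a canary split between two subsets, a request timeout, bounded retries, connection limits and circuit breaking via outlier detection. The service name reviews, the subsets v1 and v2 and the namespace shop are assumptions.

```yaml
# Added example (not from the book): the traffic-management features the
# Pilot section lists, written as Istio manifests. The service name
# "reviews", subsets v1/v2 and the namespace are assumptions.

# DestinationRule: declares the subsets a canary routes between and the
# resiliency settings Pilot translates into Envoy cluster configuration.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: shop            # assumed namespace
spec:
  host: reviews              # assumed service name
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  trafficPolicy:
    connectionPool:          # bulkhead: cap what one client may open
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 10
        maxRequestsPerConnection: 10
    outlierDetection:        # circuit breaking: eject hosts that keep failing
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50 # never eject more than half of the pool
---
# VirtualService: canary rollout (90/10 split) with a timeout and bounded
# retries. Pilot translates this into Envoy route configuration.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: shop
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
    timeout: 3s              # overall budget for the request
    retries:
      attempts: 2
      perTryTimeout: 1s      # each attempt must fit inside the 3s budget
      # Retry only on failures that cannot have reached the application;
      # retrying on every 5xx would duplicate non-idempotent writes and
      # amplify load on a service that is already struggling.
      retryOn: connect-failure,refused-stream,unavailable
```

The validation role the Galley section describes is what stands between these files and the sidecars: kubectl apply --dry-run=server -f <file> sends the manifests through Istio's validating admission webhook without persisting them, so a malformed field is rejected before Pilot ever sees it, and istioctl analyze -n shop reports semantic problems the schema check cannot catch, such as a VirtualService that routes to a subset no DestinationRule defines.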

Now, let’s dive deep into understanding the data plane architecture.

The data plane architecture

The data plane component of Istio is composed of envoy proxies, ingress gateways, and egress gateways.
