Istio
Service mesh platform. Comprehensive microservices management including API Gateway functionality. Integrates traffic management, security, and observability.
Overview
Istio is a comprehensive service mesh platform that provides a unified approach to secure, connect, and monitor microservices, including powerful API Gateway functionality through its ingress gateway capabilities. As a CNCF graduated project, Istio has become the de facto standard for service mesh implementations in Kubernetes environments, offering advanced traffic management, security policies, and observability features. Built on Envoy Proxy, Istio creates a dedicated infrastructure layer that handles service-to-service communication, while its ingress gateway component serves as a sophisticated API Gateway for external traffic, providing features like traffic routing, load balancing, authentication, and rate limiting at the edge of the mesh.
Details
As of 2025, Istio remains the leading service mesh, with a mature, production-ready platform that combines service mesh and API Gateway capabilities in a single solution. The platform is split into a control plane (istiod) and a data plane (Envoy proxies), and manages traffic across both north-south (ingress/egress) and east-west (service-to-service) communication patterns. Istio's API Gateway functionality is implemented through ingress gateways that run the same Envoy proxy used throughout the mesh, so behaviour and policies stay consistent at the edge and inside the mesh. The platform supports both Istio's native APIs (VirtualService, Gateway, DestinationRule) and the standard Kubernetes Gateway API, giving flexibility for different deployment scenarios and migration paths.
Key Features
- Unified Service Mesh and API Gateway: Single platform for both internal and external traffic management
- Advanced Traffic Management: Sophisticated routing, load balancing, and traffic splitting capabilities
- Zero-Trust Security: mTLS, authentication, authorization, and policy enforcement
- Comprehensive Observability: Built-in metrics, distributed tracing, and access logging
- Multi-Protocol Support: HTTP/HTTPS, gRPC, TCP, and WebSocket protocol handling
- Kubernetes Gateway API: Support for standard Gateway API alongside Istio APIs
Advantages and Disadvantages
Advantages
- Comprehensive solution combining service mesh and API Gateway functionality in a single platform
- Production-proven at scale with extensive enterprise adoption and CNCF graduated project status
- Advanced security features with automatic mTLS, fine-grained access control, and security policies
- Rich observability capabilities providing deep insights into traffic patterns and service behavior
- Kubernetes-native design with strong ecosystem integration and vendor-neutral approach
- Active development and strong community support with regular updates and feature enhancements
Disadvantages
- Complexity and learning curve requiring significant expertise in service mesh concepts and configuration
- Resource overhead with sidecar proxy deployment increasing memory and CPU usage per service
- Kubernetes dependency limiting deployment options to container orchestration environments
- Configuration complexity for advanced use cases requiring deep understanding of Envoy and Istio internals
- Potential performance impact from proxy chain and additional network hops in service communication
- Operational overhead for monitoring, upgrading, and troubleshooting the mesh infrastructure
Code Examples
Installation and Basic Setup
```bash
# Download and install Istio
curl -L https://istio.io/downloadIstio | sh -
cd istio-1.24.0
export PATH=$PWD/bin:$PATH

# Install Istio with default configuration
istioctl install --set values.defaultRevision=default

# Verify installation
kubectl get pods -n istio-system

# Enable automatic sidecar injection
kubectl label namespace default istio-injection=enabled

# Install sample applications for testing
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
```
Gateway Configuration (Istio APIs)
```yaml
# Istio Gateway - Entry point for external traffic
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway # Use Istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.example.com"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      # The Secret is read from the namespace of the ingress gateway pod
      # (istio-system by default), not from the namespace of this Gateway
      credentialName: bookinfo-tls-secret
    hosts:
    - "bookinfo.example.com"
---
# VirtualService - Traffic routing configuration
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
  namespace: default
spec:
  hosts:
  - "bookinfo.example.com"
  gateways:
  - bookinfo-gateway
  http:
  # Each match entry is an alternative (OR); paths matching none of them get 404
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
```
Kubernetes Gateway API Configuration
```yaml
# Kubernetes Gateway API - Alternative to Istio Gateway
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: default
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    hostname: "bookinfo.example.com"
    port: 80
    protocol: HTTP
  - name: https
    hostname: "bookinfo.example.com"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      # Resolved in this Gateway's namespace (default); a Secret in another
      # namespace additionally needs a ReferenceGrant
      - name: bookinfo-tls-secret
---
# HTTPRoute - Traffic routing with Gateway API
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: bookinfo-route
  namespace: default
spec:
  parentRefs:
  - name: bookinfo-gateway
  hostnames:
  - "bookinfo.example.com"
  rules:
  - matches:
    - path:
        type: Exact
        value: /productpage
    backendRefs:
    - name: productpage
      port: 9080
  - matches:
    - path:
        type: PathPrefix
        value: /api/v1/products
    backendRefs:
    - name: productpage
      port: 9080
```
Advanced Traffic Management
```yaml
# Weighted routing for canary deployments
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews-canary
spec:
  hosts:
  - reviews
  http:
  # Rules are evaluated in order: the header match is tried before the weighted split
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 80
    - destination:
        host: reviews
        subset: v2
      weight: 20
---
# DestinationRule - Service versions and load balancing
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 10
        maxRequestsPerConnection: 2
    # Circuit breaking is configured through outlierDetection; the
    # DestinationRule API has no "circuitBreaker" field
    outlierDetection:
      consecutive5xxErrors: 3
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
```
Security Configuration
```yaml
# PeerAuthentication - mTLS configuration
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT # plaintext connections to workloads in this namespace are rejected
---
# AuthorizationPolicy - Access control
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-auth
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  rules:
  # from, to and when inside ONE rule are ANDed. Splitting them into three
  # separate rules would OR them, allowing any GET or any Mozilla user-agent
  # regardless of the caller's identity
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET"]
    when:
    - key: request.headers[user-agent]
      values: ["Mozilla/*"]
---
# RequestAuthentication - JWT validation
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  jwtRules:
  - issuer: "https://auth.example.com"
    jwksUri: "https://auth.example.com/.well-known/jwks.json"
    audiences:
    - "bookinfo-api"
```
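A RequestAuthentication on its own only rejects requests that present an invalid token; a request with no Authorization header at all is still admitted to productpage. The pairing below is an added example, not part of the page or the Istio project: a namespace-wide default-deny policy plus an ALLOW policy that requires a request principal issued by the page's issuer, https://auth.example.com. The claim name groups and the value bookinfo-users are assumptions for illustration.

```yaml
# Added example: deny every request to workloads in "default" that no other
# AuthorizationPolicy explicitly allows. An empty spec matches no request,
# so with this in place each workload needs its own ALLOW policy.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec: {}
---
# Added example: admit requests to productpage only when they carry a JWT
# that the jwt-auth RequestAuthentication validated. requestPrincipals has
# the form "<iss>/<sub>"; the trailing "*" accepts any subject of this issuer.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://auth.example.com/*"]
    when:
    # Assumed claim name and value, used only to show claim-based narrowing
    - key: request.auth.claims[groups]
      values: ["bookinfo-users"]
```

Apply deny-all first and then the allow policies, and confirm the effect from inside the mesh: a request to productpage without a token should now return HTTP 403, one with a valid token from the configured issuer and the assumed group claim should return 200. Because deny-all also covers reviews, details and ratings, each of those needs a matching ALLOW policy (for example on `principals` of the calling service account) or the Bookinfo pages will stop rendering.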
Rate Limiting and Traffic Policies
```yaml
# EnvoyFilter - Rate limiting configuration
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.local_ratelimit
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
          value:
            stat_prefix: http_local_rate_limiter
            # Local rate limiting is per Envoy instance: with N gateway
            # replicas the effective limit is N x 100 requests per minute
            token_bucket:
              max_tokens: 100
              tokens_per_fill: 100
              fill_interval: 60s
            filter_enabled:
              runtime_key: local_rate_limit_enabled
              default_value:
                numerator: 100
                denominator: HUNDRED
            filter_enforced:
              runtime_key: local_rate_limit_enforced
              default_value:
                numerator: 100
                denominator: HUNDRED
---
# ServiceMonitor for Prometheus metrics (control plane)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: istio-proxy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istiod
  endpoints:
  - port: http-monitoring
    interval: 15s
    # istiod serves its metrics at /metrics; /stats/prometheus is the Envoy
    # sidecar endpoint (port 15090), which is scraped with a PodMonitor
    path: /metrics
```
Observability Configuration
```yaml
# Telemetry configuration for metrics and tracing
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: default
  namespace: istio-system # root namespace: applies mesh-wide
spec:
  metrics:
  - providers:
    - name: prometheus
    overrides:
    - match:
        metric: ALL_METRICS
      tagOverrides:
        request_protocol:
          value: "http"
  tracing:
  - providers:
    - name: jaeger # must be declared under meshConfig.extensionProviders
  accessLogging:
  - providers:
    - name: otel # likewise an extensionProviders entry
---
# Jaeger tracing configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |
    defaultConfig:
      proxyStatsMatcher:
        inclusionRegexps:
        - ".*outlier_detection.*"
        - ".*circuit_breakers.*"
        - ".*upstream_rq_retry.*"
        - ".*_cx_.*"
      tracing:
        zipkin:
          address: jaeger-collector.istio-system:9411
        # Percentage of requests traced (0.0 to 100.0); 1.0 means 1%, not 100%
        sampling: 1.0
```
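The Telemetry resource above names the providers jaeger and otel, but only prometheus is built in; the other two have to be declared as extension providers in the mesh configuration or the tracing and access-logging sections are ignored. The following declaration is an added example, not from the page or the Istio project; the collector service names and ports are assumptions.

```yaml
# Added example: declare the providers referenced by the Telemetry resource.
# Service names and ports are assumed for illustration.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: control-plane
  namespace: istio-system
spec:
  meshConfig:
    extensionProviders:
    # Zipkin-compatible collector for the "jaeger" tracing provider
    - name: jaeger
      zipkin:
        service: jaeger-collector.istio-system.svc.cluster.local
        port: 9411
    # OpenTelemetry gRPC access-log sink for the "otel" access-logging provider
    - name: otel
      envoyOtelAls:
        service: opentelemetry-collector.istio-system.svc.cluster.local
        port: 4317
```

The same keys can be placed at the top level of the `mesh` string in the istio ConfigMap shown above; the IstioOperator form is preferred because `istioctl install` regenerates that ConfigMap and overwrites hand edits.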
Egress Gateway Configuration
```yaml
# ServiceEntry - External service registration
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS
---
# Gateway for egress traffic
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - httpbin.org
---
# VirtualService for egress routing
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: direct-httpbin-through-egress-gateway
spec:
  hosts:
  - httpbin.org
  gateways:
  - mesh
  - istio-egressgateway
  http:
  # Sidecars (the reserved "mesh" gateway) send httpbin.org traffic to the egress gateway
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 80
      weight: 100
  # The egress gateway then forwards it to the external host
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: httpbin.org
        port:
          number: 80
      weight: 100
```
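Routing httpbin.org through the egress gateway only controls that one host: with Istio's default outbound policy (ALLOW_ANY) a sidecar passes traffic to any unregistered external destination straight through, so the gateway is easy to bypass. The settings below are an added example, not from the page or the Istio project, showing how to make the ServiceEntry act as the allow-list and how to narrow what a namespace can reach at all.

```yaml
# Added example: only hosts with a ServiceEntry (or a Kubernetes Service) are
# reachable. Unregistered destinations get a TCP reset or HTTP 502 from the
# sidecar instead of being passed through.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: control-plane
  namespace: istio-system
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
---
# Added example: restrict workloads in "default" to their own namespace
# (which holds the httpbin-ext ServiceEntry when it is applied there) and to
# istio-system, where the egress gateway runs. Everything else is not even
# programmed into the sidecar's configuration.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: default
spec:
  egress:
  - hosts:
    - "./*"
    - "istio-system/*"
```

After applying REGISTRY_ONLY, a request from a sidecar-injected pod to an external host without a ServiceEntry should fail, while the httpbin.org request still succeeds and shows up in the egress gateway's access log; that log line is the evidence that the traffic took the controlled path rather than leaving directly from the pod.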
Multi-Cluster Configuration
```yaml
# Cross-cluster service discovery
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cross-network-gateway
  namespace: istio-system
spec:
  selector:
    istio: eastwestgateway
  servers:
  - port:
      number: 15443
      name: tls
      protocol: TLS
    tls:
      # Passthrough keeps workload-to-workload mTLS end to end; the east-west
      # gateway routes on SNI only and never sees the plaintext
      mode: AUTO_PASSTHROUGH
    hosts:
    - "*.local"
---
# Multi-cluster mesh configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |
    defaultConfig:
      meshId: mesh1
      clusterName: cluster1
    defaultProviders:
      metrics:
      - prometheus
    extensionProviders:
    - name: prometheus
      prometheus: {}
```
Production Deployment Configuration
```yaml
# IstioOperator for production installation
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: control-plane
spec:
  values:
    global:
      meshID: mesh1
      multiCluster:
        clusterName: cluster1
      network: network1
  components:
    pilot:
      k8s:
        resources:
          requests:
            cpu: 500m
            memory: 2048Mi
          limits:
            cpu: 1000m
            memory: 4096Mi
        hpaSpec:
          maxReplicas: 5
          minReplicas: 2
          scaleTargetRef:
            apiVersion: apps/v1
            kind: Deployment
            name: istiod
          metrics:
          - type: Resource
            resource:
              name: cpu
              target:
                type: Utilization
                averageUtilization: 80
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
        hpaSpec:
          maxReplicas: 10
          minReplicas: 3
        service:
          type: LoadBalancer
          annotations:
            service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
```