Istio is an open source independent service mesh that provides the fundamentals you need to successfully run a distributed microservice architecture. As organizations increasingly adopt cloud platforms, developers have to architect for portability using microservices, while operators have to manage large distributed deployments that span hybrid and multi-cloud deployments. Istio reduces complexity of managing microservice deployments by providing a uniform way to secure, connect, and monitor microservices.
Istio enhances the security of microservices and their communication — both service-to-service and end-user-to-service — without requiring service code changes. It gives each service a strong identity based on its role to enable interoperability across clusters and clouds.
Defense in depth
When you use Istio with Kubernetes (or infrastructure) network policies, pod-to-pod or service-to-service communication is secured at both the network and application layers. Build on Google’s defense-in-depth strategy to secure microservice communications, and when you use Istio in Google Cloud, Google’s infrastructure lets you build a truly secure application deployment.
Secure by default
With little or no application changes, Istio ensures service communications are secured by default and that you can enforce these policies consistently across diverse protocols and runtimes.
Istio’s custom dashboards give you high-level views of your services’ behavior, letting you detect issues quickly and triage them effectively.
Understand service performance
Istio’s monitoring capabilities let you understand how service performance impacts things upstream and downstream, letting you more effectively set, monitor, and enforce SLOs on services.
The metrics you need, when you need them
Get uniform metrics and traces from any running applications without requiring developers to manually instrument their applications.
Easy rules configuration
Istio lets you configure service-level properties like circuit breakers, timeouts, and retries, and set up common continuous deployment tasks such as canary rollouts, A/B testing, and staged rollouts with %-based traffic splits.
Steer content where you want it
You specify the rules you want traffic to follow, letting you route traffic to service versions independent of the number of instances supporting that version. For example, you can specify that five percent of all traffic goes to a particular canary version, or route traffic to a specific version based on the request’s content.
Out-of-box failure recovery
Istio provides robust out-of-box failure recovery, including timeouts, retries with timeout budgets and variable jitter, limits on concurrent connections and requests to upstream services, periodic active health checks on each member of the load balancing pool, and passive health checks such as fine-grained circuit breakers.
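The routing rules and failure-recovery settings described above are expressed as Istio configuration objects. The following is an added example, not configuration from the original page or from the Istio project; it assumes a hypothetical `reviews` service in the `default` namespace whose pods carry a `version: v1` or `version: v2` label, and it uses the current `networking.istio.io` API (field names such as `LEAST_REQUEST` and `consecutive5xxErrors` differ in older Istio releases). The DestinationRule names the two versions as subsets, picks the least-request load-balancing mode, caps connections and pending requests to the upstream, and ejects hosts that keep returning 5xx (the passive health check the text calls a circuit breaker). The VirtualService sends requests carrying a test header to the canary, splits everything else 95/5, and bounds retries with a per-try timeout inside an overall budget:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews.default.svc.cluster.local   # hypothetical service (assumption)
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST                  # weighted least request mode
    connectionPool:
      tcp:
        maxConnections: 100                  # limit concurrent connections to the upstream
      http:
        http1MaxPendingRequests: 50          # queue depth before requests are rejected
        http2MaxRequests: 200                # limit concurrent requests to the upstream
        maxRequestsPerConnection: 10
    outlierDetection:                        # passive health check / circuit breaker
      consecutive5xxErrors: 5                # eject a host after 5 consecutive 5xx responses
      interval: 10s                          # how often ejection analysis runs
      baseEjectionTime: 30s                  # minimum time a host stays ejected
      maxEjectionPercent: 50                 # never eject more than half the pool
  subsets:
  - name: stable
    labels:
      version: v1
  - name: canary
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews.default.svc.cluster.local
  http:
  # Content-based rule: requests from internal testers go straight to the canary.
  - match:
    - headers:
        x-canary-user:
          exact: "true"
    route:
    - destination:
        host: reviews.default.svc.cluster.local
        subset: canary
  # Default rule: 5 percent of all remaining traffic goes to the canary,
  # regardless of how many pods back each subset.
  - route:
    - destination:
        host: reviews.default.svc.cluster.local
        subset: stable
      weight: 95
    - destination:
        host: reviews.default.svc.cluster.local
        subset: canary
      weight: 5
    timeout: 5s                              # overall budget for the request including retries
    retries:
      attempts: 3
      perTryTimeout: 1s                      # each attempt gets at most 1s of the 5s budget
      retryOn: 5xx,reset,connect-failure     # Envoy retry conditions
```

Apply both objects with `kubectl apply -f`. The weights act on the traffic share, not on pod counts, so the canary receives 5 percent whether it runs one replica or ten; the header match is evaluated first because Istio tries `http` rules in order and uses the first one that matches.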
Strong service authentication
Istio Auth ensures that services with sensitive data can only be accessed from strongly authenticated and authorized clients.
Istio’s authentication policy configures the server side for platform authentication but does not enforce the policy on the client side; it lets you specify authentication requirements for services.
Role-based access control (RBAC)
Istio RBAC provides namespace-level, service-level, and method-level access control for services in the Istio Mesh. It includes easy-to-use role-based semantics, service-to-service and end-user-to-service authorization, and provides flexibility with custom properties support in roles and role-bindings.
Mutual TLS authentication
Istio’s key management system automates key and certificate generation, distribution, rotation, and revocation.
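The strong service authentication, RBAC, and mutual TLS sections above all come together in a few policy objects. The following is an added example, not configuration from the original page or from the Istio project; it uses the current `security.istio.io` API rather than the Mixer-era `ServiceRole`/`ServiceRoleBinding` objects the page's RBAC description refers to, and the `payments` namespace, the `ledger` and `checkout` workloads, and the JWT issuer and JWKS URL are all placeholders. The PeerAuthentication requires mutual TLS for every workload in the namespace, so a plaintext caller is rejected by the sidecar before any application code runs. The RequestAuthentication validates end-user JWTs, and the AuthorizationPolicy allows only the `checkout` service account, carrying a valid end-user token, to call the ledger's read and write paths; once an ALLOW policy selects a workload, every request that matches no rule is denied.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments            # placeholder namespace (assumption)
spec:
  mtls:
    mode: STRICT                 # service-to-service: mTLS required, plaintext rejected
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ledger-jwt
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger                # placeholder workload label (assumption)
  jwtRules:
  - issuer: "https://issuer.example.com"            # placeholder issuer
    jwksUri: "https://issuer.example.com/jwks.json" # placeholder JWKS endpoint
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        # service identity from the client's mTLS certificate (SPIFFE-style)
        principals: ["cluster.local/ns/payments/sa/checkout"]
        # end-user identity from the validated JWT, as <issuer>/<subject>;
        # "*" requires a valid token without pinning a specific subject
        requestPrincipals: ["*"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/v1/ledger/*"]
```

A useful check after applying these is a request from a pod whose service account is not `checkout`: with STRICT mTLS in place the sidecar still negotiates TLS, but the AuthorizationPolicy returns `403 RBAC: access denied`, which is visible in the ledger sidecar's access log and distinguishes an authorization failure from a certificate problem.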
Mixer — the Istio component that provides policy controls and telemetry collection — insulates the rest of Istio from the implementation details of individual infrastructure backends.
Mixer gives you fine-grained control over all interactions between the mesh and infrastructure backends.
Mixer lives independently — unlike sidecar proxies that sit next to each service instance in the mesh and have to consume memory frugally — so it can use considerably larger caches and output buffers, acting as a highly scaled and highly available second-level cache for the sidecars.
Mixer is designed to deliver high availability for each individual Mixer instance. Its local caches and buffers reduce latency and also help mask infrastructure backend failures, letting the mesh keep operating even when a backend has become unresponsive.
Decouple traffic management and infrastructure scaling
Decoupling traffic management from infrastructure scaling provides features that live outside the application code, like dynamic request routing for A/B testing, gradual rollouts, and canary releases. It also handles failure recovery using timeouts, retries, and circuit breakers, and provides fault injection to test the compatibility of failure recovery policies across services.
Since misconfigured failure recovery policies can lead to continued unavailability of critical services in an application, end-to-end failure recovery testing is critical. Istio enables protocol-specific fault injection into the network, instead of killing pods or delaying or corrupting packets at the TCP layer.
Istio currently exposes three of the load balancing modes that Envoy supports: round robin (each healthy upstream host is selected in turn), random (a random healthy host is selected), and weighted least request.
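Protocol-specific fault injection, as described above, is configured on a VirtualService rather than by interfering with pods or packets. The following is an added example, not configuration from the original page or from the Istio project; it assumes a hypothetical `ratings` service in the `default` namespace. Faults are scoped to requests carrying an `x-fault-test` header so that ordinary traffic is untouched: one rule injects a fixed 7-second delay into every matching request (long enough to exceed a typical caller timeout and prove that the caller's timeout and retry policy actually trip), and another aborts half of the matching requests with HTTP 503 to exercise circuit breaking and retry budgets. All other requests pass through unchanged.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings-fault-test
  namespace: default
spec:
  hosts:
  - ratings.default.svc.cluster.local   # hypothetical service (assumption)
  http:
  # Latency fault: every request tagged "delay" waits 7s before being forwarded.
  - match:
    - headers:
        x-fault-test:
          exact: "delay"
    fault:
      delay:
        percentage:
          value: 100                    # percent of matching requests to delay
        fixedDelay: 7s
    route:
    - destination:
        host: ratings.default.svc.cluster.local
  # Error fault: half of the requests tagged "abort" get an immediate 503
  # from the sidecar, without the ratings pod ever seeing them.
  - match:
    - headers:
        x-fault-test:
          exact: "abort"
    fault:
      abort:
        percentage:
          value: 50
        httpStatus: 503
    route:
    - destination:
        host: ratings.default.svc.cluster.local
  # Default: untagged traffic is routed normally.
  - route:
    - destination:
        host: ratings.default.svc.cluster.local
```

Because the fault is injected by the client-side sidecar at the HTTP layer, the upstream's own metrics stay clean, and the effect on callers shows up in the mesh telemetry as the same 5xx and timeout signals a real outage would produce, which is what makes it a faithful end-to-end test of the recovery policies.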
Istio on Kubernetes Engine
Install Istio on Kubernetes Engine and deploy an Istio-enabled application.
Istio with Compute Engine
Integrate Compute Engine VMs into an Istio mesh deployed on Kubernetes Engine.
Enterprise Support for Istio
Google Cloud offers Enterprise Support for Istio for on-premise and non-GCP cloud deployments. Support levels vary, providing flexibility of choice. Support offerings feature Google-certified images to test Kubernetes configurations, installation of VMs, maintenance, and more. Additional options include professional services delivered by Google Cloud experts.
Apigee API Management for Istio
Once microservices need to communicate outside with partners or customers, or internally with other groups, they become APIs. Google Cloud offers Apigee API Management for Istio to provide native integration of API management with microservices. With Apigee, organizations can securely manage and monitor APIs whether they reside in the cloud or on premise.