Istio

An open platform to connect, monitor, and secure microservices.

Overview

Istio is an open source independent service mesh that provides the fundamentals you need to successfully run a distributed microservice architecture. As organizations increasingly adopt cloud platforms, developers have to architect for portability using microservices, while operators have to manage large distributed deployments that span hybrid and multi-cloud deployments. Istio reduces complexity of managing microservice deployments by providing a uniform way to secure, connect, and monitor microservices.

Istio Security

Ease the burden of security, freeing your developers to focus on other critical tasks.

Istio Monitoring

Detect and fix issues quickly and effectively with robust, easy-to-use monitoring.

Istio Connect

Istio simplifies traffic management as your deployment scales.

Securing service communications

Istio scalably manages authentication, authorization, and encryption of communication between microservices. Istio provides the underlying secure communication channel, freeing developers to focus on application level security.

Secure communications

Istio enhances the security of microservices and their communication — both service-to-service and end-user-to-service — without requiring service code changes. It gives each service a strong identity based on its role to enable interoperability across clusters and clouds.

Defense in depth

When you use Istio with Kubernetes (or infrastructure) network policies, pod-to-pod or service-to-service communication is secured at both the network and application layers. Build on Google’s defense-in-depth strategy to secure microservice communications, and when you use Istio in Google Cloud, Google’s infrastructure lets you build a truly secure application deployment.
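The two-layer arrangement described above, as an added example rather than configuration from the page: a Kubernetes NetworkPolicy restricts which pods may open a connection at the network layer, and an Istio AuthorizationPolicy with an empty spec denies every request at the application layer until an explicit allow rule is added. The namespace `shop`, the labels `app: products` and `app: productpage`, and port 9080 are assumed values.

```yaml
# Added example, not from the page. Namespace "shop", the labels app=products /
# app=productpage, and port 9080 are assumed for illustration.

# Layer 1 (network): enforced by the CNI plugin on L3/L4 addressing.
# Only pods labelled app=productpage in the same namespace may reach the
# products pods, and only on TCP 9080. Everything else is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: products-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: products
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: productpage
    ports:
    - protocol: TCP
      port: 9080
---
# Layer 2 (application): enforced by each sidecar on the mTLS identity and the
# HTTP request. An AuthorizationPolicy with an empty spec and no selector makes
# the whole namespace deny-by-default; workloads are then opened up one
# ALLOW rule at a time, so a caller that slips past the network layer (for
# example by carrying a spoofed pod label) is still rejected here.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}
```

The two layers fail differently, which is the point of combining them: NetworkPolicy matches pod labels and IP addresses, which anyone with rights to create pods in the namespace can choose, whereas the sidecar checks a certificate issued to the caller's service account. Apply the deny-all policy first and confirm with a request from an unlisted pod that it receives an HTTP 403 (sidecar) rather than a connection timeout (network layer), which tells you which layer is doing the blocking.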

Secure by default

With little or no application changes, Istio ensures service communications are secured by default and that you can enforce these policies consistently across diverse protocols and runtimes.

Logging, monitoring, and keeping services operational

Istio delivers deep insights into your service mesh deployment through tracing, monitoring, and logging. See how your services are performing, how that performance affects other processes, and detect and triage issues quickly and effectively.

Bird’s-Eye Visibility

Istio’s custom dashboards give you high-level views of your services’ behavior, letting you detect issues quickly and triage them effectively.

Understand service performance

Istio’s monitoring capabilities let you understand how service performance impacts things upstream and downstream, letting you more effectively set, monitor, and enforce SLOs on services.

The metrics you need, when you need them

Get uniform metrics and traces from any running applications without requiring developers to manually instrument their applications.

Traffic management and policy control

Istio traffic management lets you control the flow of traffic and API calls between services and gives you better visibility into your traffic, helping you catch issues before they cause problems. This makes calls more reliable, and makes your network more robust, even in the face of adverse conditions.

Easy rules configuration

Istio lets you configure service-level properties like circuit breakers, timeouts, and retries, and set up common continuous deployment tasks such as canary rollouts, A/B testing, and staged rollouts with %-based traffic splits.

Steer content where you want it

You specify the rules you want traffic to follow, letting you route traffic to service versions independent of the number of instances supporting that version. For example, you can specify that five percent of all traffic goes to a particular canary version, or route traffic to a specific version based on the request’s content.
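The routing rules described in the two passages above, as an added example that is not configuration from the page: a DestinationRule names two versions of a service as subsets, and a VirtualService sends requests that carry a beta header to the new version, splits all remaining traffic 95/5 regardless of how many pods back each version, and attaches the timeout and retry settings mentioned earlier. The host `reviews`, subsets `v1` and `v2`, namespace `shop` and header `x-beta-user` are assumed values.

```yaml
# Added example, not from the page. Host "reviews", subsets v1/v2, namespace
# "shop" and the header x-beta-user are assumed for illustration.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: shop
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1        # pods labelled version=v1, however many there are
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: shop
spec:
  hosts:
  - reviews
  http:
  # Rules are evaluated top to bottom; the first match wins.
  # Rule 1: content-based routing. Requests with x-beta-user: "true" go to v2.
  - match:
    - headers:
        x-beta-user:
          exact: "true"
    route:
    - destination:
        host: reviews
        subset: v2
  # Rule 2: everything else is split by weight, independent of pod counts.
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 95
    - destination:
        host: reviews
        subset: v2
      weight: 5
    # Per-request budget: three attempts of at most 1s each, all within 3s total,
    # retried only on conditions that are safe to retry.
    timeout: 3s
    retries:
      attempts: 3
      perTryTimeout: 1s
      retryOn: 5xx,reset,connect-failure
```

Because the weights are expressed as a percentage of requests rather than a count of pods, the canary can run as a single replica while receiving exactly 5% of traffic, and the split is changed by editing one number rather than by rescaling deployments. Keep `retryOn` limited to idempotent failure classes; retrying every error on a non-idempotent POST amplifies load on an already struggling upstream.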

Out-of-box failure recovery

Robust out-of-the-box failure recovery includes timeouts, retries with timeout budgets and variable jitter, limits on concurrent connections and requests to upstream services, periodic active health checks on each member of the load balancing pool, and passive health checks such as fine-grained circuit breakers.

Istio security features

Strong service authentication

Istio Auth ensures that services with sensitive data can only be accessed from strongly authenticated and authorized clients.

Authentication policy

Istio’s authentication policy configures the server side for platform authentication and lets you specify authentication requirements for services, but it does not enforce the policy on the client side.

Role-based access control (RBAC)

Istio RBAC provides namespace-level, service-level, and method-level access control for services in the Istio Mesh. It includes easy-to-use role-based semantics, service-to-service and end-user-to-service authorization, and provides flexibility with custom properties support in roles and role-bindings.
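The page describes Istio RBAC in terms of roles and role-bindings, the ServiceRole/ServiceRoleBinding model of early Istio releases; current releases express the same service-level, method-level, service-to-service and end-user-to-service rules in a single AuthorizationPolicy resource. The following is an added example, not configuration from the page, using that current resource. The namespace `shop`, the label `app: products`, the service account `productpage`, the JWT issuer `https://issuer.example.com` and the claim `groups` are assumed values.

```yaml
# Added example, not from the page. Namespace "shop", label app=products,
# service account "productpage", the JWT issuer and the "groups" claim are
# assumed for illustration.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: products-viewer
  namespace: shop
spec:
  selector:
    matchLabels:
      app: products            # service-level scope: only the products workload
  action: ALLOW                # once any ALLOW policy selects a workload,
  rules:                       # requests matching no rule are denied
  # Service-to-service: the productpage service account (its mTLS certificate
  # identity) may read the catalogue, and only read it (method-level control).
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/productpage"]
    to:
    - operation:
        methods: ["GET", "HEAD"]
        paths: ["/products", "/products/*"]
  # End-user-to-service: a validated JWT from the assumed issuer may also write,
  # but only when a custom property (the token's groups claim) says so.
  - from:
    - source:
        requestPrincipals: ["https://issuer.example.com/*"]
    to:
    - operation:
        methods: ["POST", "PUT", "DELETE"]
        paths: ["/products/*"]
    when:
    - key: request.auth.claims[groups]
      values: ["catalog-admins"]
```

The `principals` entry is matched against the SPIFFE identity in the caller's client certificate, so it only means anything when mutual TLS is in force between the workloads; the `requestPrincipals` entry requires a RequestAuthentication resource that tells the sidecar where to fetch the issuer's signing keys, otherwise no JWT is ever validated and the second rule never matches. A useful check after applying the policy is that a plain `curl` from a pod running under a different service account gets `RBAC: access denied` with HTTP 403.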

Mutual TLS authentication

Istio enhances the security of microservices and their communication — both service-to-service and end-user-to-service — without requiring service code changes. It gives each service a strong, role-based identity to enable interoperability across clusters and clouds.
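The server-side and client-side halves of mutual TLS that the authentication policy passage distinguishes, as an added example that is not configuration from the page: a mesh-wide PeerAuthentication in STRICT mode, the weaker PERMISSIVE setting shown beside it scoped to a single workload, and a DestinationRule that makes callers originate Istio mTLS explicitly. The root namespace `istio-system`, the namespace `shop`, the label `app: legacy-db` and the host `products.shop.svc.cluster.local` are assumed values.

```yaml
# Added example, not from the page. The root namespace istio-system, namespace
# "shop", label app=legacy-db and host products.shop.svc.cluster.local are assumed.

# Mesh-wide default (a PeerAuthentication named "default" in the root namespace):
# sidecars accept only mTLS from other sidecars. Plaintext is refused.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Weak setting for comparison. PERMISSIVE also accepts plaintext, so anything
# that can reach the pod over the network can talk to it unauthenticated, and
# AuthorizationPolicy rules keyed on "principals" will not match such callers.
# Scope it to the one workload still being migrated, and remove it afterwards.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-db-migration
  namespace: shop
spec:
  selector:
    matchLabels:
      app: legacy-db
  mtls:
    mode: PERMISSIVE
---
# Client side. The server-side policy above does not by itself make callers
# present a certificate; this DestinationRule tells the calling sidecars to
# originate Istio mTLS (using the Citadel-issued workload certificate) toward
# the products service.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: products-mtls
  namespace: shop
spec:
  host: products.shop.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Newer Istio releases enable automatic mTLS, so the DestinationRule is usually only needed when a trafficPolicy with other TLS settings would otherwise override it; the STRICT/PERMISSIVE distinction is the part that matters in every release. A quick verification is to exec into a pod that has no sidecar and attempt a plaintext request to a STRICT workload: the connection must be reset, not answered.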

Key management

Istio’s key management system automates key and certificate generation, distribution, rotation, and revocation.

Istio monitoring features

Backend abstraction

Mixer — the Istio component that provides policy controls and telemetry collection — insulates the rest of Istio from the implementation details of individual infrastructure backends.

Intermediation

Mixer gives you fine-grained control over all interactions between the mesh and infrastructure backends.

Low latency

Mixer lives independently — unlike sidecar proxies that sit next to each service instance in the mesh and have to consume memory frugally — so it can use considerably larger caches and output buffers, acting as a highly scaled and highly available second-level cache for the sidecars.

High reliability

Mixer is designed to deliver high availability for each individual Mixer instance. Its local caches and buffers reduce latency and also help mask infrastructure backend failures, letting the mesh keep operating even when a backend has become unresponsive.

Istio connect features

Decouple traffic management and infrastructure scaling

Decoupling traffic management from infrastructure scaling provides features that live outside the application code, such as dynamic request routing for A/B testing, gradual rollouts, and canary releases. It also handles failure recovery using timeouts, retries, and circuit breakers, and offers fault injection to test the compatibility of failure recovery policies across services.

Fault injection

Since misconfigured failure recovery policies can lead to continued unavailability of critical services in an application, end-to-end failure recovery testing is critical. Istio enables protocol-specific fault injection into the network instead of killing pods or delaying or corrupting packets at the TCP layer.
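Protocol-level fault injection as the passage describes it, as an added example and not configuration from the page: the VirtualService delays or aborts HTTP requests at the sidecar, but only for requests carrying a test header, so ordinary traffic is untouched while the callers' timeouts and circuit breakers are exercised. The host `ratings`, subset `v1`, namespace `shop` and header `x-chaos-test` are assumed values.

```yaml
# Added example, not from the page. Host "ratings", subset v1, namespace "shop"
# and the header x-chaos-test are assumed for illustration.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ratings
  namespace: shop
spec:
  hosts:
  - ratings
  http:
  # Test case 1: every request tagged "delay" is held for 7s before being
  # forwarded. Pick a delay longer than the callers' configured timeout so
  # you can confirm they time out and degrade gracefully instead of hanging.
  - match:
    - headers:
        x-chaos-test:
          exact: "delay"
    fault:
      delay:
        percentage:
          value: 100.0
        fixedDelay: 7s
    route:
    - destination:
        host: ratings
        subset: v1
  # Test case 2: half of the requests tagged "abort" get an HTTP 503 from the
  # sidecar without ever reaching the pod, which exercises retry and
  # circuit-breaker settings on the calling side.
  - match:
    - headers:
        x-chaos-test:
          exact: "abort"
    fault:
      abort:
        percentage:
          value: 50.0
        httpStatus: 503
    route:
    - destination:
        host: ratings
        subset: v1
  # Default rule: untagged traffic is routed normally.
  - route:
    - destination:
        host: ratings
        subset: v1
```

Because the fault is applied by the caller's sidecar on the request path, the ratings pods never see the synthetic failures and no pod is killed or network interface disturbed. The thing to verify is the upstream caller's behaviour under each case: a bounded wait followed by a fallback for the delay, and a retry budget that does not fan out into a storm for the abort.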

Load balancing

Istio currently allows three of the load balancing modes that Envoy supports: round robin (each healthy upstream host is selected in round robin order), random (the random load balancer selects a random healthy host), and weighted least request.
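The connection limits, passive health checks and load balancing mode described under "Out-of-box failure recovery" above and in the load balancing passage just given live together in a DestinationRule's trafficPolicy. The following is an added example, not configuration from the page; the host `products.shop.svc.cluster.local`, namespace `shop` and every numeric limit are assumed values chosen for illustration.

```yaml
# Added example, not from the page. Host products.shop.svc.cluster.local,
# namespace "shop" and all numeric limits are assumed for illustration.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: products-resilience
  namespace: shop
spec:
  host: products.shop.svc.cluster.local
  trafficPolicy:
    # One of the Envoy modes the page lists. LEAST_REQUEST favours the
    # healthy host with the fewest in-flight requests; ROUND_ROBIN and
    # RANDOM are the other two accepted values.
    loadBalancer:
      simple: LEAST_REQUEST
    # Limits on concurrent connections and requests to the upstream. Requests
    # beyond these caps are failed fast by the sidecar rather than queued
    # without bound, which is what keeps one slow dependency from consuming
    # every worker in the caller.
    connectionPool:
      tcp:
        maxConnections: 100
        connectTimeout: 1s
      http:
        http1MaxPendingRequests: 50
        http2MaxRequests: 200
        maxRequestsPerConnection: 10
    # Passive health check / fine-grained circuit breaker: a host that returns
    # five consecutive 5xx responses within a 10s window is ejected from the
    # load balancing pool for 30s, but never more than half the pool at once.
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
```

Outlier detection is the passive check: it reacts to real traffic failing. The periodic active checks the page mentions come from the platform, in Kubernetes from readiness probes that remove a pod from the service endpoints, so both should be configured. `maxEjectionPercent` is the safety valve; without it a shared downstream failure can eject the entire pool and turn a partial outage into a total one.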

Documentation

Istio with Compute Engine

Integrate Compute Engine VMs into an Istio mesh deployed on Kubernetes Engine.

Istio Repository

Help make Istio better by contributing to the OSS codebase.

Resources

Explore tutorials, launch quickstarts, and reviews.

Download the latest Istio release

Istio quickstarts for Kubernetes, Nomad and Consul, and Eureka

See how to set up Istio for Google Cloud Endpoints services

Deploy a sample app to learn more about the Istio service mesh

Stay up to date with the latest Istio features

Detailed info on command-line and configuration options

Integrations

Enterprise Support for Istio

Google Cloud offers Enterprise Support for Istio for on-premise and non-GCP cloud deployments. Support levels vary, providing flexibility of choice. Support offerings feature Google-certified images to test Kubernetes configurations, installation of VMs, maintenance, and more. Additional options include professional services delivered by Google Cloud experts.

Apigee API Management for Istio

Once microservices need to communicate outside with partners or customers, or internally with other groups, they become APIs. Google Cloud offers Apigee API Management for Istio to provide native integration of API management with microservices. With Apigee, organizations can securely manage and monitor APIs whether they reside in the cloud or on premise.