An open platform to connect, monitor, and secure microservices.


Istio is an open source independent service mesh that provides the fundamentals you need to successfully run a distributed microservice architecture. As organizations increasingly adopt cloud platforms, developers have to architect for portability using microservices, while operators have to manage large distributed deployments that span hybrid and multi-cloud environments. Istio reduces the complexity of managing microservice deployments by providing a uniform way to secure, connect, and monitor microservices.

Istio Security

Ease the burden of security, freeing your developers to focus on other critical tasks.

Istio Monitoring

Detect and fix issues quickly and effectively with robust, easy-to-use monitoring.

Istio Connect

Istio simplifies traffic management as your deployment scales.

Because of the increased visibility into our applications, when problems arise, the time taken to resolve them has been significantly reduced. Using Istio on K8 has given us the confidence that we can safely migrate our applications to the public cloud and increase the reliability, stability and performance of our platform.

Russell Warman, Head of Infrastructure, Autotrader

Securing service communications

Istio scalably manages authentication, authorization, and encryption of communication between microservices. Istio provides the underlying secure communication channel, freeing developers to focus on application level security.

Secure communications

Istio enhances the security of microservices and their communication — both service-to-service and end-user-to-service — without requiring service code changes. It gives each service a strong identity based on its role to enable interoperability across clusters and clouds.

Defense in depth

When you use Istio with Kubernetes (or infrastructure) network policies, pod-to-pod or service-to-service communication is secured at both the network and application layers. Build on Google’s defense-in-depth strategy to secure microservice communications, and when you use Istio in Google Cloud, Google’s infrastructure lets you build a truly secure application deployment.

Secure by default

With little or no application changes, Istio ensures service communications are secured by default and that you can enforce these policies consistently across diverse protocols and runtimes.


Logging, monitoring, and keeping services operational

Istio delivers deep insights into your service mesh deployment through tracing, monitoring, and logging. See how your services are performing, how that performance affects other processes, and detect and triage issues quickly and effectively.

Bird’s-Eye Visibility

Istio’s custom dashboards give you high-level views of your services’ behavior, letting you detect issues quickly and triage them effectively.

Understand service performance

Istio’s monitoring capabilities let you understand how service performance impacts things upstream and downstream, letting you more effectively set, monitor, and enforce SLOs on services.


The metrics you need, when you need them

Get uniform metrics and traces from any running applications without requiring developers to manually instrument their applications.

Traffic management and policy control

Istio traffic management lets you control the flow of traffic and API calls between services and gives you better visibility into your traffic, helping you catch issues before they cause problems. This makes calls more reliable, and makes your network more robust, even in the face of adverse conditions.

Easy rules configuration

Istio lets you configure service-level properties like circuit breakers, timeouts, and retries, and set up common continuous deployment tasks such as canary rollouts, A/B testing, and staged rollouts with %-based traffic splits.

Steer content where you want it

You specify the rules you want traffic to follow, letting you route traffic to service versions independent of the number of instances supporting that version. For example, you can specify that five percent of all traffic goes to a particular canary version, or route traffic to a specific version based on the request’s content.

Out-of-box failure recovery

Robust out-of-box failure recovery, including timeouts, retries with timeout budgets and variable jitter, limits on concurrent connections and requests to upstream services, periodic active health checks on each member of the load balancing pool, and passive health checks like fine-grained circuit breakers.

Istio security features

Strong service authentication

Istio Auth ensures that services with sensitive data can only be accessed from strongly authenticated and authorized clients.

Authentication policy

Istio’s configuration policy lets you specify authentication requirements for services. It configures the server side for platform authentication, but doesn’t enforce the policy on the client side.

Role-based access control (RBAC)

Istio RBAC provides namespace-level, service-level, and method-level access control for services in the Istio Mesh. It includes easy-to-use role-based semantics, service-to-service and end-user-to-service authorization, and provides flexibility with custom properties support in roles and role-bindings.

Mutual TLS authentication

Istio enhances the security of microservices and their communication — both service-to-service and end-user-to-service — without requiring service code changes. It gives each service a strong, role-based identity to enable interoperability across clusters and clouds.

Key management

Istio’s key management system automates key and certificate generation, distribution, rotation, and revocation.

Istio monitoring features

Backend abstraction

Mixer — the Istio component that provides policy controls and telemetry collection — insulates the rest of Istio from the implementation details of individual infrastructure backends.


Mixer gives you fine-grained control over all interactions between the mesh and infrastructure backends.

Low latency

Mixer lives independently — unlike sidecar proxies that sit next to each service instance in the mesh and have to consume memory frugally — so it can use considerably larger caches and output buffers, acting as a highly scaled and highly available second-level cache for the sidecars.

High reliability

Mixer is designed to deliver high availability for each individual Mixer instance. Its local caches and buffers reduce latency and also help mask infrastructure backend failures, because Mixer can keep operating even when a backend has become unresponsive.

Istio connect features

Decouple traffic management and infrastructure scaling

Decoupling traffic management from infrastructure scaling provides features that live outside the application code, like dynamic request routing for A/B testing, gradual rollouts, and canary releases. It also handles failure recovery using timeouts, retries, and circuit breakers, and supports fault injection to test the compatibility of failure recovery policies across services.

Fault injection

Since misconfigured failure recovery policies can lead to continued unavailability of critical services in an application, end-to-end failure recovery testing is critical. Istio enables protocol-specific fault injection into the network, instead of killing pods or delaying or corrupting packets at the TCP layer.

Load balancing

Istio currently allows three of the load balancing modes that Envoy supports: round robin (each healthy upstream host is selected in round robin order), random (the random load balancer selects a random healthy host), and weighted least request.

Getting consistent visibility into who runs which microservices has become increasingly challenging with their growing success and broader adoption across workloads. Deploying Istio immediately provides deep visibility and insights into our services in real-time in a uniform manner, regardless of which language our services are built in. This consistent visibility helps us resolve issues quicker and improve the robustness of our services.

Tim Kelton, Co-Founder, Descartes Labs




Apigee API Management for Istio

Just as organizations need services management for microservices, they need API management for their APIs. Apigee API management platform complements Istio by extending API management natively into the microservices stack.