Version 1.11

About Anthos Service Mesh

Anthos Service Mesh is a suite of tools that helps you monitor and manage a reliable service mesh on-premises or on Google Cloud.

What is a service mesh?

A service mesh is an architecture that enables managed, observable, and secure communication across your services, letting you create robust enterprise applications made up of many microservices on your chosen infrastructure. Service meshes factor out all the common concerns of running a service such as monitoring, networking, and security, with consistent, powerful tools, making it easier for service developers and operators to focus on creating and managing great applications for their users.

Anthos Service Mesh is powered by Istio, a highly configurable and powerful open source service mesh platform, with tools and features that enable industry best practices. Anthos Service Mesh is deployed as a uniform layer across your entire infrastructure. Service developers and operators can use its rich feature set without making changes to application code.

Architecturally, a service mesh consists of one or more control planes and a data plane. The service mesh monitors all traffic through a proxy. On Kubernetes, the proxy is deployed by a sidecar pattern to the microservices in the mesh. On Virtual Machines (VMs), the proxy is installed on the VM. This pattern decouples application or business logic from network functions, and enables developers to focus on the features that the business needs. Service meshes also let operations teams and development teams decouple their work from one another.

How can Anthos Service Mesh help me?

With Anthos Service Mesh, you get an Anthos tested and supported distribution of Istio, letting you create and deploy a service mesh on GKE on Google Cloud and other platforms with full Google support.

Features

Anthos Service Mesh has a suite of features and tools that help you observe and manage secure, reliable services in a unified way.

Note: Some features, including Anthos Service Mesh pages in Cloud Console, are only available on GKE on Google Cloud. To learn about the service mesh features supported on each platform, see Supported features.

Traffic management

Anthos Service Mesh controls the flow of traffic between services, into the mesh (ingress), and to outside services (egress). You configure and deploy Istio-compatible custom resources to manage this traffic at the application (L7) layer. For example, with the custom resources, you can:

Anthos Service Mesh maintains a service registry of all services in the mesh, indexed by name and by their respective endpoints (for example, Kubernetes Pod IP addresses), and uses that registry to manage the flow of traffic. Because the proxies run side-by-side with the services and consult this registry, the mesh can direct traffic to the appropriate endpoint.
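The following manifests are an added illustration of the L7 traffic-management resources described above; they are not taken from this page or from Google's documentation. The namespace `payments`, the service `ledger` and its `version: v1`/`version: v2` Pod labels are assumed names. A DestinationRule defines two subsets of the service from the registry, and a VirtualService routes requests carrying a constructed `x-canary` header to v2, sends 10% of remaining traffic to v2, and bounds every call with a timeout and a retry budget so a slow or failing endpoint cannot hold client connections open indefinitely.

```yaml
# Added example (not from the original page). Names below are assumed.
# Subsets map the mesh's view of the "ledger" service onto Pod labels.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: ledger
  namespace: payments
spec:
  host: ledger.payments.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# The VirtualService is evaluated by the sidecar proxy of every caller,
# so no application code changes are needed to get this behaviour.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ledger
  namespace: payments
spec:
  hosts:
  - ledger.payments.svc.cluster.local
  http:
  # Rule 1: explicit canary requests (constructed header) always go to v2.
  - match:
    - headers:
        x-canary:
          exact: "true"
    route:
    - destination:
        host: ledger.payments.svc.cluster.local
        subset: v2
  # Rule 2: everything else is split 90/10 between v1 and v2.
  - route:
    - destination:
        host: ledger.payments.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: ledger.payments.svc.cluster.local
        subset: v2
      weight: 10
    # Fail fast: cap the whole request and each retry attempt.
    timeout: 10s
    retries:
      attempts: 3
      perTryTimeout: 2s
```

Apply both resources with `kubectl apply -f` in a namespace whose Pods carry the sidecar proxy. The weights and the canary header are the knobs you would tune during a rollout; the timeout and retry settings are the part worth keeping permanently, because they convert a degraded backend into a bounded, observable error rather than a cascading stall.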

Observability insights

The Anthos Service Mesh pages in the Google Cloud Console provide the following insights into your service mesh:

  • Service metrics and logs for HTTP traffic within your mesh's GKE cluster are automatically ingested into Google Cloud.

  • Preconfigured service dashboards give you the information you need to understand your services.

  • In-depth telemetry—powered by Cloud Monitoring, Cloud Logging, and Cloud Trace—lets you dig deep into your service metrics and logs. You can filter and slice your data on a wide variety of attributes.

  • Service-to-service relationships at a glance help you understand who connects to each service and the services that each service depends on.

  • You can quickly see the communication security posture not only of your service, but also of its relationships to other services.

  • Service level objectives (SLOs) give you insight into the health of your services. You can easily define an SLO and alert on your own standards of service health.

Learn more about Anthos Service Mesh's observability features in our Observability guide.

Security benefits

  • Mitigates risk of replay or impersonation attacks that use stolen credentials. Anthos Service Mesh relies on mutual TLS (mTLS) certificates to authenticate peers, rather than bearer tokens such as JSON Web Tokens (JWT).

  • Ensures encryption in transit. Using mTLS for authentication also ensures that all TCP communications are encrypted in transit.

  • Ensures that only authorized clients can access a service with sensitive data, irrespective of the network location of the client and the application-level credentials.

  • Mitigates the risk of user data breach within your production network. You can ensure that insiders can only access sensitive data through authorized clients.

  • Identifies which clients accessed a service with sensitive data. Anthos Service Mesh access logging captures the mTLS identity of the client in addition to the IP address.

  • All in-cluster control plane components and proxies use FIPS 140-2 validated encryption modules.

Learn more about Anthos Service Mesh's security benefits and features in our Security guide.
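The two manifests below are an added example of how the security benefits listed above are expressed as Istio-compatible custom resources; they are not from this page or from Google's documentation. The namespace `payments`, the workload label `app: ledger` and the service account `checkout` are assumed names, and the trust domain `cluster.local` in the principal is an assumption (a mesh using a different certificate authority has a different trust domain, so check the identity your proxies actually present before copying the principal string). The first resource rejects any plaintext connection to the namespace, so the weak default of accepting both plaintext and mTLS no longer applies; the second allows only the `checkout` workload identity, verified from its mTLS certificate rather than from a bearer token or a source IP, to reach the sensitive paths on `ledger`.

```yaml
# Added example (not from the original page). Names are assumed.
# Weak setting (shown for contrast, do not apply):
#   spec:
#     mtls:
#       mode: PERMISSIVE   # accepts plaintext as well as mTLS
# Hardened setting: every workload in the namespace must present an mTLS cert.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Only the "checkout" service account may call the sensitive ledger API.
# The principal is taken from the client certificate, so a stolen JWT or a
# request from the right subnet is not enough; an unmatched caller gets 403.
# Trust domain "cluster.local" is assumed; substitute your mesh's own.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/v1/transactions*"]
```

Once an ALLOW policy selects a workload, every request that matches no rule is denied, so this single resource is effectively a default-deny for `ledger`. The mTLS identity that the policy checks is the same one the proxy writes to the access log, which is what lets you later answer "which client read this data" with a workload identity instead of an IP address.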

Deployment options

In Anthos Service Mesh 1.10.3 and later, you have the following deployment options:

  • In-cluster control plane
  • Managed Anthos Service Mesh
  • Compute Engine VMs included in the service mesh

In-cluster control plane

The following diagram shows the Anthos Service Mesh components and features for the in-cluster control plane and sidecar proxies.

[Diagram: service mesh architecture with in-cluster control plane]

Managed Anthos Service Mesh

Managed Anthos Service Mesh consists of the Google-managed control plane and, in Anthos Service Mesh 1.10.4 and later, an optional Google-managed data plane. With managed Anthos Service Mesh, Google handles upgrades, scaling, and security for you, minimizing manual maintenance. When you enable the Google-managed data plane, you add an annotation to your namespaces that installs an in-cluster controller, which manages the sidecar proxies for you.

The following diagram shows the Anthos Service Mesh components and features for managed Anthos Service Mesh:

[Diagram: managed Anthos Service Mesh components and features]

For information on setting up or migrating to a managed Anthos Service Mesh, see Configuring managed Anthos Service Mesh.

Anthos Service Mesh for Compute Engine VMs

Anthos Service Mesh for Compute Engine VMs is available as a preview feature. You can manage, observe, and secure services running on both Compute Engine Managed Instance Groups (MIGs) and GKE on Google Cloud clusters in the same mesh. You can choose the best environment for each service while keeping the benefits of Anthos Service Mesh. The following diagram shows a MIG in the same service mesh as a GKE cluster:

[Diagram: service mesh architecture with Compute Engine VMs]

For more information, see Add Compute Engine VMs to Anthos Service Mesh.

What's next?