Migrating from Istio 1.7 or later to Anthos Service Mesh and Mesh CA FAQ

This page describes frequently asked questions and related answers about migrating from Istio 1.7 or later to Anthos Service Mesh and Anthos Service Mesh certificate authority (Mesh CA).

Why should I migrate from Istio to Anthos Service Mesh?

Anthos Service Mesh is Google's managed and supported service mesh product powered by Istio APIs. Anthos Service Mesh is to Istio what Google Kubernetes Engine (GKE) is to Kubernetes. Because Anthos Service Mesh is based on Istio APIs, you can continue to use your Istio configurations when you migrate to Anthos Service Mesh. In addition, there is no proprietary vendor lock-in.

Anthos Service Mesh provides the following benefits:

  • A Google-managed and Google-supported service mesh.
  • Istio APIs with no vendor lock-in.
  • Out-of-the-box telemetry dashboards and SLO management without a requirement to manage additional third-party solutions.
  • Google-hosted certificate authority options.
  • Integration with Google Cloud networking and Identity-Aware Proxy (IAP).
  • Hybrid and multi-cloud platform support.

To learn more about Anthos Service Mesh features and capabilities, see In-cluster control plane supported features.

Anthos Service Mesh with Google-managed control plane lets Google automatically handle upgrades, scaling and security in a backward-compatible manner.

To learn more about Anthos Service Mesh Google-managed control plane features and capabilities, see Google-managed control plane supported features.

Is there any downtime associated with this migration?

The script installs Anthos Service Mesh as a canary control plane alongside your existing Istio control plane. The istio-ingressgateway and any other gateways are upgraded in place by using your custom IstioOperator resource file. You then relabel the Istio-enabled namespaces to start using Anthos Service Mesh with Mesh CA.

Ensure that you have PodDisruptionBudgets properly configured for your applications so that you do not experience any application downtime.
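A pre-migration check for the PodDisruptionBudget advice above, as an added example that is not part of the migration script or of Anthos Service Mesh. It assumes Istio-enabled namespaces carry the `istio-injection=enabled` or `istio.io/rev` label, and it runs on constructed sample objects; all function names are hypothetical.

```python
# Input: the .items list of `kubectl get namespaces,deployments,poddisruptionbudgets -A -o json`.
def meshed_namespaces(items):
    # Namespaces labelled for sidecar injection (istio-injection=enabled or istio.io/rev).
    return {o["metadata"]["name"] for o in items if o["kind"] == "Namespace"
            and (o["metadata"].get("labels", {}).get("istio-injection") == "enabled"
                 or "istio.io/rev" in o["metadata"].get("labels", {}))}

def pdb_selects(pdb, pod_labels):
    # Assumption: only matchLabels is evaluated; PDBs with matchExpressions need manual review.
    sel = pdb["spec"].get("selector", {})
    want = sel.get("matchLabels", {})
    return bool(want) and "matchExpressions" not in sel and all(
        pod_labels.get(k) == v for k, v in want.items())

def blocks_all_evictions(pdb, replicas):
    # Integer budgets that leave no pod eligible for eviction (percentages are not evaluated).
    min_avail = pdb["spec"].get("minAvailable")
    return pdb["spec"].get("maxUnavailable") == 0 or (
        isinstance(min_avail, int) and min_avail >= replicas)

def audit(items):
    # Sorted (namespace, deployment, finding) tuples for Deployments in meshed namespaces.
    meshed = meshed_namespaces(items)
    pdbs = [o for o in items if o["kind"] == "PodDisruptionBudget"]
    findings = []
    for d in (o for o in items if o["kind"] == "Deployment"):
        ns, name = d["metadata"]["namespace"], d["metadata"]["name"]
        if ns not in meshed:
            continue
        labels = d["spec"]["template"]["metadata"].get("labels", {})
        hits = [p for p in pdbs if p["metadata"]["namespace"] == ns and pdb_selects(p, labels)]
        if not hits:
            findings.append((ns, name, "no PodDisruptionBudget selects these pods"))
        elif any(blocks_all_evictions(p, d["spec"].get("replicas", 1)) for p in hits):
            findings.append((ns, name, "PodDisruptionBudget allows zero disruptions"))
    return sorted(findings)

def _obj(kind, name, ns=None, labels=None, **spec):  # builder for the constructed sample
    return {"kind": kind, "metadata": {"name": name, "namespace": ns, "labels": labels or {}}, "spec": spec}
def _deploy(ns, app, n):
    return _obj("Deployment", app, ns, replicas=n, template={"metadata": {"labels": {"app": app}}})
def _pdb(ns, app, min_avail):
    return _obj("PodDisruptionBudget", app + "-pdb", ns, minAvailable=min_avail, selector={"matchLabels": {"app": app}})
SAMPLE = [  # constructed data, not real cluster output
    _obj("Namespace", "shop", labels={"istio-injection": "enabled"}), _obj("Namespace", "batch"),
    _deploy("shop", "cart", 3), _deploy("shop", "checkout", 2), _deploy("shop", "search", 2),
    _deploy("batch", "reports", 1), _pdb("shop", "cart", 2), _pdb("shop", "search", 2)]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, `shop/checkout` is reported because no budget selects it and `shop/search` because its budget of 2 out of 2 replicas permits no eviction; `batch/reports` is skipped because its namespace is not Istio-enabled.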

If applications need to communicate across different namespaces, we recommend that you migrate all dependent applications and workloads at the same time. Applications that use Anthos Service Mesh and applications that are still on Istio cannot communicate with each other (through mTLS) because Istio uses Citadel (with a different root certificate), while Anthos Service Mesh uses the Google-managed Mesh CA service.

Even though you might be able to avoid downtime, we recommend that you perform this migration during a scheduled maintenance window.

Is there any cost associated with migrating to Anthos Service Mesh?

There are two ways to use Anthos Service Mesh on GKE:

After I migrate to Anthos Service Mesh, can I migrate back to Istio?

Yes, there is no commitment to use Anthos Service Mesh. You can uninstall Anthos Service Mesh and reinstall Istio at any time.

If the migration fails, is it possible to roll back?

Yes, the script lets you roll back to your previous Istio version.

Does migrating change my current Istio configurations?

No, your Istio configurations work on Anthos Service Mesh without requiring any changes. No default parameters are changed.

Are there any Istio features that are not supported in Anthos Service Mesh?

Yes, you can learn about Anthos Service Mesh features at In-cluster control plane supported features or Google-managed control plane supported features.

If you are using any Istio features that are not listed, contact the Anthos Service Mesh product team through your Google Cloud account representative.

Why did the tool install an in-cluster control plane?

To migrate to Google-managed control plane, your GKE cluster must be in a supported region and be compatible with Anthos Service Mesh 1.10. For a complete list of limitations, see Google-managed control plane supported features.

Will this migration work with my multi-cluster setup?

The script lets you migrate one cluster at a time to Anthos Service Mesh. If you have a multi-cluster architecture, follow the instructions in the multi-cluster setup documentation.

Anthos Service Mesh supports multi-primary mode for a multi-cluster architecture. This means that you must deploy the Anthos Service Mesh control plane on all clusters participating in a multi-cluster architecture.

Which version of Istio can I migrate by using this script?

You can migrate any Istio version 1.7 through 1.10. The script validates your Istio version during the pre-migration stage, and informs you whether your Istio version can be migrated.

How can I get additional help with this migration?

Our Support TSEs are glad to help. You can open a support case from the Google Cloud console. To learn more, see Managing support cases.
