Documentation for Anthos Service Mesh 1.7.

What is Anthos Service Mesh?

Anthos Service Mesh is a suite of tools that helps you monitor and manage a reliable service mesh on-premises or on Google Cloud.

What is a service mesh?

A service mesh is an infrastructure layer that enables managed, observable, and secure communication across your services, letting you create robust enterprise applications made up of many microservices on your chosen infrastructure. Service meshes factor out all the common concerns of running a service such as monitoring, networking, and security, with consistent, powerful tools, making it easier for service developers and operators to focus on creating and managing great applications for their users.

Anthos Service Mesh is powered by Istio, a highly configurable and powerful open source service mesh platform, with tools and features that enable industry best practices. Anthos Service Mesh is deployed as a uniform layer across your entire infrastructure. Service developers and operators can use its rich feature set without making a single change to application code.

To find out more about Istio and how to use it, see the Istio documentation.

How can Anthos Service Mesh help me?

With Anthos Service Mesh, you get an Anthos-tested and -supported distribution of Istio, letting you create and deploy a service mesh on Google Cloud or on Anthos clusters on VMware with full Google support. We also provide a configuration profile with recommended settings for using Anthos Service Mesh on Google Kubernetes Engine (GKE), and another profile designed for Anthos clusters on VMware.

To learn about the service mesh features we support, see Supported features.

Managed components

Anthos Service Mesh has a suite of additional features and tools that help you observe and manage secure, reliable services in a unified way.

Note: Managed components, including Anthos Service Mesh pages in Cloud Console, aren't supported on Anthos clusters on VMware, Anthos clusters on AWS, Amazon Elastic Kubernetes Service (Amazon EKS), or Microsoft Azure Kubernetes Service (Microsoft AKS).

Observability features

The Anthos Service Mesh pages in the Google Cloud Console provide the following insights into your service mesh:

  • Service metrics and logs for HTTP traffic within your mesh's GKE cluster are automatically ingested to Google Cloud.

  • Preconfigured service dashboards give you the information you need to understand your services.

  • In-depth telemetry lets you dig deep into your metrics and logs, filtering and slicing your data on a wide variety of attributes.

  • Service-to-service relationships at a glance help you understand who connects to each service and the services that each service depends on.

  • You can quickly see the communication security posture not only of your service, but also of its relationships to other services.

  • Cloud Monitoring lets you dig deeper into your service metrics and combine them with other metrics.

  • Service level objectives (SLOs) give you insight into the health of your services. You can easily define an SLO and alert on your own standards of service health.

Security benefits

  • Mitigates risk of replay or impersonation attacks that use stolen credentials. Anthos Service Mesh relies on mutual TLS (mTLS) certificates to authenticate peers, rather than bearer tokens such as JSON Web Tokens (JWT).

  • Ensures encryption in transit. Using mTLS for authentication also ensures that all TCP communications are encrypted in transit.

  • Ensures that only authorized clients can access a service with sensitive data, irrespective of the network location of the client and the application-level credentials.

  • Mitigates the risk of user data breach within your production network. You can ensure that insiders can only access sensitive data through authorized clients.

  • Identifies which clients accessed a service with sensitive data. Anthos Service Mesh access logging captures the mTLS identity of the client in addition to the IP address.

  • All in-cluster control plane components and proxies use FIPS 140-2 validated encryption modules.
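
As an added example, not taken from the Anthos Service Mesh documentation or from Google's own code, the following Istio security resources (Anthos Service Mesh is powered by Istio) express the mTLS and authorization benefits listed above; the `payments` and `frontend` namespaces, the `frontend` service account, the `app: accounts` label and the `/api/accounts/*` path are assumed names.

```yaml
# Added example (not from the Anthos Service Mesh docs). Namespace, service
# account, label and path names are hypothetical.
---
# 1. Require mTLS for every workload in the namespace: the sidecar rejects
#    plaintext and authenticates peers by certificate, not by bearer token.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments          # hypothetical namespace holding sensitive data
spec:
  mtls:
    mode: STRICT
---
# 2. Deny everything in the namespace by default. An AuthorizationPolicy
#    with an empty spec matches no request, so all traffic is rejected
#    unless a more specific ALLOW policy admits it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# 3. Allow only the frontend's mTLS identity (the SPIFFE principal derived
#    from its Kubernetes service account) to read account data. The decision
#    keys on the peer certificate, not on the client's IP or network location.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: accounts-allow-frontend
  namespace: payments
spec:
  selector:
    matchLabels:
      app: accounts            # hypothetical label of the sensitive workload
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/frontend/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/accounts/*"]
```

Because the allow rule keys on the principal in the client's certificate, a caller presenting a stolen bearer token or connecting from an address inside the production network is still rejected by the sidecar, and the rejected request's access log carries that caller's mTLS identity alongside its IP address.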

What's next?