Istio is a service mesh: a collection of tools, frameworks and packages that helps us manage micro-services in a more sophisticated way. It is a widely used service mesh platform that identifies the amount of traffic coming into a particular micro-service and controls the traffic flow between micro-services.
Istio is not a replacement for Kubernetes; it is an extra layer of software that is deployed along with a Kubernetes cluster.
Istio provides visibility into, and control over, the network connections between containers in a micro-service cluster. Every request must go through the Istio service mesh control plane, so Istio can perform operations on the request by checking its header information before it is routed to the required micro-service. Istio injects its own component, called a proxy, into each micro-service; the proxy sets up communication between the micro-service and the Istio control plane.
Istio provides telemetry features, which means gathering metrics from individual network requests to check the health of the cluster. Istio traces each request so that it gets the chain of a particular request and has control over it.
Istio also implements security under traffic management, which allows us to re-route requests depending on our requirements.
Istio Service Mesh Architecture
- Envoy proxy is deployed as a sidecar container in each micro-service and it makes up the Istio data plane.
- Pilot is an orchestration tool that instructs what needs to be done with running micro-services, and it is a part of the Istio control plane.
- Mixer is a part of the Istio control plane and is used for access control checks and telemetry operations. This component manages scalability, resource usage, reliability and isolation.
- Auth helps with certification, authentication and authorization of processes requesting a micro-service application, and it is a part of the control plane.

Introducing the Envoy proxy into micro-services gives monitoring and refined activity controls; we can use the Kiali web interface for monitoring and tracing.
If you want to use Istio, you first need to install it on a Kubernetes cluster; you then get all of the above components. A request arrives through ingress directly at the Envoy proxy running in each micro-service; the Envoy proxy communicates with the application container and sends the response back through egress.
Istio runs on every platform and eases the deployment process, which helps the development and production teams.
Where is Istio Service Mesh useful?
Services
As the number of micro-services increases in the cluster it becomes difficult to monitor and control the micro-services. Istio gives you the ability to monitor the running micro-services and you can also check the health status of each micro-service.
It is also easy to detect and replace faulty services using istio.

Reliability
Istio also provides a telemetry service which tells you how much time it takes to process requests, how many resources are used, what the response rate is and how often resources are used. This helps developers to spot and resolve issues.
Authenticating Traffic
Istio provides a security system that can be used to restrict access; this is accomplished by deploying a sidecar proxy in each micro-service.
Protected communication
Istio provides a secure universal service identification system, and an organization can use mutual TLS for service-to-service communications. We can use TLS or JSON Web Tokens for authentication.
Measures for Drastic Times
The Istio service mesh can inject fault tolerance procedures into running micro-services.
Features
Traffic management
Istio controls the flow of traffic entering the micro-service cluster. Istio also provides canary and rolling deployments. You can move traffic from one version of a micro-service to another, or test a new version of a service with a small amount of traffic.
Security
Istio frees developers to provide security at the application level. Istio provides the secure communication channel, and manages authentication, authorization, and encryption of service communication at scale. Using Istio, service communications are secured by default without making any changes in the application level.
Istio with Kubernetes offers further advantages for securing pod-to-pod communications.
Monitoring
You can use Prometheus, Grafana or the Kiali web interface to get insights into the Istio service mesh. Istio has different services for monitoring, tracing and logging. You can check the health status of each micro-service using custom dashboards.
Platform support
Istio mainly supports service deployments on kubernetes.
How to deploy it on Google cloud
1. Create a new project on google cloud and click on cloud shell.
2. Once connected to Cloud Shell, you are already authenticated; check that the project is set to your PROJECT_ID.
3. Run the following command in Cloud Shell to see your authenticated account details:
>> gcloud auth list
4. Check the PROJECT_ID using command:
>> echo $GOOGLE_CLOUD_PROJECT
5. If the project is not set, run the following commands:
>> gcloud config set project <project_id>
>> gcloud config set compute/zone us-central1-f
6. Create a Kubernetes (GKE) cluster with Istio. Start by enabling the Kubernetes Engine API:
>> gcloud services enable container.googleapis.com
Select a region for your cluster:
>> gcloud compute regions list
Set your region:
>> REGION=us-central1
Run the command below:
>> gcloud beta container clusters create hello-istio --project=ace-study-276206 \
--addons=Istio --istio-config=auth=MTLS_STRICT \
--cluster-version=1.14.10-gke.27 \
--machine-type=n1-standard-2 \
--num-nodes=2 \
--region=us-central1
After a few minutes the cluster will be visible in the Kubernetes Engine section of the Google Cloud Platform console.
7. Verify that the installation completed successfully. Run the command below:
>> kubectl get svc -n istio-system
You should see istio-pilot, istio gateways and telemetry running.
Next, make sure that the Kubernetes pods are up and running:
>> kubectl get pods -n istio-system
8. Deploy an application. To deploy the sample Bookinfo application, run the command below:
>> curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.0.0 sh -
Enable istio-injection:
>> kubectl label namespace default istio-injection=enabled
You can verify that the label was successfully applied:
>> kubectl get namespace -L istio-injection
Next, deploy the services to the default namespace:
>> kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
Next, create a gateway and virtual service to allow ingress traffic to reach the mesh:
>> kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
>> kubectl get services
>> kubectl get pods
9. Accessing the application:
First get the external IP address:
>> kubectl get svc istio-ingressgateway -n istio-system
>> export GATEWAY_URL=<gateway ip>
To access the application, hit the URL: http://<your gateway IP>/productpage
>> kubectl get pods -n istio-system
Check that all services are up and running.
10. Kiali web Interface
Install Kiali on Google Cloud. Kiali is a web interface for monitoring and tracing micro-services. Click on the Service & Ingress menu. You can see that the Kiali service is running by clicking on it.

Click on kiali.
Now you will see the service details and its port number.

Next, click on port forwarding and run the command given in the console.
Ex:
gcloud container clusters get-credentials hello-istio \
--region us-central1 --project ace-study-276206 \
&& kubectl port-forward --namespace istio-system \
$(kubectl get pod --namespace istio-system --selector="app=kiali" \
--output jsonpath='{.items[0].metadata.name}') 8080:20001
Next, click on web preview; you will get the Kiali login page.

Enter username and password and click on login.

Here you can change the graph settings, the traffic animation and the refresh time. You can see from the above image that the traffic is divided between the v1 and v3 versions of the reviews service. If you want to move all traffic to the v1 version of the reviews service, add the code below:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
Run the command below:
>> kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml
Now you can see:

In the same way you can manage your traffic coming towards each service without interrupting the services.
You can also manage traffic on the basis of request header information:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v3
If the end-user request header is exactly "jason", the traffic is routed to the v2 version of reviews; otherwise it goes to the v3 version.
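How a request is matched against the header-based VirtualService above can be traced with a small model. The following Python is an added example, not part of the original article or of Istio itself; the names select_subset and shadowed_rules are hypothetical, and the model covers only exact header matches and the first destination of each rule.

```python
# Added illustration: a simplified model of VirtualService HTTP route selection.
# It covers only "headers" with "exact" matches and one destination per rule.

# The page's header-based rules, transcribed from the YAML above as a Python list.
REVIEWS_HTTP = [
    {"match": [{"headers": {"end-user": {"exact": "jason"}}}],
     "route": [{"destination": {"host": "reviews", "subset": "v2"}}]},
    {"route": [{"destination": {"host": "reviews", "subset": "v3"}}]},
]


def _block_matches(block, headers):
    """All header conditions inside one match block must hold (AND)."""
    for name, cond in block.get("headers", {}).items():
        # Header names compare case-insensitively; "exact" values do not.
        if headers.get(name.lower()) != cond["exact"]:
            return False
    return True


def select_subset(http_rules, request_headers):
    """Return the subset chosen for a request: the first matching rule wins."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    for rule in http_rules:
        blocks = rule.get("match")
        # A rule without a match section is a catch-all; match blocks are OR-ed.
        if not blocks or any(_block_matches(b, headers) for b in blocks):
            return rule["route"][0]["destination"]["subset"]
    return None  # no rule matched


def shadowed_rules(http_rules):
    """Indexes of rules that are unreachable because a catch-all precedes them."""
    shadowed, seen_catch_all = [], False
    for i, rule in enumerate(http_rules):
        if seen_catch_all:
            shadowed.append(i)
        if not rule.get("match"):
            seen_catch_all = True
    return shadowed


if __name__ == "__main__":
    print(select_subset(REVIEWS_HTTP, {"End-User": "jason"}))  # v2
    print(select_subset(REVIEWS_HTTP, {"end-user": "Jason"}))  # v3
    print(shadowed_rules(list(reversed(REVIEWS_HTTP))))        # [1]
```

Listing the catch-all route first would leave the end-user rule unreachable, which is why the rule order in the manifest matters.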