Modern applications are typically architected as distributed collections of microservices, with each collection of microservices performing some discrete business function. This distributed microservices architecture allows multiple teams within large organizations to operate independently of each other and release new versions of their microservices at their own cadence. However, this requires an additional level of supervision to address observability, traffic management, and security use cases for service-to-service communication across these distributed workloads. This can be done by embedding logic directly within the application code of each microservice. Or it can be done in a transparent way using service mesh which deploys sidecars to application pods to achieve the same use cases.
As the deployment of distributed services, such as in a Kubernetes-based system, grows in size and complexity, it can become harder to understand and manage. You may need to implement capabilities such as discovery, load balancing, failure recovery, metrics, and monitoring. A service mesh can also address more complex operational requirements like A/B testing, canary deployments, rate limiting, access control, encryption, and end-to-end authentication.
Istio has been the de facto service mesh of choice in the open-source cloud-native service mesh landscape for most organizations. It was also recently accepted into Cloud Native Computing Foundation as an incubating project.
To address the service mesh requirements of customers, and to align ourselves with the most popular service mesh choice of the cloud-native customers, we are excited to announce a major step forward in Azure’s Kubernetes service mesh space. We introduce the public preview of the Istio add-on for Azure Kubernetes Service!
How is the add-on different from open-source Istio?
This service mesh add-on uses and builds on top of the open-source Istio project. This AKS add-on provides the following extra benefits:
- Istio versions are tested and verified to be compatible with supported versions of Azure Kubernetes Service.
- Microsoft handles scaling and configuration of Istio control plane.
- Microsoft adjusts scaling of AKS components like `CoreDNS` when Istio is enabled.
- Microsoft provides managed lifecycle (upgrades) for Istio components when triggered by user.
- Verified external and internal ingress set-up.
- Verified to work with Azure Monitor managed service for Prometheus and Azure Managed Grafana.
- Official Azure support provided for the add-on.
Get Started and Next Steps
You can get started with Istio-based service mesh add-on for Azure Kubernetes Service using the Azure CLI. Visit this how-to guide for more details.
What’s next on the service mesh roadmap?
Now that the foundational building block of the Istio-based service mesh add-on for AKS is in place, we have a rich roadmap that we will be working on in the coming months:
Lifecycle management of Istio: keeping Istio up-to-date and simultaneously within the supported version matrix of AKS versions can be a challenging task over time. We plan to provide the ability to trigger minor version upgrades for Istio and to choose between in-place or canary upgrades for Istio components (istiod, ingresses, etc.). Later, we plan to provide auto-upgrades and release channels as further enhancements on top of the basic upgrade building blocks.
Mesh CA: the Istio-based service mesh add-on preview currently ships with an in-cluster self-signed certificate authority. We plan to augment and enhance the certificate management experience of the add-on with a Microsoft-managed private certificate authority for issuing certificates for mTLS. With Mesh CA, Microsoft will manage the hosting and availability of the CA.
Multi-cluster mesh: the Istio add-on announcement covers single cluster AKS deployments of Istio. We plan to provide multi-cluster experiences integrated with Azure Kubernetes Fleet Manager to set up Istio in different multi-cluster deployment models, while still providing the same richness of experience.
Observability: we are currently working on the Azure Portal experience for Istio, including the ability to visualize the key metrics for your services such as latency and error rates. These informational views will be augmented by topological traffic visualization views for the mesh. In addition to Azure Monitor managed service for Prometheus that can be used to collect your mesh metrics in a hosted way today, we plan to provide pre-built Istio dashboards in Grafana. We are also planning an integration with Application Insights to provide a hosted storage and querying experience for your mesh-generated traces.
The full roadmap for the service mesh space of Azure Kubernetes ecosystem can be found here. We are excited to see how you will use service mesh. We are also looking forward to hearing more about your scenarios and feature asks!