Managed control plane for continuing customers

This document is for you if you're a continuing Anthos Service Mesh customerusing the managed control plane or in-cluster control plane. This documentdiscusses your control plane implementation and the possible modernization of yourcontrol plane.

If you're a continuing Traffic Director customer or a new customer, you alreadyhave the modernized control plane and don't need to read this document or theothers in this section.

Control plane overview

In service meshes, the control plane provides traffic management, proxymanagement when the Envoy proxy is in use, and other networking capabilities.

Anthos Service Mesh offered two control planes: a managed control plane and anin-cluster control plane. Only Envoy proxies are used as the data plane.

New managed control plane

The new managed control plane is called the Traffic Director (TD)implementation. What does the new control plane mean for you?

One of the most significant changes from the Anthos Service Mesh product toCloud Service Mesh is the move to a multi-tenant, global control plane.

The managed control plane used in Anthos Service Mesh is dedicated to a singlecluster. Although the APIs (Istio CRDs) used for GKE are the same, and the xDSconfiguration sent to the sidecars is compatible with no behavioral differences,the control plane differences result in a few characteristics that arevisible to you, the end user.

• Configuration change response time. New service deployments, or changes toservice policies, take slightly longer with the new control plane.
  • The configuration pipeline performs a two-pass configuration commit forreliability purposes. The first pass performs validations to checkwhether the configuration is well formed. The subsequent phasepropagates the configuration globally to your service deployments. Toenable use of Google Cloud services, such as global cross-zonal or cross-region loadbalancing, centralized health checking, traffic-driven autoscaling, andmanaged rate limiting, the configuration is propagated to these systemsand independently validated for correctness. The configuration is alsostored internally in a manner that allows Google site reliabilityengineering to reliably and efficiently perform product operationsduring any production emergencies.
  • These operations provide better reliability, but they result in a configpush that is slower than the latency observed by current users of AnthosService Mesh.
  • The latency for any new Pod to fetch existing configuration ismeasured to be slightly better with the new control plane. The slowconfiguration push is for the first-time propagation of any new servicecreated or any new policies pushed for the service. Endpoint propagationlatencies are functionally similar.
• Speed of scaling events and other changes to the endpoints. These arehandled at least as quickly with the new control plane. These eventsinclude new Pods starting or stopping because of horizontal Pod autoscaling,and Pods restarting with new IP addresses because they were moved to a differentnode in the cluster.
• Scaling the number of endpoints. With the new global control plane, theendpoints of the mesh are sent directly from each cluster to the controlplane from across all clusters in the mesh. This is a simpler, faster, andmore scalable approach than the previous managed control plane uses. Inolder managed control plane (dedicated control plane) model, each Istiod mustcommunicate with every other cluster in the mesh to determine the endpointsavailable in every other cluster. With the global control plane, theendpoints are propagated directly to the global control plane. This resultsin better reliability and performance in meshes with large numbers ofendpoints and allows the meshes to scale to a larger number of endpoints.

How does the new control plane affect you?

How the new control plane affects you depends on the APIs and control plane thatyou are using.

• If you are a Traffic Director user, your control plane remains the same. Youdon't need to read the rest of this guide. Documentation for yourCloud Service Mesh implementation is underConfigure withGoogle Cloud APIs.
• If you are an Anthos Service Mesh user, the next steps for the control planein your existing deployment depend on whether you use the managed controlplane or the in-cluster control plane.
  • If you use the managed control plane, with some exceptions your existingfleets will be migrated to the new control plane, referred to in theCloud Service Mesh as managed control plane (Traffic Director,or TD, implementation). Read the following section,Control planemodernization for existing meshes and fleets. Ifyou are using a feature that isn't supported by the Traffic Directorcontrol plane implementation, you remain temporarily on the previouscontrol plane. You should continue reading this guide.
  • If you use the in-cluster control plane, your control plane remains thesame. You don't need to read the rest of this guide.
  • If you don't have a Google Cloud Organization, and you use themanaged control plane on an organization-less project, you will receivethe TD control plane.
• If you are an Anthos Service Mesh customer and you are creating new fleets,you will receive the Traffic Director control plane implementation. Youshould continue reading this guide.
  • You will be notified aboutthe date whennew fleets receive the TD control plane.

Control plane modernization for existing meshes and fleets

Seemanaged control plane modernization.

Check control plane compatibility

Reviewdifferences in supported features between managed control planeimplementations to determinewhether your current usage of Cloud Service Mesh will require changes.

Control plane for new meshes

Starting on July 1, 2024, most existing users of the managedistiod controlplane implementation began to receive the updated managed control planewith Google's globally available implementation - the Traffic Director (TD)control plane, innew fleets.

Users whose existing usage of managed Cloud Service Mesh with theistiodcontrol plane implementation was not compatible with the Traffic Directorimplementation without changes continued to get theistiod implementationuntil September 8, 2024.

A small number of users were further snowflaked to get continue getting theistiod control plane implementation in new fleets. If this applies to yourorganization then you received a Service Announcement.

If you onboard a new fleet to managed Cloud Service Mesh, and this fleet is notin a Google Cloud Organization or it is in a new Google Cloud Organization,then you will get the new managed control plane with the TD implementation fromthe Cloud Service Mesh launch date.

What's next

• If you're a continuing Anthos Service Mesh customer, your documentation is in the left-hand table of contents underConfigure service mesh with Istio APIs.
• If you're a continuing Traffic Director customer, your documentation is underConfigure service mesh with Google Cloud APIs.