You are viewing legacy v1.19 Service Mesh documentation.
About Cloud Service Mesh
Cloud Service Mesh is a suite of tools that helps you monitor and manage a reliable service mesh on-premises or on Google Cloud.
What is a service mesh?
A service mesh is an architecture that enables managed, observable, and secure communication across your services, letting you create robust enterprise applications made up of many microservices on your chosen infrastructure. Service meshes factor out all the common concerns of running a service such as monitoring, networking, and security, with consistent, powerful tools, making it easier for service developers and operators to focus on creating and managing great applications for their users.
Cloud Service Mesh is powered by Istio, a highly configurable and powerful open source service mesh platform, with tools and features that enable industry best practices. Cloud Service Mesh is deployed as a uniform layer across your entire infrastructure. Service developers and operators can use its rich feature set without making changes to application code.
Architecturally, a service mesh consists of one or more control planes and a data plane. The service mesh monitors all traffic through a proxy. On Kubernetes, the proxy is deployed by a sidecar pattern to the microservices in the mesh. This pattern decouples application or business logic from network functions, and enables developers to focus on the features that the business needs. Service meshes also let operations teams and development teams decouple their work from one another.
How can Cloud Service Mesh help me?
With Cloud Service Mesh, you get a GKE Enterprise tested and supported distribution of Istio, letting you create and deploy a service mesh on GKE on Google Cloud and other platforms with full Google support.
Features
Cloud Service Mesh has a suite of features and tools that help you observe and manage secure, reliable services in a unified way.
Note: Some features, such as Cloud Service Mesh certificate authority and the Cloud Service Mesh dashboards in the Google Cloud console aren't available on all GKE Enterprise environments. To learn about the service mesh features supported on each environment, see In-cluster control plane supported features.
Traffic management
Cloud Service Mesh controls the flow of traffic between services, into the mesh (ingress), and to outside services (egress). You configure and deploy Istio-compatible custom resources to manage this traffic at the application (L7) layer. For example, with the custom resources, you can:
- Create canary and blue-green deployments.
- Provide fine-grained control over specific routes for services.
- Configure load balancing between services.
- Set up circuit breakers.
Cloud Service Mesh maintains a service registry of all services in the mesh by name and by their respective endpoints (for example, Kubernetes Pod IP addresses). It maintains the registry to manage the flow of traffic. By using this service registry, and by running the proxies side-by-side with the services, the mesh can direct traffic to the appropriate endpoint.
Observability insights
The Cloud Service Mesh pages in the Google Cloud console provide the following insights into your service mesh:
- Service metrics and logs for HTTP traffic within your mesh's GKE cluster are automatically ingested to Google Cloud.
- Preconfigured service dashboards give you the information you need to understand your services.
- In-depth telemetry—powered by Cloud Monitoring, Cloud Logging, and Cloud Trace—lets you dig deep into your service metrics and logs. You can filter and slice your data on a wide variety of attributes.
- Service-to-service relationships at a glance help you understand who connects to each service and the services that each service depends on.
- You can quickly see the communication security posture not only of your service, but its relationships to other services.
- Service level objectives (SLOs) give you insight into the health of your services. You can easily define an SLO and alert on your own standards of service health.
Learn more about Cloud Service Mesh's observability features in our Observability guide.
Security benefits
- Mitigates risk of replay or impersonation attacks that use stolen credentials. Cloud Service Mesh relies on mutual TLS (mTLS) certificates to authenticate peers, rather than bearer tokens such as JSON Web Tokens (JWT).
- Ensures encryption in transit. Using mTLS for authentication also ensures that all TCP communications are encrypted in transit.
- Ensures that only authorized clients can access a service with sensitive data, irrespective of the network location of the client and the application-level credentials.
- Mitigates the risk of user data breach within your production network. You can ensure that insiders can only access sensitive data through authorized clients.
- Identifies which clients accessed a service with sensitive data. Cloud Service Mesh access logging captures the mTLS identity of the client in addition to the IP address.
- All in-cluster control plane components and proxies use FIPS 140-2 validated encryption modules.
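One way the mTLS and authorized-client benefits above are commonly expressed with Istio's security custom resources, shown as an added example that is not part of the original page. The namespaces, workload label, service account name, and the `cluster.local` trust domain (Istio's default) are assumptions; substitute your mesh's own values.

```yaml
# Constructed example. The "payments" and "frontend" namespaces, the
# app=ledger label and the "checkout" service account are hypothetical.

# Require mTLS for every workload in the namespace.
# Weak setting for comparison: with mode PERMISSIVE the sidecars also accept
# plaintext, so a client without a mesh identity can still connect.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Allow only one client identity to reach the sensitive workload.
# The principal comes from the client's mTLS certificate, so the decision
# does not depend on the client's IP address or network location.
# Once an ALLOW policy selects a workload, requests that match none of its
# rules are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        # Assumed trust domain "cluster.local"; use your mesh's trust domain.
        principals: ["cluster.local/ns/frontend/sa/checkout"]
```

Rolling out STRICT mode before every client has a sidecar breaks those clients, so the usual sequence is PERMISSIVE while migrating, then STRICT once all callers present mesh certificates.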
Learn more about Cloud Service Mesh's security benefits and features in our Security guide.
Deployment options
You have the following deployment options in Cloud Service Mesh:
- Managed Cloud Service Mesh
- In-cluster control plane
Managed Anthos Service Mesh
Managed Cloud Service Mesh consists of the managed control plane and the managed data plane. With managed Cloud Service Mesh, Google handles upgrades, scaling, and security for you, minimizing manual user maintenance. With the managed data plane enabled, Google installs an in-cluster controller that manages the sidecar proxies for you.
The following diagram shows the Cloud Service Mesh components and features for managed Cloud Service Mesh:
For information on setting up or migrating to a managed Cloud Service Mesh, see Provision managed Cloud Service Mesh.
In-cluster control plane
The following diagram shows the Cloud Service Mesh components and features for the in-cluster control plane and sidecar proxies.
For information on installing an in-cluster Cloud Service Mesh, see Install Cloud Service Mesh.
Last updated 2026-02-19 UTC.