Cloud Service Mesh overview

Cloud Service Mesh is a service mesh available on Google Cloudand across supported GKE platforms. It supports services running on a range ofcomputing infrastructures. Cloud Service Mesh is controlled by APIsdesigned for Google Cloud, for open source, or for both.

This document is for you if you're a new Cloud Service Mesh user or a continuing Anthos Service Mesh or Traffic Director customer.

What is a service mesh?

A service mesh is an architecture that enables managed, observable, and securecommunication among your services, making it easier for you to create robustenterprise applications made up of many microservices on your choseninfrastructure. Service meshes manage the common requirements of running aservice, such as monitoring, networking, and security, with consistent, powerfultools, making it easier for service developers and operators to focus oncreating and managing great applications for their users.

Architecturally, a service mesh consists of one or more control planes and adata plane. The service mesh monitors all traffic into and out of your services.On Kubernetes, a proxy is deployed by asidecar patternto the microservices in the mesh. On Compute Engine, you can deploy proxies on VMsor use proxyless gRPC for the data plane.

This pattern decouples application or businesslogic from network functions, and enables developers to focus on the featuresthat the business needs. Service meshes also let operations teams anddevelopment teams decouple their work from one another.

Architecting your applications as microservices provides many benefits. However,your workloads can become more complex and fragmented as they scale. Servicemesh helps solve the fragmentation problem and makes it easier to manage yourmicroservices.

What is Cloud Service Mesh?

Cloud Service Mesh is Google's solution for both Google Cloudand supported GKE Enterprise environments.

• On Google Cloud: Cloud Service Mesh provides APIs that arespecific to the computing infrastructure on which your workloads run.
  • For Compute Engine workloads, Cloud Service Mesh usesGoogle Cloud-specific service routing APIs.
  • For Google Kubernetes Engine (GKE) workloads, Cloud Service Mesh usesthe open source Istio APIs.
• Off Google Cloud: With Distributed Cloud or GKE multicloud,Cloud Service Mesh supports the Istio APIs for Kubernetesworkloads.

Whether on or off Google Cloud, Cloud Service Mesh lets youmanage, observe, and secure your services without having to change yourapplication code.

Cloud Service Mesh reduces the toil for your operations and developmentteams by simplifying service delivery, from traffic management and meshtelemetry to securing communications between services. Google's fully managedservice mesh lets you manage complex environments and enjoy the benefits theypromise.

Features

Cloud Service Mesh has a suite of features for traffic management,observability and telemetry, and security.

Traffic management

Cloud Service Mesh controls the flow of traffic among services in themesh, into the mesh (ingress), and to outside services (egress). You configureand deploy resources to manage this traffic at the application (L7) layer. Forexample, you can do the following:

• Use service discovery.
• Configure load balancing among services.
• Create canary and blue-green deployments.
• Finely control routing for your services.
• Set up circuit breakers.

Cloud Service Mesh maintains a list of all services in the mesh by nameand by their respective endpoints. It maintains this list to manage the flow oftraffic (for example, Kubernetes Pod IP addresses or the IP addresses ofCompute Engine VMs in aManaged instance group).By using this service registry, and by running the proxies side-by-side with theservices, the mesh can direct traffic to the appropriate endpoint.Proxyless gRPC workloadscan also be used in parallel with workloads using Envoy proxies.

Observability insights

The Cloud Service Mesh user interface in the Google Cloud consoleprovides insights into your service mesh. These metrics are automaticallygenerated for workloads configured through the Istio APIs.

• Service metrics and logs for HTTP traffic within your mesh's GKE cluster are automatically ingested to Google Cloud.
• Preconfigured service dashboards give you the information you need tounderstand your services.
• In-depth telemetry—powered byCloud Monitoring,Cloud Logging, andCloud Trace—lets youdig deep into your service metrics and logs. You can filter and segment yourdata on a wide variety of attributes.
• Service-to-service relationships help you understand at a glance inter-servicedependences and who connects to each service.
• You can quickly see the communication security posture not only of yourservice, but its relationships to other services.
• Service level objectives (SLOs) give you insight into the health of yourservices. You can define an SLO and alert on your own standards of servicehealth.

Learn more about Cloud Service Meshs observability features in ourObservability guide.

Security benefits

Cloud Service Mesh provides you with many security benefits.

• Mitigates risk of replay or impersonation attacks that use stolen credentials.Cloud Service Mesh relies on mutual TLS (mTLS) certificates toauthenticate peers, rather than bearer tokens such asJSON Web Tokens (JWT).
• Ensures encryption in transit. Using mTLS for authentication also ensures thatall TCP communications are encrypted in transit.
• Mitigates the risk that unauthorized clients can access a service with sensitive data,irrespective of the network location of the client and the application-levelcredentials.
• Mitigates the risk of user data breach within your production network. You canensure that insiders can only access sensitive data through authorized clients.
• Identifies which clients accessed a service with sensitive data. Cloud Service Meshaccess logging captures the mTLS identity of the client in addition to theIP address.
• All in-cluster control plane components and proxies are built withFIPS 140-2 validated encryption modules.

Learn more about Service Mesh's security benefits and features in theSecurity guide.

Deployment options

You have the following deployment options in Cloud Service Mesh:

• On Google Cloud
  • Managed Cloud Service Mesh - managed control and data planefor GKE (recommended)
  • Managed Cloud Service Mesh - managed control and data plane forCompute Engine with VMs (recommended)
  • In-cluster control plane for GKE with Istio APIs (Discouraged)
• Off Google Cloud
  • In-cluster control plane for Kubernetes with Istio APIs

Managed Cloud Service Mesh

Managed Cloud Service Mesh consists of the managed control plane forall infrastructures and the managed data plane for GKE. WithManaged Cloud Service Mesh, Google handles upgrades, scaling, andsecurity for you, minimizing manual user maintenance. This covers the controlplane, data plane, and related resources.

Data plane implementation

If you use Google Cloud APIs, your data plane can be provided by Envoyproxies or by proxyless gRPC applications. If you are updating an existingapplication, the sidecar-based approach allows for integration into the meshwithout changing your application. If you want to avoid the overhead of runninga sidecar, you can update your application to use gRPC.

Envoy proxies and proxyless gRPC both use the xDS API to connect to the controlplane. If you use proxyless gRPC, you have a choice of supported languages foryour applications, including Go, C++, Java, and Python.

If you use open source Istio APIs, your data plane is provided by Envoy proxies.

Control plane implementation

Your Cloud Service Mesh control plane depends on whether yourconfiguration is on or off Google Cloud and whether you are a newcustomer.

Control plane implementation for existing users

• If your configuration is off Google Cloud, you are usingCloud Service Mesh's in-cluster, unmanaged control plane. For moreinformation, seeIn-cluster control plane supported features.
• If you were an Anthos Service Mesh user on Google Cloud, you are usingIstio APIs. For more information, seeSupported features using Istio APIs (managed control plane).
• If you were a Traffic Director user, you are using Cloud Service Mesh'smanaged control plane with Google Cloud APIs. For more information,seeCloud Service Mesh with Google Cloud APIs supportedfeatures.

To determine your current control plane, readIdentify control plane implementation. For moreinformation on control planes and control plane migration, seeManaged control plane overview for continuing customers.

Control plane implementation for new users

• If you are planning an off-Google Cloud configuration, you arechoosing Cloud Service Mesh's in-cluster, unmanaged control plane.For more information, seeIn-cluster control plane supported features.
• If you are planning an on-Google Cloud configuration on Kubernetes,you are choosing Istio APIs, but your control plane uses the TrafficDirector implementation, except in certain cases that are detailed inWhat determines control plane implementation.SeeSupported features using Istio APIs (managed control plane) for more details.
• If you are planning an on-Google Cloud configuration onCompute Engine VMs, your control plane uses the global, multi-tenantcontrol plane, known as the Traffic Director implementation. For moreinformation, seeCloud Service Mesh with Google Cloud APIs supported features.

Control plane migration

If you are a continuing Anthos Service Mesh customer and you use the Istio APIs, yourclusters will start migrating to the Traffic Director control plane. You cancontinue to use the Istio APIs for configuration.

To determine whether your clusters still use the Istio control plane or havemigrated to the new global control plane, readIdentify control plane implementation.

What's next

• If you're a continuing user, readManaged control plane for continuing customers.
• If you plan to set up with GKE, readProvision a control plane.
• If you plan to set up with Compute Engine and VMs, readPrepare to set up on service routing APIs with Envoy and proxyless workloads.