Service mesh is not a new concept, but its implementation for connecting microservices running on top of Kubernetes as a containerization platform makes the idea of having a service mesh more popular. Without a service mesh, each microservice needs to be configured to accept (and send) connections to other microservices it needs to communicate with. Service mesh changes that completely.
Instead of dealing with manual configurations and having to invest a lot of time and energy maintaining connections between microservices, developers can now create a mesh that enables microservices to communicate with each other in a reliable, secure, and controllable way. Kubernetes and service mesh are made for each other, mainly because the use of a service mesh allows for a more complex containerization architecture without the added workload.
There is also a wealth of ways to establish a service mesh as a layer on top of Kubernetes. In this article, we are going to compare some of the tools you can use to establish a service mesh to see which one is best.
AWS App Mesh
Since a lot of Kubernetes-powered apps and microservices now run within the Amazon Web Services environment, it is difficult not to talk about AWS App Mesh. As the name suggests, AWS App Mesh is Amazon’s own service mesh, built to enable the creation of a service mesh layer for Amazon services.
Being an Amazon product, AWS App Mesh utilizes a proprietary technology combined with Envoy as its service proxy. AWS App Mesh connects services within the same namespace through the creation of a virtual service. Every microservice in your AWS environment can find that virtual service and use it to channel communications to other microservices.
The seamless integration of AWS App Mesh with other services like EKS, Fargate, and EC2 is its strongest suit, but there are some limitations to how App Mesh can be used. For starters, you cannot migrate outside of App Mesh or use this service in a multi-cloud setup.
App Mesh also resorts to CloudWatch and AWS X-Ray for management of service mesh, but that means you can have complete control over the layer without leaving your primary dashboard. Security features such as support for mTLS and advanced load balancing are also supported, although App Mesh doesn’t support authorization rules.
Istio
Istio is perhaps the most popular service mesh tool for Kubernetes. It was originally developed for Lyft, but later became a joint development project between the company, Google, and IBM. Considering how Google is the company behind Kubernetes in the first place, it is not surprising to see Istio being widely used in many deployment types.
Similar to App Mesh, Istio also uses Envoy as its service proxy, but it doesn’t limit you to Envoy as the only ingress controller. Istio is unique in that it offers immense flexibility without the usual complications. You can actually use Istio for other containerization platforms, but its seamless integration with Kubernetes makes it a useful tool.
For example, Istio supports mesh expansion and multi-cluster mesh, both of which are features that are absent from App Mesh and many other service mesh tools. Istio also handles traffic access control and load balancing like it is built to perform these tasks. It even supports fault injection and delay injection.
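The traffic access control mentioned above is expressed in Istio through its security CRDs. The manifest below is an added example, not taken from the article or from the Istio project: it enforces mTLS for every workload in the mesh, denies all traffic in a namespace by default, and then allows one caller through. The namespace (shop), the workload label (app: api) and the caller's service account (web) are assumed names.

```yaml
# Added example (not from the article). Namespace "shop", label app=api and
# service account "web" are assumed; the API groups and fields are Istio's own.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system     # the root namespace, so this applies mesh-wide
spec:
  mtls:
    mode: STRICT               # sidecars reject plaintext from non-mesh clients
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}                       # an empty spec denies all requests in the namespace
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-web-to-api
  namespace: shop
spec:
  selector:
    matchLabels:
      app: api                 # only the api workload's sidecars enforce this policy
  action: ALLOW
  rules:
  - from:
    - source:
        # the SPIFFE identity carried in the client certificate, verified by mTLS
        principals: ["cluster.local/ns/shop/sa/web"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
```

The ordering matters for defenders: STRICT mTLS is what makes the `principals` match trustworthy, because the identity comes from the client certificate rather than from a header, and the deny-all policy means a workload without an explicit ALLOW rule cannot be reached at all. This is the capability the article notes App Mesh lacks.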
The only downside to using Istio is that you can feel overwhelmed by the features it offers. If you have the resources to handle a service mesh layer using Istio, this tool has the potential of simplifying even the most complex microservices architecture with its features.
Linkerd
Linkerd was already a very popular service mesh tool when v2.x was introduced. The new version has been well received by the Kubernetes community and, as of the middle of April 2020, its stable 2.7.1 version is out. It is entirely built as a standalone service mesh tool, so it doesn’t rely on third-party tools like Envoy for management. It even has linkerd-proxy included as a service proxy.
Recent upgrades also include dashboard improvements and visualizations for the traffic split feature for canary deployments. This makes it a great tool for monitoring and orchestrating canary and blue/green deployments in real time.
While remaining independent, Linkerd also maintains high compatibility with ingress controllers. Actually, Linkerd is able to work with any ingress controller you use, making it the most flexible in this respect. A simple linkerd inject command is all that is needed to get the service mesh integrated with your app.
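To make the injection step and the canary traffic split concrete, here is an added example (not from the article or from the Linkerd project) showing a Deployment opted into the Linkerd 2 data plane through the inject annotation, followed by an SMI TrafficSplit that sends a tenth of the traffic to a canary. The namespace (shop), the service names (api, api-stable, api-canary) and the container image are assumed.

```yaml
# Added example (not from the article). Names and image are assumed; the
# annotation and the TrafficSplit schema are the ones Linkerd 2.x consumes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-canary
  namespace: shop
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api
      track: canary
  template:
    metadata:
      labels:
        app: api
        track: canary
      annotations:
        linkerd.io/inject: enabled   # same result as piping the manifest through `linkerd inject`
    spec:
      containers:
      - name: api
        image: registry.example/api:canary   # assumed image
        ports:
        - containerPort: 8080
---
apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
  name: api-split
  namespace: shop
spec:
  service: api                 # the apex service that clients keep calling
  backends:
  - service: api-stable
    weight: 900m               # 90% of requests
  - service: api-canary
    weight: 100m               # 10% of requests
```

Applying the same thing without the annotation is `linkerd inject deploy.yaml | kubectl apply -f -`. Once the proxies are running, `linkerd -n shop tap deploy/api-canary` shows each request with a `tls=true` flag, which is the quick check that traffic between meshed pods really is carried over mTLS rather than plaintext.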
Linkerd2 is also highly optimized, and it takes only 60 seconds to install. If you are seeking a service mesh tool that can bring the best performance to the table, this is the one to try. Being a non-invasive service mesh tool, Linkerd doesn’t require a lot of optimizations once it is deployed. The out-of-the-box configuration is more than enough to support complex microservices arrays, and it is able to prevent major attacks. Linkerd enhances application security through mutual TLS (mTLS) encryption.
It is also a tool developed specifically for Kubernetes. It may not support multi-cloud and multi-cluster mesh creations, but that doesn’t make it any less capable when used as a service mesh layer for a Kubernetes instance. Besides, it also plays well with OpenCensus, making tracing and management very easy to do.
Kuma
Kuma offers a unique combination of Envoy as a service proxy and support for any ingress controller. It is very similar to Consul Connect—which we will get to in a second—but with a few new and refreshing features. New and refreshing because Kuma is also the newest tool on this list.
Don’t let the young age fool you though. Kuma is more than production-ready and comes with features you would expect from a capable service mesh tool. It supports all backends that are compatible with OpenTracing and lets you use an external CA certificate if needed. Unfortunately, some features are still missing from this tool.
There is no way to do path-based or header-based traffic splits in Kuma right now. There is also no support for features such as traffic access control and metrics. These features may be introduced in later updates, but for now, you have to do manual proxy templating to get around the lack of these tools.
Nevertheless, Kuma looks promising as a service mesh tool. It has yet to reach its version 1.0.0—currently at 0.4.0—but the developers behind this tool listen to the community and are more than happy to accommodate requests to make this tool more capable than its competitors.
Consul Connect
HashiCorp’s Consul Connect is the next service mesh tool on our list. This being a HashiCorp creation, you can expect Consul Connect to work with Envoy and various other service proxy alternatives. It also works with any ingress controller, making it one of the easiest to integrate into existing Kubernetes clusters.
Consul Connect works seamlessly in any Consul environment. Unfortunately, it only works in a Consul environment. This service mesh tool, while offering a lot of handy features, is designed to be used alongside other HashiCorp products. The tools, however, are very extensive.
Everything from TCP to gRPC is supported. The tool works with Kubernetes as well as VMs and even Nomad. Mesh expansion is fully supported, so you can have an environment that spans across multiple cloud services and clusters, and still have a capable service mesh layer supporting your microservices.
The one aspect that Consul Connect needs to improve is monitoring. However, you can integrate other monitoring tools in order to get access to log and per-route metrics. You can even integrate tools like Prometheus and Grafana to visualize your monitoring data. You just have to pull the data from your service proxy instead of Consul Connect directly.
These service mesh tools are mainly designed to work with Envoy as the service proxy. Envoy does offer some advantages compared to other edge proxy tools, with advanced load balancing being the most prominent advantage of them all.
Automating retries, zone local load balancing, and request shadowing allow you to configure traffic load balancing for maximum performance. High observability, on the other hand, makes Envoy the perfect solution for maintaining a robust network supporting a capable architecture.
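The three Envoy features named above (retries, request shadowing and zone-local load balancing) are plain route and cluster settings in Envoy's own configuration. The fragment below is an added example, not from the article or from any of the meshes discussed, written against the Envoy v3 API; the cluster names (api, api_shadow), the zone and the addresses are assumed.

```yaml
# Added example (not from the article). Cluster names, zone and addresses are
# assumed; the field names are Envoy's v3 API.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: api
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route:
                  cluster: api
                  retry_policy:
                    retry_on: "5xx,reset"    # only retry server errors and connection resets
                    num_retries: 3
                    per_try_timeout: 2s      # bound each attempt so retries cannot pile up
                  request_mirror_policies:
                  - cluster: api_shadow      # fire-and-forget copy of 10% of requests
                    runtime_fraction:
                      default_value: { numerator: 10, denominator: HUNDRED }
  clusters:
  - name: api
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    common_lb_config:
      zone_aware_lb_config:
        min_cluster_size: 3                  # prefer same-zone endpoints once enough are healthy
    load_assignment:
      cluster_name: api
      endpoints:
      - locality: { zone: us-east-1a }       # assumed zone; must match the proxy's own locality
        lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: api.shop.svc.cluster.local, port_value: 8080 }
  - name: api_shadow
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: api_shadow
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: api-shadow.shop.svc.cluster.local, port_value: 8080 }
```

Two details are worth keeping in mind when using these in practice: mirrored requests are copied in full, so a shadow cluster receives the same credentials and request bodies as production and should be protected accordingly, and `retry_on` should stay narrow, since retrying non-idempotent requests on arbitrary failures can duplicate side effects.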
Of course, these tools have one primary goal: to create a cloud architecture where microservices can communicate with each other in a reliable and secure way. The good news is, you will be able to achieve that regardless of the tool you use.
Caylent provides a critical DevOps-as-a-Service function to high growth companies looking for expert support with Kubernetes, cloud security, cloud infrastructure, and CI/CD pipelines. Our managed and consulting services are a more cost-effective option than hiring in-house, and we scale as your team and company grow. Check out some of the use cases, learn how we work with clients, and read more about our DevOps-as-a-Service offering.