According to The New Stack, service mesh is a technology that aims to “improve the security, observability and traffic control of distributed systems”. More specifically, a service mesh is a component of orchestration tools for containerized environments such as Kubernetes, typically responsible for functions that include routing traffic among containerized applications, serving as the interface for defining autonomous service-to-service mutual TLS (mTLS) policies and then enforcing them, and providing visibility into application availability and security. Like Kubernetes as a whole, service meshes consist of control, management, and data planes.
Service meshes typically handle traffic management and security in a way that’s transparent to the containerized applications. By offloading functions like SSL/TLS and load balancing, service meshes free developers from having to implement security or service availability separately in each application. An enterprise‑grade service mesh provides solutions for a variety of “problems”:
- Securing traffic with end-to-end encryption and mTLS
- Orchestration via injection and sidecar management, and Kubernetes API integration
- Management of service traffic, including load balancing, traffic control (rate limiting and circuit breaking), and traffic shaping (canary deployments, A/B testing, blue‑green deployments)
- Improved monitoring and visibility of service-to-service traffic with popular tools like Prometheus and Grafana
- Simplified management of Kubernetes ingress and egress traffic by integrating natively with an Ingress controller
Service meshes range in focus from small and very focused to very large with a comprehensive set of network and cluster management tools (such as Istio), and everywhere in between. The larger and more complex the service mesh, the more helpful an independent management plane can be.
Are You Ready for a Service Mesh?
While service meshes are an excellent tool for application traffic management in a managed cluster, they are not the be‑all and end‑all for Kubernetes. Like any additional tool, they introduce overhead: training for users, new management requirements, integration into existing CI/CD pipelines, and so on. Before investing in a service mesh, it’s important to identify which of your current and planned use cases might benefit from it.
To determine if you’re ready for a mesh and how to take the next steps, read How to Choose a Service Mesh on our blog to get:
- Our 6-point checklist for determining readiness
- A 3-step process for choosing the mesh that’s right for you
- An overview of NGINX Service Mesh
How Can NGINX Help?
When you’ve established that you need a service mesh, the decision about which to choose comes down to your use cases. Ask yourself: “What do I want the mesh to manage?”
- If the answer is application traffic management, security, and governance, choose a mesh that highlights the data plane rather than the control plane, such as NGINX Service Mesh. It’s lightweight but full‑featured, and leverages NGINX Plus to bring enterprise‑grade traffic management and security tools to Kubernetes environments.
- If the answer is Kubernetes cluster and network management, lean towards a more feature‑rich mesh such as Istio with F5’s Aspen Mesh as the independent management plane.