1 Introduction to the Service Mesh

This chapter provides introductory information about the Istio module for Oracle Cloud Native Environment, which is used to set up a service mesh in Oracle Cloud Native Environment.

What is a Service Mesh?

A service mesh is a configurable, low‑latency infrastructure layer that controls the interaction between a network of microservices. A service mesh makes sure communication among containerized application infrastructure services is fast, reliable, and secure. The service mesh provides critical capabilities including service discovery, load balancing, encryption, observability, traceability, and authentication and authorization.

A service mesh provides the ability to monitor the microservices in the Kubernetes cluster. Istio can support most of the popular current deployment patterns for deploying microservices. This is transparent to a developer.

What is Istio?

Istio is a type of service mesh designed to manage the interaction and operation of services in a microservices architecture. Istio is an open source project that coordinates communication between services, providing service discovery, load balancing, security, recovery, telemetry, and policy enforcement capabilities. Istio uses a sidecar service mesh model. This means that network communication proxy capabilities are implemented in a separate container for every service or application container that is deployed. Envoy is the product that implements this proxy capability and these special containers run alongside every other container. The Istio sidecar service mesh frees developers from having to program these types of capabilities into application code and makes development and enhancement of applications in a microservice architecture much more efficient and rapid.

Istio's control plane provides an abstraction layer over the underlying cluster management platform, Kubernetes.

Istio contains the following components:

  • Envoy: Sidecar proxies per microservice to handle ingress/egress traffic between services in the cluster and from a service to external services. The proxies form a secure microservice mesh providing a rich set of functions like discovery, rich layer-7 routing, policy enforcement and telemetry recording/reporting functions.

  • Istiod: A component responsible for service discovery, configuration and certificate management.

For more information on the Istio deployment architecture, see the upstream documentation at:


About the Istio Module

The Istio module is based on a stable release of the upstream Istio project. Differences between Oracle versions of the software and upstream releases are limited to Oracle provided configuration profiles and patches for specific bugs.

For upstream Istio documentation, see https://istio.io/latest/docs/.

For more information about Istio, see https://istio.io/.

Istio Module Components

The upstream Istio installation has a number of configuration profiles you can choose from. The Istio module components are based on the upstream installation configuration profiles, and includes components curated for Oracle Cloud Native Environment. You can see the upstream installation configuration profiles at:


The core Istio components installed with their corresponding container name prefix are:

  • Egress gateway (istio-egressgateway )

  • Ingress gateway (istio-ingressgateway)

  • Istiod (istiod)

Two additional modules are installed as supporting modules for monitoring and visualization of the Kubernetes cluster. These are:

  • Grafana (grafana)

  • Prometheus (prometheus-server)