A service mesh moves service-to-service networking out of application code and into a dedicated infrastructure layer: typically a sidecar proxy deployed alongside each service instance (newer sidecarless designs such as Istio's ambient mode use a per-node proxy instead) that centralizes cross-cutting concerns like encryption, authentication, load balancing, and telemetry.
Why it matters
- Enforces consistent security policy (mTLS, workload identity, authorization) for every service without per-application code, because the proxy, not the application, terminates each connection.
- Provides deep observability with distributed tracing, metrics, and access logs.
- Simplifies traffic management with canary deployments, circuit breakers, and retries.
- Decouples infrastructure concerns from application logic, reducing developer burden.
Key concepts
- Sidecar Proxy: A lightweight proxy (typically Envoy, or a mesh-specific proxy such as Linkerd's) deployed alongside each service instance; all of the pod's inbound and outbound traffic is transparently redirected through it, usually via iptables rules or a CNI plugin, so the application needs no changes.
- Data Plane: The collection of sidecar proxies handling actual service traffic.
- Control Plane: Centralized management components that distribute routing and policy configuration to the data plane and act as the certificate authority issuing workload identities; it is therefore a high-value target and must be hardened and access-controlled like any CA.
- Service Discovery: Automatic detection of service instances and their endpoints.
- Traffic Policies: Rules for routing, load balancing, timeouts, and retries.
Core capabilities
- Security: mTLS between proxies, identity-based access control keyed on the workload identity in the client certificate, and automatic issuance and rotation of short-lived workload certificates. Caveat: most meshes default to a permissive mode that still accepts plaintext from workloads outside the mesh; mTLS is only an enforced boundary once the policy is set to strict.
- Observability: Distributed tracing, golden signal metrics, access logging without code changes.
- Traffic Management: Canary releases, A/B testing, traffic mirroring, fault injection.
- Resilience: Circuit breakers, rate limiting, automatic retries with exponential backoff. Retries should be restricted to idempotent requests and bounded in attempts and total timeout, otherwise a mesh-level retry policy can duplicate side effects and amplify load on an already failing service.
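As an added illustration of the security capability listed above (example configuration written for this article, not taken from the original page or from the Istio project's documentation), the following Istio resources show the weak permissive setting next to the strict one, then add identity-based authorization on top of it. The namespace payments, the workload label app: ledger and the client service account checkout are assumed names; the API versions are the ones Istio 1.x serves.

```yaml
# Added example: enforcing mesh mTLS and identity-based access control with
# Istio. The namespace "payments", the label app: ledger and the service
# account "checkout" are assumed names for illustration.
#
# Weak setting (equivalent to Istio's behaviour when no PeerAuthentication
# exists) would be:
#
#   spec:
#     mtls:
#       mode: PERMISSIVE
#
# PERMISSIVE makes the sidecar accept mTLS *and* plaintext, so a pod with no
# sidecar, or anything else that can reach the pod IP, still gets in
# unauthenticated. The policy below closes that gap for the whole namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT          # reject any connection that is not mesh mTLS
---
# mTLS only answers "who is calling": the SPIFFE identity in the client
# certificate, derived from the caller's Kubernetes service account. Whether
# that identity may call is a separate decision. With no AuthorizationPolicy
# Istio allows every authenticated caller; a single ALLOW policy on a workload
# flips it to deny-by-default for everything its rules do not match.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger         # applies to the ledger workload's sidecars only
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE ID spiffe://cluster.local/ns/payments/sa/checkout,
        # written without the scheme as Istio expects
        principals:
        - "cluster.local/ns/payments/sa/checkout"
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/balances/*"]
```

Two caveats a practitioner should keep in mind. Every pod running under the same Kubernetes ServiceAccount presents the same identity, so a dedicated ServiceAccount per workload is a prerequisite for the principals list to mean anything. And mTLS covers the proxy-to-proxy hop only: the application-to-sidecar hop inside the pod is plaintext on loopback, and a process with CAP_NET_ADMIN in that pod can rewrite the iptables redirect, so the mesh does not replace pod hardening.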
Popular service mesh options
- Istio: Feature-rich mesh with extensive policy capabilities; can be complex to operate.
- Linkerd: Lightweight mesh focused on simplicity and performance; its data-plane proxy is written in Rust, while the control plane is written in Go.
- Consul Connect (now marketed as Consul service mesh): HashiCorp's mesh with strong service discovery and multi-datacenter support.
- AWS App Mesh: Managed service mesh for AWS workloads using Envoy.
When to adopt
- Running dozens or hundreds of microservices that need consistent security and observability.
- Requiring zero-trust networking, where every service-to-service call is authenticated by workload identity over mTLS and authorized by policy rather than by network location.
- Implementing sophisticated deployment strategies like canary releases.
- Needing deep traffic insights without instrumenting every application.
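The traffic-management and resilience capabilities listed under Core capabilities, and the canary releases mentioned under When to adopt, come together in the following added example (written for this article, not taken from the page or from Istio's documentation): a weighted canary split with a circuit breaker, bounded retries and a timeout. The host ledger.payments.svc.cluster.local and the pod label version with values v1 and v2 are assumed names.

```yaml
# Added example: a 90/10 canary release with circuit breaking and bounded
# retries in Istio. Host, namespace and version labels are assumed names.
#
# The DestinationRule defines the subsets the VirtualService routes to and the
# per-host outlier detection that acts as a circuit breaker.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: ledger
  namespace: payments
spec:
  host: ledger.payments.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 100   # queue depth before the proxy fails fast
    outlierDetection:
      consecutive5xxErrors: 5          # eject a pod after 5 consecutive 5xx
      interval: 30s
      baseEjectionTime: 1m
      maxEjectionPercent: 50           # never eject more than half the pool
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# The VirtualService shifts a fixed share of traffic to the canary subset.
# Weights must sum to 100; raise the v2 weight in steps as error rate and
# latency for the v2 subset stay within budget.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ledger
  namespace: payments
spec:
  hosts:
  - ledger.payments.svc.cluster.local
  http:
  - route:
    - destination:
        host: ledger.payments.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: ledger.payments.svc.cluster.local
        subset: v2
      weight: 10
    retries:
      attempts: 2                      # bounded: at most 3 tries in total
      perTryTimeout: 2s
      retryOn: 5xx,reset,connect-failure
    timeout: 5s                        # overall budget across all attempts
```

Envoy applies exponential backoff with jitter between the retry attempts, which is the behaviour the Resilience bullet refers to. The retry block here applies to every HTTP method on the route; if the service has non-idempotent endpoints, split them into their own route entry with a match on method or path and leave retries off there.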