Skip to main content
Istio is an open-source service mesh that simplifies connecting, securing, managing, and monitoring microservices. With Istio, you get:
  • Automated service discovery, load balancing, and failure recovery
  • Fine-grained traffic control for A/B testing, canary releases, and rate limiting
  • End-to-end security with mutual TLS, policy enforcement, and telemetry
  • Zero or minimal changes to application code
Istio works transparently alongside any application stack (Spring Boot, Node.js, Vert.x, etc.) by injecting an Envoy sidecar proxy into each pod.
The image is an informational slide about Istio, describing it as an open framework for managing microservices with features like discovery, load balancing, and more, without requiring code changes. It includes a list of basic and complex operational requirements that Istio can handle.

Architecture Overview

Istio’s design is split into two planes:
  • Data Plane
    Consists of Envoy sidecar proxies that run next to application containers. They intercept all inbound/outbound traffic, enabling metrics collection, policy enforcement, and traffic routing.
  • Control Plane
    Configures and manages the proxies, distributing routing rules, certificates, and configuration to ensure consistent behavior across the mesh.
Envoy is a high-performance proxy written in C++ that mediates all service-to-service communication within the mesh.
The image illustrates the Istio architecture, showing the data plane with applications and proxies, and the control plane with components like Pilot, Citadel, and Galley. It depicts the flow of ingress, mesh, and egress traffic within the Istio mesh.

Control Plane Components

ComponentResponsibilityReference
PilotService discovery, traffic management & routingPilot Docs
CitadelmTLS-based authentication & certificate issuanceCitadel Docs
GalleyConfiguration ingestion, validation & distributionGalley Docs
In Istio 1.5+, Galley and Pilot components were merged into istiod. Be sure to check your Istio version and configuration model.

Sidecar Proxy Pattern

When you deploy Istio, each application pod includes an Envoy sidecar. The sidecar:
  1. Intercepts all network traffic to/from the application
  2. Forwards requests to the application container and relays responses
  3. Encrypts traffic between pods using mutual TLS
This pattern externalizes cross-cutting concerns—tracing, metrics, load balancing, and security—out of application code.

From Netflix OSS to Istio

Before Istio, Spring Boot microservices often required embedding multiple Netflix OSS libraries:
Netflix OSS ComponentUse CaseIstio Equivalent
EurekaService discoveryEnvoy + Pilot
Spring Cloud Config ServerCentralized configurationGalley / Config APIs
RibbonClient-side load balancingEnvoy load-balancer
HystrixCircuit breaking & resilienceEnvoy retry & circuit-breakers
ZipkinDistributed tracingEnvoy + Zipkin/Jaeger plugin
ZuulAPI gatewayIngressGateway
The image illustrates the transition of microservices from a traditional container setup to using Istio with sidecar containers, highlighting the externalization of capabilities. It also features logos of technologies like Netflix OSS, Spring, and Envoy.

Summary

Istio’s sidecar-based approach offloads critical infrastructure concerns from your code to a transparent proxy mesh. You gain unified traffic management, security, and observability with minimal disruption to your existing workflows.

Watch Video