Istio addresses the challenges developers and operators face with a distributed or microservices architecture. [1]

Service mesh
Figure 1. By adding a proxy "sidecar" along with every application deployed, Istio lets you program application-aware traffic management, incredible observability, and robust security capabilities into your network.

1. What is a Service Mesh

Modern applications are typically architected as distributed collections of microservices, with each collection of microservices performing some discrete business function. [1]

A service mesh is a dedicated infrastructure layer that you can add to your applications. It allows you to transparently add capabilities like observability, traffic management, and security, without adding them to your own code.

The term “service mesh” describes both the type of software you use to implement this pattern, and the security or network domain that is created when you use that software.

2. What’s Istio?

Istio is an open source service mesh that layers transparently onto existing distributed applications.

Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes. Its powerful control plane brings vital features, including:

  • Secure service-to-service communication in a cluster with TLS encryption, strong identity-based authentication and authorization

  • Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic

  • Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection

  • A pluggable policy layer and configuration API supporting access controls, rate limits and quotas

  • Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress

Istio’s control plane runs on Kubernetes, and you can add applications deployed in that cluster to your mesh, extend the mesh to other clusters, or even connect VMs or other endpoints running outside of Kubernetes.

2.1. Architecture

An Istio service mesh is logically split into a data plane and a control plane. [2]

  • The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars. These proxies mediate and control all network communication between microservices. They also collect and report telemetry on all mesh traffic.

  • The control plane manages and configures the proxies to route traffic.

    The overall architecture of an Istio-based application.


Istio uses an extended version of the Envoy proxy. Envoy is a high-performance proxy developed in C++ to mediate all inbound and outbound traffic for all services in the service mesh. Envoy proxies are the only Istio components that interact with data plane traffic.


Istiod provides service discovery, configuration and certificate management.

2.2. Install Istio

  1. Go to the Istio release page to download the installation file for your OS, or download and extract the latest release automatically (Linux or macOS): [3]

    curl -L | sh -

  2. Move to the Istio package directory. For example, if the package is istio-1.20.3:

    cd istio-1.20.3

    The installation directory contains:

    • Sample applications in samples/

    • The istioctl client binary in the bin/ directory.

  3. Add the istioctl client to your path (Linux or macOS):

    export PATH=$PWD/bin:$PATH

  4. For this installation, we use the demo configuration profile. It’s selected to have a good set of defaults for testing, but there are other profiles for production or performance testing.

    $ istioctl install --set profile=demo -y
    ✔ Istio core installed
    ✔ Istiod installed
    ✔ Egress gateways installed
    ✔ Ingress gateways installed
    ✔ Installation complete
    Made this installation the default for injection and validation.

  5. Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later:

    $ kubectl label namespace default istio-injection=enabled
    namespace/default labeled
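
The label from step 5 only takes effect when a pod is created, so workloads that were already running in the namespace keep running without a sidecar, and therefore outside the mesh's traffic and security controls, until they are redeployed. The script below is an added example, not part of the Istio documentation; it lists pods that lack the sidecar, assuming the injected sidecar is a regular container named istio-proxy, and the pod names in the sample listing are constructed.

```shell
#!/bin/sh
# Added example (not from the Istio docs): find pods running without the
# Envoy sidecar, e.g. pods created before the namespace was labelled.
# Assumption: the injected sidecar is a regular container named "istio-proxy".

SIDECAR_NAME="istio-proxy"
TAB=$(printf '\t')

# Live input: one line per pod, "<pod-name><TAB><container names>".
list_pod_containers() {
  kubectl get pods -n "$1" -o \
    jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Reads such lines on stdin; prints the names of pods lacking the sidecar.
pods_without_sidecar() (
  while IFS="$TAB" read -r name containers; do
    if [ -z "$name" ]; then continue; fi
    found=0
    for c in $containers; do
      if [ "$c" = "$SIDECAR_NAME" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then printf '%s\n' "$name"; fi
  done
)

# Constructed sample listing (hypothetical pod names) for an offline run:
# "legacy-batch" predates the label, "reviews" was deployed after it.
sample_listing() {
  printf 'legacy-batch-7d9f\tworker\n'
  printf 'reviews-v1-5c4b\treviews istio-proxy\n'
  printf 'gateway-helper-x2\thelper metrics\n'
}

# Offline:  sample_listing | pods_without_sidecar
# Cluster:  list_pod_containers default | pods_without_sidecar
```

Any pod the script reports needs to be recreated (for example by restarting its deployment) before it receives a sidecar.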


  1. The Istio uninstall deletes the RBAC permissions and all resources hierarchically under the istio-system namespace. It is safe to ignore errors for non-existent resources because they may have been deleted hierarchically.

    istioctl uninstall -y --purge

    The istio-system namespace is not removed by default. If no longer needed, use the following command to remove it:

    kubectl delete namespace istio-system

    The label to instruct Istio to automatically inject Envoy sidecar proxies is not removed by default. If no longer needed, use the following command to remove it:

    kubectl label namespace default istio-injection-