Introduction to Network Operations
This section is intended as a guide to operators of an Istio-based deployment. It provides the information an operator of an Istio deployment would need to manage the networking aspects of an Istio service mesh. Much of the information and many of the procedures that an Istio operator would require are already documented in other sections of the Istio documentation, so this section relies heavily on pointers to that other content.
Key Istio Concepts
When attempting to understand, monitor or troubleshoot the networking within an Istio deployment it is critical to understand the fundamental Istio concepts, starting with the service mesh. The service mesh is described in Architecture. As noted in the architecture section, Istio has a distinct control plane and data plane, and operationally it will be important to be able to monitor the network state of both. The service mesh is a fully interconnected set of proxies that are utilized in both the control and data plane to provide the Istio features.
Another key concept to understand is how Istio performs traffic management. This is described in Traffic Management Explained. Traffic management allows fine-grained control over what external traffic can enter or exit the mesh and how those requests are routed. The traffic management configuration also dictates how requests between microservices within the mesh are handled. Full details on how to configure traffic management are available here: Traffic Management Configuration.
The final concept that is essential for the operator to understand is how Istio uses gateways to allow traffic into the mesh or to control how requests originating in the mesh access external services. This is described with a configuration example here: Istio Gateways.
Network Layers Beneath the Mesh
Istio’s service mesh runs on top of the networking provided by the infrastructure environment (e.g. Kubernetes) on which the Istio mesh is deployed. Istio has certain requirements of this networking layer. This guide will not attempt to provide any operational insight into this networking layer, as many options exist. In the case of Kubernetes, a good reference to understand the container networking layer is Kubernetes Cluster Operator. Istio has the following requirements of the networking infrastructure underneath it:
The mapping of a service name to workload IP is discoverable by Pilot (this is more a service discovery requirement than a networking requirement)
The Pilot discovery process can reach the environment specific API server for service discovery.
Service endpoints have L3 reachability to all endpoints for services in the Istio mesh.
Any firewall or ACL rules at the infrastructure networking layer don’t conflict with any of the Istio layer 3-7 traffic management rules.
Any firewall or ACL rules at the infrastructure networking layer don’t conflict with any of the ports used for Istio control traffic.
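The reachability and firewall requirements above can be checked mechanically: flatten the service endpoints that Pilot would discover into (workload IP, port) pairs and confirm that a TCP handshake to each one completes from inside the mesh. The following script is an added example, not part of the Istio documentation or the Istio project. It assumes the JSON shape produced by `kubectl get endpoints -A -o json` (the sample document below is constructed, with made-up pod IPs), and the istiod ports 15010 and 15012 in the sample are assumed from common installations; confirm them against your own deployment.

```python
"""Check L3/L4 reachability of mesh service endpoints.

Added example (not Istio project code). Assumptions: input is the JSON of
`kubectl get endpoints -A -o json`; control-plane ports follow common
istiod installations and must be confirmed per deployment.
"""
import json
import socket
from typing import Dict, List, Tuple

# Constructed sample in the shape of `kubectl get endpoints -A -o json`.
# IPs and port numbers are illustrative only.
SAMPLE_ENDPOINTS_JSON = json.dumps({
    "kind": "EndpointsList",
    "items": [
        {
            "metadata": {"name": "productpage", "namespace": "default"},
            "subsets": [{
                "addresses": [{"ip": "10.244.1.12"}, {"ip": "10.244.2.7"}],
                "ports": [{"name": "http", "port": 9080}],
            }],
        },
        {
            # Control-plane ports (assumed values; verify in your cluster).
            "metadata": {"name": "istiod", "namespace": "istio-system"},
            "subsets": [{
                "addresses": [{"ip": "10.244.0.5"}],
                "ports": [{"name": "grpc-xds", "port": 15010},
                          {"name": "https-dns", "port": 15012}],
            }],
        },
    ],
})

# (namespace/service, workload ip, port name, port number)
Endpoint = Tuple[str, str, str, int]


def endpoints_from_kubectl_json(raw: str) -> List[Endpoint]:
    """Flatten an EndpointsList into (service, ip, port_name, port) tuples.

    A service whose subsets are missing or empty has no ready workloads and
    contributes nothing here; that is a discovery finding in its own right.
    """
    doc = json.loads(raw)
    out: List[Endpoint] = []
    for item in doc.get("items", []):
        meta = item["metadata"]
        svc = f"{meta['namespace']}/{meta['name']}"
        for subset in item.get("subsets") or []:
            for addr in subset.get("addresses") or []:
                for port in subset.get("ports") or []:
                    out.append((svc, addr["ip"], port.get("name", ""), port["port"]))
    return out


def tcp_reachable(ip: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout.

    A completed handshake proves L3 reachability and that no firewall/ACL is
    dropping or rejecting the port. A failure does not distinguish a routing
    gap from a filter rule; follow up with the infrastructure's own tooling.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def reachability_report(endpoints: List[Endpoint],
                        timeout: float = 2.0) -> Dict[str, List[str]]:
    """Group unreachable endpoints by service. An empty dict means all reached."""
    failures: Dict[str, List[str]] = {}
    for svc, ip, name, port in endpoints:
        if not tcp_reachable(ip, port, timeout):
            failures.setdefault(svc, []).append(f"{ip}:{port} ({name or 'unnamed'})")
    return failures


if __name__ == "__main__":
    # Replace SAMPLE_ENDPOINTS_JSON with the real `kubectl` output in practice.
    eps = endpoints_from_kubectl_json(SAMPLE_ENDPOINTS_JSON)
    report = reachability_report(eps, timeout=1.0)
    if not report:
        print(f"all {len(eps)} endpoints reachable")
    for svc, problems in report.items():
        print(f"{svc}: unreachable {', '.join(problems)}")
```

Run it from a pod inside the mesh (for example via `kubectl exec` into a workload), not from an operator workstation: the requirement is pod-to-pod reachability, and a path that works from outside the cluster says nothing about the routes and filter rules the sidecars actually traverse.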