Service mesh provides observability, security, and traffic management for microservices without modifying application code. Istio 1.24+ (GA 2024) offers ambient mode as an alternative to sidecars, reducing resource overhead by 40-50%. It solves: (1) Zero-touch mTLS across 100+ microservices (impossible manually), (2) Unified observability (service graph, latency percentiles, error rates), (3) Traffic shifting without redeploying apps (faster iteration), (4) Standardized resilience patterns (retries, timeouts, circuit breakers). Essential for >20 microservices needing unified security/observability.
Istio Service Mesh FAQ & Answers
6 expert Istio Service Mesh answers researched from official documentation. Every answer cites authoritative sources you can verify.
Sidecar mode: Istio injects an Envoy proxy (1.29+) into each pod via a mutating admission webhook; the proxy intercepts all pod traffic through iptables rules. Resource overhead: 50-100MB memory per pod + 0.05-0.1 vCPU. Ambient mode (2024+): a Layer 4 ztunnel (zero-trust tunnel) runs per node instead of per pod, with opt-in Layer 7 waypoint proxies for advanced features. Resource reduction: 40-50% lower overhead (10-20MB per pod via the shared node proxy). 100-pod cluster: sidecars +5-10GB memory, ambient +1-2GB. Install: istioctl install --set profile=ambient (ambient) or --set profile=default (sidecar).
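How a namespace is enrolled in ambient mode and then given an opt-in waypoint, as an added example that is not from this page or from the Istio project. The namespace name payments and the waypoint name are constructed placeholders; the label keys, the istio-waypoint gateway class and port 15008/HBONE are Istio's own.

```yaml
# Added example (not from the page): enrol a namespace in ambient mode
# (Layer 4 ztunnel only), then opt in to a Layer 7 waypoint for its services.
# "payments" is a constructed placeholder namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # ztunnel on each node starts capturing this namespace's pods:
    # no pod restart, no sidecar injection.
    istio.io/dataplane-mode: ambient
    # Send service-addressed traffic through the waypoint declared below.
    # Omit this label to stay L4-only (mTLS + identity-based L4 policy, no HTTP features).
    istio.io/use-waypoint: waypoint
---
# A waypoint is a Kubernetes Gateway API resource using Istio's "istio-waypoint" class.
# This is the resource `istioctl waypoint apply -n payments` would generate.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: payments
  labels:
    # "service": proxy traffic addressed to Services in this namespace (the default);
    # other values are "workload", "all" and "none".
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008      # HBONE: HTTP/2 CONNECT tunnel that carries the mTLS traffic
    protocol: HBONE
```

Without the use-waypoint label the namespace gets mTLS and L4 (identity, port) authorization only; any policy that needs L7 attributes (HTTP method, path, JWT claims) needs a waypoint, because ztunnel cannot evaluate those attributes. Pods in the namespace keep running unchanged either way, which is the zero-touch property the overhead figures above rely on.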
Traffic management via VirtualService/DestinationRule CRDs: (1) Intelligent routing for A/B testing (10% traffic to v2), (2) Canary deployments (gradual 10%→50%→100%), (3) Circuit breaking (max connections, pending requests), (4) Retries with exponential backoff, (5) Timeouts. Example canary: VirtualService routes 90% to stable subset, 10% to canary subset based on weights, DestinationRule defines subsets by pod labels. P50 latency impact 0.5-1ms, P99 impact 1-2ms.
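The canary described above, written out as an added example (not from this page or the Istio project). The service and namespace names (reviews, bookinfo) and the label values are constructed placeholders; it also applies the conservative retry/timeout defaults the page recommends (3 retries, 15s timeout) and an outlier-detection circuit breaker.

```yaml
# Added example (not from the page): 90/10 canary with circuit breaking,
# retries and a timeout. Names are constructed placeholders.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
  namespace: bookinfo
spec:
  host: reviews.bookinfo.svc.cluster.local
  trafficPolicy:
    connectionPool:              # circuit breaking: bound concurrency per upstream
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 50
        maxRequestsPerConnection: 10
    outlierDetection:            # eject endpoints that keep failing
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
  subsets:                       # subsets select pods by label; both must exist
  - name: stable
    labels:
      version: v1
  - name: canary
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
  namespace: bookinfo
spec:
  hosts:
  - reviews.bookinfo.svc.cluster.local
  http:
  - route:                       # weights must sum to 100
    - destination:
        host: reviews.bookinfo.svc.cluster.local
        subset: stable
      weight: 90
    - destination:
        host: reviews.bookinfo.svc.cluster.local
        subset: canary
      weight: 10
    timeout: 15s                 # total budget across all attempts
    retries:
      attempts: 3
      perTryTimeout: 4s
      retryOn: 5xx,reset,connect-failure
```

Apply the DestinationRule before the VirtualService: a route that references a subset with no DestinationRule definition, or a subset whose labels match no pods, is the usual cause of the 503s mentioned later on this page. `istioctl analyze -n bookinfo` reports such dangling subset references before traffic is affected. Retries should only be enabled on idempotent operations; a retried POST can duplicate a side effect, so the perTryTimeout and total timeout together cap how long a failing request can occupy capacity.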
Security features: (1) Automatic mutual TLS encryption between all services (STRICT/PERMISSIVE modes), (2) Certificate rotation every 24h (default), (3) L7 authorization policies based on JWT claims, source identity, HTTP methods. Best practices: start with PERMISSIVE mTLS mode (validation period), enable strict mTLS after validation, use PeerAuthentication CRD to enforce mTLS policy. 2025 adoption: 35% of large enterprises use service mesh, financial services and healthcare lead adoption due to compliance requirements (audit trails, mTLS). Real-world: reduced security incidents 60% via authorization policies.
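The PERMISSIVE-then-STRICT rollout and an L7 authorization policy, as an added example that is not from this page or the Istio project. Namespace, workload, service-account and issuer names (payments, ledger, shop/checkout, auth.example.com) are constructed placeholders; the CRDs, fields and principal formats are Istio's own.

```yaml
# Added example (not from the page). Step 1, validation period: mesh-wide
# PERMISSIVE in the root namespace accepts both mTLS and plaintext.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE
---
# Step 2: once every caller of this namespace is in the mesh, enforce STRICT here.
# A namespace-scoped policy overrides the mesh-wide one for its workloads.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Step 3: validate end-user JWTs on the ledger workload. Issuer and JWKS URL
# are constructed placeholders.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: ledger-jwt
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  jwtRules:
  - issuer: "https://auth.example.com"
    jwksUri: "https://auth.example.com/.well-known/jwks.json"
---
# Step 4: allow only the checkout service account, presenting a JWT from that
# issuer with the ledger:write scope, to call GET/POST on the ledger API.
# Because an ALLOW policy now selects this workload, every other request to it is denied.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]   # SPIFFE identity from the mTLS cert
        requestPrincipals: ["https://auth.example.com/*"]   # <issuer>/<subject> from the JWT
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/v1/ledger/*"]
    when:
    - key: request.auth.claims[scope]
      values: ["ledger:write"]
```

Two checks worth doing before the STRICT step: confirm that no client outside the mesh (cron jobs, legacy VMs, in-cluster health checkers) still talks plaintext to the namespace, and confirm that the source.principal in the access logs of the target workloads is populated, since an empty principal under PERMISSIVE means the caller is not yet using mTLS. Note that RequestAuthentication alone only rejects invalid tokens; a request with no token still passes until an AuthorizationPolicy requires requestPrincipals, as the one above does.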
Observability: (1) Distributed tracing integration (Jaeger, Zipkin) with 1% default sampling rate (configurable), (2) RED metrics (Rate, Errors, Duration) exported to Prometheus, (3) Detailed access logs with request/response metadata. Provides complete service graph visibility showing all microservice communication patterns. Debugging requires understanding Envoy config (use istioctl proxy-config commands). Common pitfalls: misconfigured DestinationRule subsets cause 503 errors, VirtualService match order matters (first match wins), resource limits too low cause Envoy OOMKills.
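Changing the 1% default trace sampling and enabling access logs through the Telemetry API, as an added example that is not from this page or the Istio project. The provider name jaeger-otel, the collector address and the namespace are constructed placeholders; the envoy access-log provider name is Istio's built-in.

```yaml
# Added example (not from the page): declare an OpenTelemetry tracing backend in
# MeshConfig, then raise sampling to 10% and enable access logs for one namespace.
# "jaeger-otel", the collector address and "payments" are constructed placeholders.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
    - name: jaeger-otel
      opentelemetry:
        service: jaeger-collector.observability.svc.cluster.local
        port: 4317
---
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: payments-telemetry
  namespace: payments          # applies to every workload in this namespace
spec:
  tracing:
  - providers:
    - name: jaeger-otel        # must match the extensionProvider name above
    randomSamplingPercentage: 10
  accessLogging:
  - providers:
    - name: envoy              # built-in provider: Envoy access logs to stdout
```

A Telemetry resource in istio-system with no selector sets the mesh-wide default; a namespaced one overrides it, which is the usual pattern for raising sampling only on a service under investigation. Access logs include request paths and headers, so treat the log pipeline as sensitive data and keep retention and access to it under the same controls as the services themselves. When a 503 appears after a config change, `istioctl proxy-config routes <pod>` and `istioctl proxy-config clusters <pod>` show what Envoy actually received, which is faster than reasoning from the CRDs alone.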
Use Istio for: >20 microservices needing unified security/observability. Overkill for <10 services (use simpler ingress controller). Alternatives: Linkerd (Rust-based, 20MB memory per proxy, simpler but fewer features), Consul Connect (HashiCorp ecosystem), AWS App Mesh (managed, AWS-only). Best practices: (1) Start with ambient mode for new deployments (lower resource cost), (2) Set conservative retry/timeout defaults (max 3 retries, 15s timeout). 2025 adoption: ambient mode driving renewed interest due to lower cost vs traditional sidecar approach.