Date: 2017-05-25

IBM and Google on Wednesday launch Istio, an open technology that provides a way for developers to seamlessly connect, manage and secure networks of different microservices, regardless of platform, source or vendor.

Istio, the Greek word for ‘sail,’ is the result of a collaboration between IBM, Google and Lyft to support traffic flow management, access policy enforcement and telemetry data aggregation between microservices. It integrates these features without requiring developers to make changes to application code by building on earlier work from IBM, Google and Lyft.

Istio is being developed and maintained as open-source software. We encourage contributions and feedback from the community at large. Istio is not targeted at any specific deployment environment. During the initial stages of development, Istio will support Kubernetes-based deployments. However, Istio is being built to enable rapid and easy adaptation to other environments.

Istio features automatic zone-aware load balancing and failover for HTTP/1.1, HTTP/2, gRPC, and TCP traffic; fine-grained control of traffic behavior with rich routing rules, fault tolerance, and fault injection; a pluggable policy layer and configuration API supporting access controls, rate limits and quotas; automatic metrics, logs and traces for all traffic within a cluster, including cluster ingress and egress; and secure service-to-service authentication with strong identity assertions between services in a cluster.

As microservices scale dynamically, problems such as service discovery, load balancing and failure recovery become increasingly important to solve uniformly. The individual development teams manage and make changes to their microservices independently, making it difficult to keep all of the pieces working together as a single unified application. Often, we see customers build custom solutions to these challenges that are unable to scale even outside of their own teams.

Before combining forces, IBM, Google, and Lyft had been addressing separate, but complementary, pieces of the problem. IBM’s Amalgam8 project, a unified service mesh that was created and open sourced last year, provided a traffic routing fabric with a programmable control plane to help its internal and enterprise customers with A/B testing, canary releases, and systematic testing of the resilience of their services against failures.

Google’s Service Control provided a service mesh with a control plane that focused on enforcing policies such as ACLs, rate limits and authentication, in addition to gathering telemetry data from various services and proxies. Lyft developed the Envoy proxy to aid their microservices journey, which brought them from a monolithic app to a production system spanning over 10,000 virtual machines handling over 100 microservices. IBM and Google were impressed by Envoy’s capabilities, performance, and the willingness of Envoy’s developers to work with the community.

Istio has been designed to manage communications between microservices and applications. Without requiring changes to the underlying services, Istio provides automated baseline traffic resilience, service metrics collection, distributed tracing, traffic encryption, protocol upgrades, and advanced routing functionality for all service-to-service communication.

With Istio managing how traffic flows across their services, developers can focus exclusively on business logic and iterate quickly on new features. Istio also enables policy enforcement and mesh monitoring from a single centralized control point, independent of application evolution. As a result, operators can ensure continuous policy compliance through a simplified management plane.

The Istio project was started by teams from Google and IBM in partnership with the Envoy team from Lyft. It’s been developed fully in the open on GitHub. Istio is designed and built to be platform-independent. For our 0.1 release, however, Istio only supports environments running Kubernetes v1.5 or greater.

Istio converts disparate microservices into an integrated service mesh by introducing programmable routing and a shared management layer. By injecting Envoy proxy servers into the network path between services, Istio provides traffic management controls such as load-balancing and fine-grained routing. This routing mesh also enables the extraction of a wealth of metrics about traffic behavior, which can be used to enforce policy decisions such as fine-grained access control and rate limits that operators can configure. Those same metrics are also sent to monitoring systems.

This way, Istio offers improved visibility into the data flowing in and out of apps, without requiring extensive configuration and reprogramming to ensure all parts of an app work together smoothly and securely. Once it controls the communication between services, Istio can enforce authentication and authorization between any pair of communicating services. The communication is automatically secured via mutual TLS authentication with automatic certificate management, and work is under way to add support for common authorization mechanisms as well.