By Bahubali Shetti, Director of Public Cloud Solutions for VMware Cloud Services at VMware

Deploying and managing an application on Kubernetes, while easy in a single cluster configuration, becomes complex across clusters. Complexity surrounds not only application deployment but also management capabilities, such as monitoring, security, scale, and inter-service connectivity.

Istio simplifies the operation of micro-service based applications across Kubernetes clusters by enabling the following capabilities:

1. Traffic Management

  • Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic.
  • Fine-grained control of traffic behavior with rich routing rules, retries, A/B testing, canary releases, fail-overs, and fault injection.

2. Security

  • A pluggable policy layer and configuration API supporting access controls, rate limits and quotas.
  • Secure service-to-service communication in a cluster with strong identity-based authentication and authorization.

3. Observability

  • Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress.

Istio is designed to be part of the application deployment, through the use of a proxy per deployment. This proxy ensures enforcement of traffic rules, security policies and collects observability data (logs, metrics, tracing) from each deployment.
Once the application starts to scale, Istio will also scale, as long as proxies are deployed with each new replica. The interconnection of multiple micro-services with the appropriate traffic management, observability and security is what is called a Service Mesh.

Istio is a service mesh.

From’s site:

Service mesh is used to describe the network of microservices that make up such applications and the interactions between them. As a service mesh grows in size and complexity, it can become harder to understand and manage. Its requirements can include discovery, load balancing, failure recovery, metrics, and monitoring. A service mesh also often has more complex operational requirements, like A/B testing, canary releases, rate limiting, access control, and end-to-end authentication.

Istio Overview
There are other service mesh options in the eco-system:

  • Linkerd (CNCF)
  • Istio
  • Conduit

I work through installing Istio on VMware Cloud PKS “out of the box” and discuss how to ensure your application runs properly with Istio.

I will explore the best practices in installing Istio and properly building Docker images that run properly with Istio. The following two blogs cover these topics:


For questions and comments, please connect with me.
Baubali Shetti