Deployment Models

Important system models impact your overall Istio deployment model. This page discusses the options for each of these models and describes how you can configure Istio to address them.

Cluster models

The workload instances of your application run in one or more clusters. For isolation, performance, and high availability, you can confine clusters to availability zones and regions.

Production systems, depending on their requirements, can run across multiple clusters spanning a number of zones or regions, leveraging cloud load balancers to handle things like locality and zonal or regional fail over.

In most cases, clusters represent boundaries for configuration and endpoint discovery. For example, each Kubernetes cluster has an API Server which manages the configuration for the cluster as well as serving service endpoint information as pods are brought up or down. Since Kubernetes configures this behavior on a per-cluster basis, this approach helps limit the potential problems caused by incorrect configurations.

In Istio, you can configure a single service mesh to span any number of clusters.

Single cluster

In the simplest case, you can confine an Istio mesh to a single cluster. A cluster usually operates over a single network, but it varies between infrastructure providers. A single cluster and single network model includes a control plane, which results in the simplest Istio deployment.

A service mesh with a single cluster
A service mesh with a single cluster

Single cluster deployments offer simplicity, but lack other features, for example, fault isolation and fail over. If you need higher availability, you should use multiple clusters.

Multiple clusters

You can configure a single mesh to include multiple clusters. Using a multi-cluster deployment within a single mesh affords the following capabilities beyond that of a single cluster deployment:

  • Fault isolation and fail over: cluster-1 goes down, fail over to cluster-2.
  • Location-aware routing and fail over: Send requests to the nearest service.
  • Various control plane models: Support different levels of availability.
  • Team or project isolation: Each team runs its own set of clusters.
A service mesh with multiple clusters
A service mesh with multiple clusters

Multi-cluster deployments give you a greater degree of isolation and availability but increase complexity. If your systems have high availability requirements, you likely need clusters across multiple zones and regions. You can canary configuration changes or new binary releases in a single cluster, where the configuration changes only affect a small amount of user traffic. Additionally, if a cluster has a problem, you can temporarily route traffic to nearby clusters until you address the issue.

You can configure inter-cluster communication based on the network and the options supported by your cloud provider. For example, if two clusters reside on the same underlying network, you can enable cross-cluster communication by simply configuring firewall rules.

Network models

Many production systems require multiple networks or subnets for isolation and high availability. Istio supports spanning a service mesh over a variety of network topologies. This approach allows you to select the network model that fits your existing network topology.

Single network

In the simplest case, a service mesh operates over a single fully connected network. In a single network model, all workload instances can reach each other directly without an Istio gateway.

A single network allows Istio to configure service consumers in a uniform way across the mesh with the ability to directly address workload instances.

A service mesh with a single network
A service mesh with a single network

Multiple networks

You can span a single service mesh across multiple networks; such a configuration is known as multi-network.

Multiple networks afford the following capabilities beyond that of single networks:

  • Overlapping IP or VIP ranges for service endpoints
  • Crossing of administrative boundaries
  • Fault tolerance
  • Scaling of network addresses
  • Compliance with standards that require network segmentation

In this model, the workload instances in different networks can only reach each other through one or more Istio gateways. Istio uses partitioned service discovery to provide consumers a different view of service endpoints. The view depends on the network of the consumers.

A service mesh with multiple networks
A service mesh with multiple networks

Control plane models

An Istio mesh uses the control plane to configure all communication between workload instances within the mesh. You can replicate the control plane, and workload instances connect to any control plane instance to get their configuration.

In the simplest case, you can run your mesh with a control plane on a single cluster.

A service mesh with a control plane
A service mesh with a control plane

Multi-cluster deployments can also share control plane instances. In this case, the control plane instances can reside in one or more clusters.

A service mesh with two clusters sharing a control plane
A service mesh with two clusters sharing a control plane

For high availability, you should deploy a control plane across multiple clusters, zones, or regions.

A service mesh with control plane instances for each region
A service mesh with control plane instances for each region

This model affords the following benefits:

  • Improved availability: If a control plane becomes unavailable, the scope of the outage is limited to only that control plane.

  • Configuration isolation: You can make configuration changes in one cluster, zone, or region without impacting others.

You can improve control plane availability through fail over. When a control plane instance becomes unavailable, workload instances can connect to another available control plane instance. Fail over can happen across clusters, zones, or regions.

A service mesh after a control plane instance fails
A service mesh after a control plane instance fails

The following list ranks control plane deployment examples by availability:

  • One cluster per region (lowest availability)
  • Multiple clusters per region
  • One cluster per zone
  • Multiple clusters per zone
  • Each cluster (highest availability)

Identity and trust models

When a workload instance is created within a service mesh, Istio assigns the workload an identity.

The Certificate Authority (CA) creates and signs the certificates used to verify the identities used within the mesh. You can verify the identity of the message sender with the public key of the CA that created and signed the certificate for that identity. A trust bundle is the set of all CA public keys used by an Istio mesh. With a mesh’s trust bundle, anyone can verify the sender of any message coming from that mesh.

Trust within a mesh

Within a single Istio mesh, Istio ensures each workload instance has an appropriate certificate representing its own identity, and the trust bundle necessary to recognize all identities within the mesh and any federated meshes. The CA only creates and signs the certificates for those identities. This model allows workload instances in the mesh to authenticate each other when communicating.

A service mesh with a certificate authority
A service mesh with a certificate authority

Trust between meshes

If a service in a mesh requires a service in another, you must federate identity and trust between the two meshes. To federate identity and trust, you must exchange the trust bundles of the meshes. You can exchange the trust bundles either manually or automatically using a protocol such as SPIFFE Trust Domain Federation. Once you import a trust bundle to a mesh, you can configure local policies for those identities.

Multiple service meshes with certificate authorities
Multiple service meshes with certificate authorities

Mesh models

Istio supports having all of your services in a mesh, or federating multiple meshes together, which is also known as multi-mesh.

Single mesh

The simplest Istio deployment is a single mesh. Within a mesh, service names are unique. For example, only one service can have the name mysvc in the foo namespace. Additionally, workload instances share a common identity since service account names are unique within a namespace, just like service names.

A single mesh can span one or more clusters and one or more networks. Within a mesh, namespaces are used for tenancy.

Multiple meshes

Multiple mesh deployments result from mesh federation.

Multiple meshes afford the following capabilities beyond that of a single mesh:

  • Organizational boundaries: lines of business
  • Service name or namespace reuse: multiple distinct uses of the default namespace
  • Stronger isolation: isolating test workloads from production workloads

You can enable inter-mesh communication with mesh federation. When federating, each mesh can expose a set of services and identities, which all participating meshes can recognize.

Multiple service meshes
Multiple service meshes

To avoid service naming collisions, you can give each mesh a globally unique mesh ID, to ensure that the fully qualified domain name (FQDN) for each service is distinct.

When federating two meshes that do not share the same trust domain, you must federate identity and trust bundles between them. See the section on Multiple Trust Domains for an overview.

Tenancy models

In Istio, a tenant is a group of users that share common access and privileges to a set of deployed workloads. Generally, you isolate the workload instances from multiple tenants from each other through network configuration and policies.

You can configure tenancy models to satisfy the following organizational requirements for isolation:

  • Security
  • Policy
  • Capacity
  • Cost
  • Performance

Istio supports two types of tenancy models:

Namespace tenancy

Istio uses namespaces as a unit of tenancy within a mesh. Istio also works in environments that don’t implement namespace tenancy. In environments that do, you can grant a team permission to deploy their workloads only to a given namespace or set of namespaces. By default, services from multiple tenant namespaces can communicate with each other.

A service mesh with two isolated namespaces
A service mesh with two isolated namespaces

To improve isolation, you can selectively choose which services to expose to other namespaces. You can configure authorization policies for exposed services to restrict access to only the appropriate callers.

A service mesh with two namespaces and an exposed service
A service mesh with two namespaces and an exposed service

When using multiple clusters, the namespaces in each cluster sharing the same name are considered the same namespace. For example, Service B in the foo namespace of cluster-1 and Service B in the foo namespace of cluster-2 refer to the same service, and Istio merges their endpoints for service discovery and load balancing.

A service mesh with two clusters with the same namespace
A service mesh with clusters with the same namespace

Cluster tenancy

Istio supports using clusters as a unit of tenancy. In this case, you can give each team a dedicated cluster or set of clusters to deploy their workloads. Permissions for a cluster are usually limited to the members of the team that owns it. You can set various roles for finer grained control, for example:

  • Cluster administrator
  • Developer

To use cluster tenancy with Istio, you configure each cluster as an independent mesh. Alternatively, you can use Istio to implement a group of clusters as a single tenant. Then, each team can own one or more clusters, but you configure all their clusters as a single mesh. To connect the meshes of the various teams together, you can federate the meshes into a multi-mesh deployment.

Two isolated service meshes with two clusters and two namespaces
Two isolated service meshes with two clusters and two namespaces

Since a different team or organization operates each mesh, service naming is rarely distinct. For example, the mysvc in the foo namespace of cluster-1 and the mysvc service in the foo namespace of cluster-2 do not refer to the same service. The most common example is the scenario in Kubernetes where many teams deploy their workloads to the default namespace.

When each team has their own mesh, cross-mesh communication follows the concepts described in the multiple meshes model.