A service mesh abstracts network complexity from applications by deploying sidecar proxies alongside each service instance, centralizing cross-cutting concerns like encryption, load balancing, and telemetry.
Why it matters
- Enables consistent security policies (mTLS, authorization) across all services, provided every workload is actually enrolled in the mesh and enforcement is switched on; mesh defaults are often permissive, so this is a capability, not a guarantee.
- Provides deep observability with distributed tracing, metrics, and access logs.
- Simplifies traffic management with canary deployments, circuit breakers, and retries.
- Decouples infrastructure concerns from application logic, reducing developer burden.
Key concepts
- Sidecar Proxy: A lightweight proxy (typically Envoy) injected alongside each service instance and transparently intercepting its traffic; newer sidecarless modes (e.g. Istio ambient) move this interception to a per-node proxy instead.
- Data Plane: The collection of sidecar proxies handling actual service traffic.
- Control Plane: Centralized management components that configure the data plane.
- Service Discovery: Automatic detection of service instances and their endpoints.
- Traffic Policies: Rules for routing, load balancing, timeouts, and retries.
Core capabilities
- Security: Automatic mTLS encryption with workload identities (SPIFFE-style service-account identities), identity-based access control, and certificate issuance and rotation. mTLS only authenticates the peer; without an explicit authorization policy, any workload in the mesh can still call any other.
- Observability: Distributed tracing, golden signal metrics, access logging without code changes.
- Traffic Management: Canary releases, A/B testing, traffic mirroring, fault injection.
- Resilience: Circuit breakers, rate limiting, automatic retries with exponential backoff.
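The security capability above, as an added example using Istio's PeerAuthentication and AuthorizationPolicy resources. These manifests were written for this page to show the weak setting beside the hardened one; they are not taken from the Istio project or from the original article, and the `payments` and `frontend` namespaces, the `frontend` service account, the `app: payments-api` label and the `/v1/charges` path are assumed.

```yaml
# Mesh-wide peer authentication. Istio's default behaviour is PERMISSIVE:
# the sidecar accepts both mTLS and plaintext, so an unmeshed pod, or anyone
# with network reach to the pod IP, can still talk to a meshed workload in
# plaintext. Shown here for contrast only (commented out so this file applies
# cleanly); keep it only while migrating workloads into the mesh.
#
# apiVersion: security.istio.io/v1beta1
# kind: PeerAuthentication
# metadata:
#   name: default
#   namespace: istio-system   # root namespace: policy applies mesh-wide
# spec:
#   mtls:
#     mode: PERMISSIVE
---
# Hardened: STRICT makes every sidecar reject connections that are not mTLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# mTLS authenticates the caller but authorizes nothing. An AuthorizationPolicy
# with an empty spec denies all traffic to workloads in the namespace, giving
# the "payments" namespace (assumed) a default-deny posture.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# Then allow exactly one identity. The principal is the SPIFFE identity Istio
# issues from the Kubernetes service account: cluster.local/ns/<ns>/sa/<sa>.
# Namespace, service account, label and path are assumed for the example.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend-to-payments
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/frontend/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/v1/charges*"]   # trailing * is a prefix match in Istio
```

Two checks worth running after applying this: `istioctl analyze --all-namespaces` flags policy conflicts such as a second mesh-wide PeerAuthentication, and an in-cluster `curl` from a pod without a sidecar should now be refused rather than answered. STRICT mode only governs traffic that actually passes through the proxy; pods with excluded ports, `hostNetwork` pods and node-level processes bypass it, so pair the mesh policy with a Kubernetes NetworkPolicy that restricts who can reach the pod network at all.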
Popular service mesh options
- Istio: Feature-rich mesh with extensive policy capabilities (sidecar and sidecarless "ambient" modes); can be complex to operate.
- Linkerd: Lightweight mesh whose data-plane micro-proxy is written in Rust (the control plane is Go), focused on simplicity and performance.
- Consul service mesh (formerly Consul Connect): HashiCorp's mesh with strong service discovery and multi-datacenter support.
- AWS App Mesh: Managed service mesh for AWS workloads using Envoy; AWS has announced end of support (September 30, 2026), so new deployments should look elsewhere.
When to adopt
- Running dozens or hundreds of microservices that need consistent security and observability.
- Requiring zero-trust networking: automatic mTLS between all services combined with identity-based authorization policies (mTLS alone is transport security, not zero trust).
- Implementing sophisticated deployment strategies like canary releases.
- Needing deep traffic insights without instrumenting every application.
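The canary and resilience capabilities referred to above, as an added example using Istio's DestinationRule and VirtualService resources. These manifests were written for this page and are not taken from the Istio project or from the original article; the `shop` namespace, the `checkout` service, the `version: v1`/`version: v2` pod labels and the numeric limits are assumed.

```yaml
# Subsets split one Kubernetes Service into stable (v1) and canary (v2)
# backends by pod label; the trafficPolicy adds a circuit breaker.
# Service name, namespace, labels and limits are assumed for the example.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: checkout
  namespace: shop
spec:
  host: checkout.shop.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 100   # queue depth before fast-failing
        maxRequestsPerConnection: 10
    outlierDetection:                  # eject backends that keep failing
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50           # never eject more than half the pool
---
# Weighted routing sends 10% of requests to the canary. Retries are limited
# to connection-level failures: retrying on any 5xx would replay a POST that
# the server may already have processed (a duplicate charge, for a checkout).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: checkout
  namespace: shop
spec:
  hosts:
  - checkout.shop.svc.cluster.local
  http:
  - route:
    - destination:
        host: checkout.shop.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: checkout.shop.svc.cluster.local
        subset: v2
      weight: 10
    timeout: 5s
    retries:
      attempts: 2
      perTryTimeout: 2s
      retryOn: "connect-failure,refused-stream"
```

Promoting the canary is a matter of changing the two `weight` values (they must sum to 100); the sidecars pick up the new routing without redeploying either version. Because the mesh reports per-subset golden-signal metrics, the error rate and latency of `v2` can be compared with `v1` before the split is widened, which is the observability benefit the page describes without instrumenting the application.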