What is Istio and what are its top alternatives?
Istio is a popular open-source service mesh that helps connect, secure, control, and observe services within a network. Its key features include traffic management, security, observability, and policy enforcement. However, Istio can be complex to set up and manage: it requires a solid understanding of networking concepts and can add overhead to a microservices architecture.
- Linkerd: Linkerd is a lightweight service mesh designed to be beginner-friendly, with features like traffic management, security, and reliability. It has a strong focus on simplicity and ease of use. Pros: Easy setup, minimal resource consumption. Cons: Less feature-rich than Istio.
- Consul: Consul by HashiCorp is a service mesh and service discovery tool that provides service discovery, health checking, and key-value storage. It offers a robust solution for connecting and securing services. Pros: Built-in service discovery, decentralized architecture. Cons: Less focused on service mesh functionality than Istio.
- Kuma: Kuma is a modern service mesh with advanced traffic routing, observability, and security capabilities. It is designed to be both powerful and easy to use, making it a strong alternative to Istio. Pros: Multi-mesh support, native Kubernetes integration. Cons: Relatively new to the market.
- Consul Connect: Consul Connect is a feature of Consul that specifically focuses on service-to-service connectivity and security. It provides sidecar proxies for secure communication and traffic management. Pros: Deep integration with Consul, strong security features. Cons: May require familiarity with Consul.
- AWS App Mesh: AWS App Mesh is a fully managed service mesh that provides traffic management, observability, and security features for microservices running on AWS. It offers seamless integration with AWS services. Pros: Easy integration with AWS ecosystem, managed service. Cons: Limited to AWS environment.
- SuperGloo: SuperGloo is a service mesh management plane that simplifies the installation and management of multiple service meshes. It provides a unified control plane for different meshes and offers advanced features for traffic control and security. Pros: Multi-mesh management, integration with Istio and other meshes. Cons: Adds an additional layer of abstraction.
- Traefik Mesh: Traefik Mesh is a service mesh based on Traefik proxy that offers features like traffic splitting, load balancing, and SSL termination. It focuses on simplicity and ease of use for managing microservices. Pros: Lightweight, simple configuration. Cons: Limited feature set compared to other service meshes.
- NGINX Service Mesh: NGINX Service Mesh is built on top of NGINX and provides advanced traffic management, security, and monitoring capabilities for microservices. It offers a scalable and robust solution for service-to-service communication. Pros: High performance, deep integration with NGINX. Cons: Requires familiarity with NGINX.
- Pomerium: Pomerium is an identity-aware access proxy that can function as a lightweight service mesh for securing access to internal services. It provides features like access control, authentication, and encrypted communication. Pros: Identity-based access control, flexible deployment options. Cons: Limited in scope compared to full-fledged service meshes.
- Octarine: Octarine focuses on securing Kubernetes clusters and microservices by providing visibility, compliance, and threat detection capabilities. It integrates with Istio and other service meshes to enhance security posture. Pros: Kubernetes-native security, threat detection. Cons: More focused on security than traffic management.
Top Alternatives to Istio
- linkerd
linkerd is an out-of-process network stack for microservices. It functions as a transparent RPC proxy, handling everything needed to make inter-service RPC safe and sane--including load-balancing, service discovery, instrumentation, and routing. ...
- Envoy
Originally built at Lyft, Envoy is a high performance C++ distributed proxy designed for single services and applications, as well as a communication bus and “universal data plane” designed for large microservice “service mesh” architectures. ...
- Kubernetes
Kubernetes is an open source orchestration system for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the user's declared intentions. ...
- Conduit
Conduit is a lightweight open source service mesh designed for performance, power, and ease of use when running applications on Kubernetes. Conduit is incredibly fast, lightweight, fundamentally secure, and easy to get started with. ...
- Kong
Kong is a scalable, open source API Layer (also known as an API Gateway, or API Middleware). Kong controls layer 4 and 7 traffic and is extended through Plugins, which provide extra functionality and services beyond the core platform. ...
- AWS App Mesh
AWS App Mesh is a service mesh based on the Envoy proxy that makes it easy to monitor and control containerized microservices. App Mesh standardizes how your microservices communicate, giving you end-to-end visibility and helping to ensure high-availability for your applications. App Mesh gives you consistent visibility and network traffic controls for every microservice in an application. You can use App Mesh with Amazon ECS (using the Amazon EC2 launch type), Amazon EKS, and Kubernetes on AWS. ...
- Apigee
API management, design, analytics, and security are at the heart of modern digital architecture. The Apigee intelligent API platform is a complete solution for moving business to the digital world. ...
- Consul
Consul is a tool for service discovery and configuration. Consul is distributed, highly available, and extremely scalable. ...
Istio alternatives & related posts
- CNCF Project (3)
- Service Mesh (1)
- Fast Integration (1)
- Pre-check permissions (1)
- Light Weight (1)
related linkerd posts
related Envoy posts
We just launched the Segment Config API (try it out for yourself here) — a set of public REST APIs that enable you to manage your Segment configuration. Behind the scenes the Config API is built with Go, GRPC and Envoy.
At Segment, we build new services in Go by default. The language is simple so new team members quickly ramp up on a codebase. The tool chain is fast so developers get immediate feedback when they break code, tests or integrations with other systems. The runtime is fast so it performs great at scale.
For the newest round of APIs we adopted the GRPC service #framework.
The Protocol Buffer service definition language makes it easy to design type-safe and consistent APIs, thanks to ecosystem tools like the Google API Design Guide for API standards, uber/prototool for formatting and linting .protos, lyft/protoc-gen-validate for defining field validations, and grpc-gateway for defining REST mapping.
With a well-designed .proto, it's easy to generate a Go server interface and a TypeScript client, providing type-safe RPC between languages.
For the API gateway and RPC we adopted the Envoy service proxy.
The internet-facing segmentapis.com endpoint is an Envoy front proxy that rate-limits and authenticates every request. It then transcodes a #REST / #JSON request to an upstream GRPC request. The upstream GRPC servers are running an Envoy sidecar configured for Datadog stats.
The result is API #security, #reliability and consistent #observability through Envoy configuration, not code.
We experimented with Swagger service definitions, but the spec is sprawling and the generated clients and server stubs leave a lot to be desired. GRPC, .proto, and the Go implementation feel better designed and implemented. Thanks to the GRPC tooling and ecosystem you can generate Swagger from .protos, but it's effectively impossible to go the other way.
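To make the shape of that setup concrete, here is a minimal Go sketch of the kind of upstream GRPC server the post describes. The Workspaces service, its message types, and the generated registration function are hypothetical stand-ins for whatever the real Config API .proto generates; only the grpc-go calls (grpc.NewServer, Serve) are the library's actual API.

```go
package main

import (
	"context"
	"log"
	"net"

	"google.golang.org/grpc"

	// Hypothetical package generated by protoc from a Config API .proto;
	// the real Segment package and messages are not shown in the post.
	pb "example.com/segment/configapi/v1"
)

// workspacesServer implements the (hypothetical) generated WorkspacesServer interface.
type workspacesServer struct {
	pb.UnimplementedWorkspacesServer
}

// GetWorkspace is one RPC from the hypothetical service definition.
func (s *workspacesServer) GetWorkspace(ctx context.Context, req *pb.GetWorkspaceRequest) (*pb.Workspace, error) {
	// A real handler would read from a datastore; this just echoes the request.
	return &pb.Workspace{Name: req.GetName()}, nil
}

func main() {
	// The Envoy front proxy and sidecar described above would sit in front of
	// this listener, handling auth, rate limiting, and REST/JSON -> GRPC transcoding.
	lis, err := net.Listen("tcp", ":9090")
	if err != nil {
		log.Fatalf("listen: %v", err)
	}
	srv := grpc.NewServer()
	pb.RegisterWorkspacesServer(srv, &workspacesServer{})
	log.Fatal(srv.Serve(lis))
}
```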
At uSwitch we wanted a way to load balance between our multiple Kubernetes clusters in AWS to give us added redundancy. We already had ingresses defined for all our applications so we wanted to build on top of that, instead of creating a new system that would require our various teams to change code/config etc.
Envoy seemed to tick a lot of boxes:
- Load-balancing capabilities right out of the box: health checks, circuit breaking, retries, etc.
- Tracing and Prometheus metrics support
- Lightweight
- Good community support
This was all good, but what really sold us was the API that supports dynamic configuration. This would allow us to dynamically configure Envoy to route to ingresses and clusters as they were created or destroyed.
To do this we built a tool called Yggdrasil using Envoy's Go SDK. Yggdrasil effectively just creates Envoy configuration from Kubernetes ingress objects: you point Yggdrasil at your kube clusters, it generates config from the ingresses, and Envoy can then load balance between your clusters for you. This is all done dynamically, so as soon as a new ingress is created the Envoy nodes get updated with the new config. Importantly, this all worked with what we already had; there was no need to create new config for every application, we just put this on top of it.
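This is not the actual Yggdrasil code, but a minimal Go sketch of the first half of that pattern under stated assumptions: list Ingress objects from one cluster with client-go and build a host-to-upstream mapping. A real control plane (Yggdrasil presumably uses Envoy's xDS APIs via its Go SDK) would translate such a mapping into Envoy route and cluster resources; that part is omitted here. The kubeconfig path and cluster name are illustrative placeholders.

```go
package main

import (
	"context"
	"fmt"
	"log"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"
)

// routesFromIngresses builds a simple host -> cluster-name mapping from the
// Ingress objects in one cluster. A control plane could turn this into Envoy
// route/cluster config and push it to the proxies dynamically.
func routesFromIngresses(ctx context.Context, kubeconfig, clusterName string) (map[string]string, error) {
	cfg, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
	if err != nil {
		return nil, err
	}
	client, err := kubernetes.NewForConfig(cfg)
	if err != nil {
		return nil, err
	}
	ingresses, err := client.NetworkingV1().Ingresses(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
	if err != nil {
		return nil, err
	}
	routes := make(map[string]string)
	for _, ing := range ingresses.Items {
		for _, rule := range ing.Spec.Rules {
			if rule.Host != "" {
				// Every host served by this cluster's ingresses becomes a route
				// pointing at an upstream named after the cluster.
				routes[rule.Host] = clusterName
			}
		}
	}
	return routes, nil
}

func main() {
	routes, err := routesFromIngresses(context.Background(), "/path/to/kubeconfig", "cluster-a")
	if err != nil {
		log.Fatal(err)
	}
	for host, cluster := range routes {
		fmt.Printf("route %s -> %s\n", host, cluster)
	}
}
```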
Kubernetes
Pros of Kubernetes
- Leading Docker container management solution (166)
- Simple and powerful (129)
- Open source (107)
- Backed by Google (76)
- The right abstractions (58)
- Scale services (25)
- Replication controller (20)
- Permission management (11)
- Supports autoscaling (9)
- Simple (8)
- Cheap (8)
- Self-healing (6)
- Open, powerful, stable (5)
- Reliable (5)
- No cloud platform lock-in (5)
- Promotes modern/good infrastructure practice (5)
- Scalable (4)
- Quick cloud setup (4)
- Custom and extensibility (3)
- Captain of Container Ship (3)
- Cloud Agnostic (3)
- Backed by Red Hat (3)
- Runs on Azure (3)
- A self healing environment with rich metadata (3)
- Everything of CaaS (2)
- GKE (2)
- Golang (2)
- Easy setup (2)
- Expandable (2)
- Sfg (2)
Cons of Kubernetes
- Steep learning curve (16)
- Poor workflow for development (15)
- Orchestrates only infrastructure (8)
- High resource requirements for on-prem clusters (4)
- Too heavy for simple systems (2)
- Additional vendor lock-in (Docker) (1)
- More moving parts to secure (1)
- Additional Technology Overhead (1)
related Kubernetes posts
How Uber developed the open source, end-to-end distributed tracing system Jaeger, now a CNCF project:
Distributed tracing is quickly becoming a must-have component in the tools that organizations use to monitor their complex, microservice-based architectures. At Uber, our open source distributed tracing system Jaeger saw large-scale internal adoption throughout 2016, integrated into hundreds of microservices and now recording thousands of traces every second.
Here is the story of how we got here, from investigating off-the-shelf solutions like Zipkin, to why we switched from pull to push architecture, and how distributed tracing will continue to evolve:
https://eng.uber.com/distributed-tracing/
(GitHub Pages: https://www.jaegertracing.io/, GitHub: https://github.com/jaegertracing/jaeger)
Bindings/Operator: Python Java Node.js Go C++ Kubernetes JavaScript OpenShift C# Apache Spark
To meet employees' critical need for interactive querying, we've worked with Presto, an open-source distributed SQL query engine, over the years. Operating Presto at Pinterest's scale has involved resolving quite a few challenges, like supporting deeply nested and huge Thrift schemas, slow/bad worker detection and remediation, auto-scaling clusters, graceful cluster shutdown, and impersonation support for the LDAP authenticator.
Our infrastructure is built on top of Amazon EC2 and we leverage Amazon S3 for storing our data. This separates compute and storage layers, and allows multiple compute clusters to share the S3 data.
We have hundreds of petabytes of data and tens of thousands of Apache Hive tables. Our Presto clusters consist of a fleet of 450 r4.8xl EC2 instances. Presto clusters together have over 100 TB of memory and 14K vCPU cores. Within Pinterest, more than 1,000 monthly active users (out of 1,600+ total Pinterest employees) use Presto, running about 400K queries on these clusters per month.
Each query submitted to Presto cluster is logged to a Kafka topic via Singer. Singer is a logging agent built at Pinterest and we talked about it in a previous post. Each query is logged when it is submitted and when it finishes. When a Presto cluster crashes, we will have query submitted events without corresponding query finished events. These events enable us to capture the effect of cluster crashes over time.
Each Presto cluster at Pinterest has workers on a mix of dedicated AWS EC2 instances and Kubernetes pods. The Kubernetes platform gives us the ability to add and remove workers from a Presto cluster very quickly. The best-case latency for bringing up a new worker on Kubernetes is less than a minute. However, when the Kubernetes cluster itself is out of resources and needs to scale up, it can take up to ten minutes. Another advantage of deploying on Kubernetes is that our Presto deployment becomes agnostic of cloud vendor, instance types, OS, etc.
#BigData #AWS #DataScience #DataEngineering
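The submitted/finished event pairing described in this post lends itself to a simple matching pass. Here is a hedged Go sketch of that idea; the event fields are invented for illustration and are not Pinterest's actual Singer/Kafka schema.

```go
package main

import "fmt"

// QueryEvent is an invented, simplified stand-in for the query events logged
// to Kafka via Singer: one event when a query is submitted, one when it finishes.
type QueryEvent struct {
	QueryID string
	Kind    string // "submitted" or "finished"
}

// unfinishedQueries returns IDs of queries that were submitted but never
// finished, the signal used above to capture the effect of cluster crashes.
func unfinishedQueries(events []QueryEvent) []string {
	pending := make(map[string]bool)
	for _, e := range events {
		switch e.Kind {
		case "submitted":
			pending[e.QueryID] = true
		case "finished":
			delete(pending, e.QueryID)
		}
	}
	var ids []string
	for id := range pending {
		ids = append(ids, id)
	}
	return ids
}

func main() {
	events := []QueryEvent{
		{QueryID: "q1", Kind: "submitted"},
		{QueryID: "q1", Kind: "finished"},
		{QueryID: "q2", Kind: "submitted"}, // cluster crashed before q2 finished
	}
	fmt.Println(unfinishedQueries(events)) // [q2]
}
```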
related Conduit posts
- Easy to maintain (37)
- Easy to install (32)
- Flexible (26)
- Great performance (21)
- Api blueprint (7)
- Custom Plugins (4)
- Kubernetes-native (3)
- Security (2)
- Has a good plugin infrastructure (2)
- Agnostic (2)
- Load balancing (1)
- Documentation is clear (1)
- Very customizable (1)
related Kong posts
Hello :) We are using Datadog on Kong to monitor the metrics and analytics.
We feel that the cost associated with Datadog is high in terms of custom metrics and indexation. So we plan to find an alternative to Datadog, and we are looking into a Grafana implementation with Kong.
Will the shift from Datadog to Grafana be a wise move and flawless?
As for Kong's new support for the service mesh pattern, I wonder how it compares to Istio?
related AWS App Mesh posts
Pros of Apigee
- Highly scalable and secure API Management Platform (12)
- Good documentation (6)
- Quick jumpstart (6)
- Fast and adjustable caching (3)
- Easy to use (3)
Cons of Apigee
- Expensive (11)
- Doesn't support hybrid natively (1)
related Apigee posts
Amazon API Gateway vs Apigee. How do they compare as an API Gateway? What is the equivalent functionality, similarities, and differences moving from Apigee API GW to AWS API GW?
- Great service discovery infrastructure (61)
- Health checking (35)
- Distributed key-value store (29)
- Monitoring (26)
- High-availability (23)
- Web UI (12)
- Token-based ACLs (10)
- Gossip clustering (6)
- DNS server (5)
- Not Java (4)
- Docker integration (1)
- Javascript (1)
related Consul posts
As we've evolved or added additional infrastructure to our stack, we've biased towards managed services. Most new backing stores are Amazon RDS instances now. We do use self-managed PostgreSQL with TimescaleDB for time-series data—this is made HA with the use of Patroni and Consul.
We also use managed Amazon ElastiCache instances instead of spinning up Amazon EC2 instances to run Redis workloads, as well as shifting to Amazon Kinesis instead of Kafka.
Postmates built a tool called Bazaar that helps onboard new partners and handles several routine tasks, like nightly emails to merchants alerting them about items that are out of stock.
Since they ran Bazaar across multiple instances, the team needed to avoid sending duplicate emails to their partners by obtaining a lock across multiple hosts. To solve this challenge, they created and open sourced ConsulMutEx, an Elixir module for acquiring and releasing locks with Consul and other backends.
It works with Consul’s KV store, as well as other backends, including ets, Erlang’s in-memory database.
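ConsulMutEx itself is Elixir, but the underlying pattern is a session-backed lock on a Consul KV key. A minimal sketch of the same idea using the official hashicorp/consul/api Go client might look like the following; the key name is an arbitrary example, not something from the Postmates codebase.

```go
package main

import (
	"log"

	"github.com/hashicorp/consul/api"
)

func main() {
	// Connect to the local Consul agent with default settings.
	client, err := api.NewClient(api.DefaultConfig())
	if err != nil {
		log.Fatal(err)
	}

	// LockKey wraps a session-backed lock on a single KV key; only one holder
	// across all hosts can acquire it at a time.
	lock, err := client.LockKey("bazaar/nightly-email-lock") // example key
	if err != nil {
		log.Fatal(err)
	}

	// Lock blocks until the lock is acquired (or the stop channel fires).
	lostCh, err := lock.Lock(nil)
	if err != nil {
		log.Fatal(err)
	}
	defer lock.Unlock()

	// Do the work exactly once across the fleet, e.g. send the nightly emails.
	log.Println("lock held; sending nightly out-of-stock emails")
	_ = lostCh // in real code, watch this channel in case the lock is lost
}
```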