Istio vs Linkerd: The Best Service Mesh for 2023

Introduction to service mesh

A service mesh is an infrastructure layer to abstract network and security from applications for better manageability and implementation. Service mesh helps simplify the growing network complexities of distributed applications across cloud and container technologies. 

A service mesh is implemented using software proxies (sidecar proxies) deployed alongside applications or microservices. These sidecars facilitate service-to-service communication across the application stack. Because the sidecars abstract the network away from the application logic, security and traffic management can be handled from a central location. The fleet of sidecars is referred to as the data plane, whereas the component that manages the sidecars is called the control plane.

Recently, with the rise of cloud-native applications, Kubernetes infrastructure, and CI/CD processes, applications are being deployed rapidly into production. But ensuring the reliability and security of the network remains one of the biggest challenges. Hence more and more companies are evaluating and adopting service mesh software.

Top open-source software for service mesh 

Below are a few of the open-source service mesh projects listed in the CNCF landscape:

  1. Istio
  2. Linkerd
  3. Consul
  4. Open service mesh
  5. Network service mesh

But the two most popular service meshes are Istio and Linkerd. We will evaluate them and help you choose which makes more sense for you in 2023.

A quick introduction to Istio and Linkerd

Istio

Istio is an open-source service mesh platform that simplifies and secures traffic between microservices. Istio provides a dedicated infrastructure for traffic management, security, and observability, to help developers handle the network of microservices in Kubernetes and multiple clouds at scale.

Linkerd

Linkerd is a lightweight open-source service mesh software used to secure Kubernetes applications. Buoyant developed it. Linkerd provides security, traffic management, and visibility capabilities for all the microservices running in Kubernetes. 

How do Istio and Linkerd work?

Istio and Linkerd both offer a control plane and a data plane to implement a service mesh. While Istio provides Envoy proxy as the sidecar for the data plane, Linkerd uses Linkerd-2 proxy. Envoy proxy is widely used by over 1000 companies as of 2023 and receives contributions from 300+ companies.

Coming to the control plane, both service meshes have several components that make up the control plane. The Istio control plane (see Fig A) has sub-components such as Istiod, Pilot, Galley, and Citadel, while Linkerd has destination service, identity services, and proxy injector (see Fig B). The components of each service mesh perform similar activities: they push network policies to the proxies, manage security by issuing TLS certificates, and inject proxies with specific configurations into each service in a namespace.

Fig A: Istio architecture

Fig B: Linkerd architecture

Istio vs Linkerd: Feature-wise comparison

Engineering teams such as solution architects, cloud engineers, and platform engineers usually research service mesh software to find one suitable for managing the network of their modern infrastructure. We have chosen the top criteria for comparing Istio and Linkerd to help software engineering teams select the best service mesh software. The top 6 criteria for comparison are Traffic management, Security management, Observability, Supporting technologies, Performance & Scalability, and Community contributions.

Please read the high-level feature-wise comparison between Istio and Linkerd. 

Tabular comparison: Istio vs Linkerd

Istio vs Linkerd feature comparison

Traffic management: Istio manages the network better

Both service meshes provide basic load-balancing features such as traffic routing, splitting, retries, circuit breaking, etc. But Istio leads in traffic management capabilities for the following reasons:

  1. Istio supports VMs, whereas Linkerd does not. If you plan to implement a service mesh for a hybrid cloud with Kubernetes and VM workloads, then Istio would make more sense.
  2. Istio supports the HTTP/3 protocol and also provides advanced capabilities such as delay injection, while Linkerd does not. Istio will come in handy when developing a cutting-edge, resilient cloud application.
  3. With respect to front/edge proxy support, both Istio and Linkerd support third-party ingress such as NGINX, HAProxy, Ambassador, etc. But Istio provides its own Istio ingress gateway and allows configuring Envoy proxy as the gateway (read Envoy Gateway), so that developers and platform teams do not have to maintain yet another piece of software.
  4. Egress rules can be complicated in Linkerd (achieved through DNS and delegation tables (DTAB)), while in Istio you can use the same objects as for ingress, gateway and virtual service, to configure egress traffic.

Security management: Istio is highly secured with more integrations

Istio and Linkerd are known for their security implementation at L4 and L7 layers. They provide a stronger identity with mTLS and JWT-based authentication to allow you to control which traffic can reach your pods in the service mesh. 

But speaking from the enterprise implementation perspective, when it comes to integrating with external security providers, Istio does it very well. Istio provides more integrations to almost all authentication and authorization providers using OIDC connectors. 

For example, Istio provides connections with Google SSO, OAuth 2.0, SAML, and Okta for more robust authentication, and supports all the external certificate authority (CA) managers like AWS CA, Let's Encrypt, etc.

Observability: Istio and Linkerd are at par

Visibility and observability into network health and application performance are vital for taking action proactively. Both service meshes provide metrics, logs, and traces for understanding the performance and behavior of the network and application. Istio and Linkerd generate metrics such as latency, errors, saturation, etc., for HTTP and gRPC traffic. (Istio can provide traffic for HTTP/3, so there is capability here.) However, neither tool offers a UI for visualization; the data emitted can be seen from the CLI. So platform teams can access the information using either a Grafana dashboard or out-of-the-box vendor solutions.

Buoyant provides a web-based dashboard for Linkerd, and IMESH delivers an intuitive UI for Istio.

Scalability: Linkerd leads the pack but Istio is not far behind 

The performance of a service mesh highly depends on the version of the data plane. And data plane performance depends on multiple factors such as the number of connections, target request, request size, CPU core available, number of proxy filters, etc. Since Linkerd is built to handle lightweight use cases and handle Kubernetes load only, it consumes fewer resources.

Until early 2021, the heavy-weight Istio was known for its resource-intensive data plane, primarily due to the use of multiple filters. However, as per the assessment of the performance of Istio 1.6.8 in early 2021, there are excellent improvements in the data plane compared to its previous versions. The load test was conducted on 2000 Envoy proxies injected into 1000 services, allowing 70,000 requests per second.

If you are interested, you can check the details of the Istio load test.

Here are a few points summarizing the Istio performance and scalability test:

  1. The Envoy proxy uses 0.5 vCPU and 50 MB memory per 1000 requests per second going through the proxy. The 
  2. Since the Envoy proxy does not buffer the data in transit, the request and response rates do not affect the memory consumption.
  3. For the HTTP/1.1 protocol with mTLS enabled and a 1 KB payload at 1000 requests per second, Envoy proxies add 3.12 ms to the 90th percentile latency.

In Sep 2022, Istio launched Ambient Mesh, a faster and more powerful version to implement L4 security and L7 network management sequentially. The data plane of Istio Ambient Mesh is built in Rust with a new architecture; hence, it is supposedly fast. The project is in beta and will be GA for production usage by the end of 2023.

Community Support: Istio has 5X more contributions than Linkerd

Istio and the Envoy proxy are two open-source projects contributed to by 500+ organizations. Developers from large organizations such as Google, Microsoft, IBM, Lyft, Salesforce, SAP, etc., contribute heavily to Istio and Envoy proxy.

On the other hand, Linkerd has limited contributors and far fewer contributions made to the project. More than 80% of contributions are made by Buoyant (the founder of Linkerd).

Service mesh software | Git Contributions | Top contributors | Reference link
Istio | ~500,000 | Google, IBM, Red Hat, Salesforce, VMware, Intel, SAP, NetApp, Microsoft, HP | Click here
Linkerd | 120,000 | Buoyant | Click here

Conclusion

As the complexity of microservices on the cloud and Kubernetes increases, cloud architects and platform teams will adopt service mesh to simplify the network and security. Smaller organizations with fewer workloads hosted only on Kubernetes can use lightweight Linkerd service mesh. However, if an application with many microservices, spread across public clouds, serves high web traffic, then Istio with advanced features would make more sense. 

Commercial versions of Istio

To help you overcome the toil of learning and experimenting with Istio, IMESH provides enterprise versions of Istio. With IMESH, you can implement Istio for your cloud applications from Day-1 without any operational hassle. We provide:

  • Istio implementation into production
  • Training and onboarding of Istio
  • Istio lifecycle management with frequent patches and version upgrades
  • Enhancements like multi-cluster implementation in AKS/GKE/EKS, FIPS compliance
  • High-performance and Highly available Istio
  • Guaranteed SLAs for vulnerability fixes
Debasree Panda

Debasree is the CEO of IMESH. He understands customer pain points in cloud and microservice architecture. Previously, he led product marketing and market research teams at Digitate and OpsMx, where he had created a multi-million dollar sales pipeline. He has helped open-source solution providers (Tetrate, OtterTune, and Devtron) design GTM from scratch and achieve product-led growth. He firmly believes serendipity happens to diligent and righteous people.