Cisco Service Mesh Manager
What is Service Mesh Manager?
Service Mesh Manager helps you to confidently scale your microservices over single- and multi-cluster environments and to make daily operational routines standardized and more efficient. The componentization and scaling of modern applications inevitably leads to a number of optimization and management issues:
- How do you spot bottlenecks? Are all components functioning correctly?
- How are connections between components secured?
- How does one reliably upgrade service components?
Service Mesh Manager helps you accomplish these tasks and many others in a simple and scalable way, by leveraging the Istio service mesh and building many automations around it. Our tag-line for the product captures this succinctly:
Service Mesh Manager operationalizes the service mesh to bring deep observability, convenient management, and policy-based security to modern container-based applications.
What are the key features?
- Service Mesh Manager not only handles the automated installation, operation and upgrade of service mesh infrastructure, but also provides a rich, high-level, multi-modal user experience that eliminates the complexity associated with service meshes.
- High-level functionality, such as deep observability, Zero-Trust security, canary deployments, traffic routing, ingress / egress exposure, or fault injection can be conveniently managed and visualized through its user interface.
- Service Mesh Manager’s automation engine reduces the risk inherent in the performance of complex tasks such as canary upgrades of microservice components, thereby cutting operational risk and cost.
- The system provides a detailed real-time dashboard for debugging.
What does the Service Mesh Manager architecture look like?
Why is Service Mesh Manager using Istio?
Istio is still the most feature complete and mature service mesh solution by far. It may have its shortcomings, especially around complexity, but it has a great community around it that continuously works towards making it better. We also aim to solve some of these problems with Service Mesh Manager. One of the main use cases of Service Mesh Manager is the ability to connect multiple clusters even across different networks, and Istio has several flexible topologies for different use cases to achieve this.
What is the Cisco Istio operator?
We developed the open source Cisco Istio operator to solve the first tier of problems related to the installation, management and upgrade of the Istio infrastructure components. The operator continuously reconciles the state of the Istio components to keep them healthy, and facilitates multi-cluster federation. We offer community and paid support for the Istio operator.
Should I use Service Mesh Manager or the Istio operator?
The Cisco Istio operator is an open-source component of the commercial Service Mesh Manager product. In addition to the Cisco Istio operator, Service Mesh Manager:
- includes a battle-hardened Istio distribution,
- installs and manages the observability infrastructure, including Prometheus, Grafana, Jaeger
- provides a UI (Web UI, CLI, API) for developers and ops to easily observe and configure all the service mesh components
- picks up user roles from native Kubernetes RBAC
- provides UI-based automation to carry out complex management tasks such as canary upgrades, traffic routing, and so on.
All Service Mesh Manager features work in multi-cluster configurations as well, and a unified cross-cluster application view is provided.
How do I integrate Service Mesh Manager with my application?
After you’ve installed Service Mesh Manager, and want to put your application in the mesh, you need to inject a sidecar in the pods of your application. You can do that manually, or by enabling automatic injection for your namespaces, and restarting your pods. While in theory it’s usually that simple, we know that in practice an application can have some problems running a sidecar, and won’t behave the same anymore. We have a deep domain knowledge of Istio and have seen a lot of these problems. When integrating your application, we can help you overcome these issues.
What’s the overhead of Service Mesh Manager?
Most of the overhead of Service Mesh Manager is coming from Istio itself, and it’s there in two different layers.
- First, it has some CPU and memory resource requirements. It needs to have a control plane running in a cluster that handles the discovery of services, injects sidecars to pods, pushes down configuration to them, and manages certificates for handling service-to-service security.
- The sidecars themselves also consume some CPU and memory. If the mesh is configured properly, this overhead shouldn’t be significant.
- The second layer of the overhead appears in network requests. Because all traffic flows through Envoy proxies, it means 2 additional hops for every request, and that adds some minimal latency. Other than for a few very latency-critical applications, this shouldn’t be significant, but see latency overheads for details.
Should I worry about latency overheads?
In general, no. There is some latency overhead added for every request because of the sidecar proxies, but if the mesh is configured properly it shouldn’t be more than a few milliseconds. Per Istio’s own measurements, with 16 concurrent connections and 1000 RPS, Istio adds 3ms over the baseline (P50) when a request travels through both a client and server proxy. At 64 concurrent connections, Istio adds 7ms over the baseline, with Mixer disabled. There could be some latency critical applications where it matters, but for most apps it won’t make a difference.
How does Service Mesh Manager keep my mesh healthy?
Service Mesh Manager provides a few handy features to keep a mesh healthy. The most important of these is the mesh validation feature. Other than doing basic validation of Istio configuration, Service Mesh Manager analyses the whole mesh state and tries to find ambiguous or invalid configs. For example, a label selector that points to an invalid service, or there is some shadowed or ambiguous routing config present.
Service Mesh Manager also provides debugging features like tapping an Envoy proxy and analyzing requests. You can also keep track of real-time metrics on the dashboard and check if your latency or error rate values are increasing.
Is this a new abstraction layer over Istio?
No, we’ve designed Service Mesh Manager in a way that it doesn’t add a new abstraction layer. We thought that Istio is complicated enough in itself and it wouldn’t do any good introducing a few new CRDs. Service Mesh Manager can help you configure your mesh through a CLI or the dashboard, but those commands are always translated to plain old Istio CRs. Doing it this way enables Service Mesh Manager to be completely compatible with all Istio configuration changes. If you write Istio config directly, Service Mesh Manager will still be able to detect it, display it, and validate it properly.
Does Service Mesh Manager support GitOps?
Yes. Since there is no additional abstraction layer involved, Service Mesh Manager is able to interpret your Istio configurations. If your virtual services, service entries, and other Istio resources are deployed through a CI/CD flow, Service Mesh Manager will instantly parse them and display your configuration on the dashboard.