Skip to main content
Published 22 November 2025 — 3 min read

Getting Started with Istio Service Mesh

A practical introduction to Istio - traffic management, observability, and security for your Kubernetes microservices.

Table of Contents

As your microservices grow, managing service-to-service communication becomes complex. Istio helps tame this complexity.

What is a Service Mesh? #

A service mesh handles:

  • Traffic Management: Load balancing, routing, retries
  • Security: mTLS, authorization policies
  • Observability: Metrics, traces, logs

Istio implements this by injecting a sidecar proxy (Envoy) into each pod.

Installing Istio #

# Download Istio
curl -L https://istio.io/downloadIstio | sh -
cd istio-*

# Install with demo profile (good for learning)
istioctl install --set profile=demo -y

# Enable sidecar injection for your namespace
kubectl label namespace default istio-injection=enabled

Traffic Management #

Canary Deployments #

Route a percentage of traffic to a new version:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
    - myapp
  http:
    - route:
        - destination:
            host: myapp
            subset: v1
          weight: 90
        - destination:
            host: myapp
            subset: v2
          weight: 10
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: myapp
spec:
  host: myapp
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2

Header-Based Routing #

Route specific users to new versions:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
    - myapp
  http:
    - match:
        - headers:
            x-user-type:
              exact: beta-tester
      route:
        - destination:
            host: myapp
            subset: v2
    - route:
        - destination:
            host: myapp
            subset: v1

Retries and Timeouts #

Handle transient failures automatically:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
    - myapp
  http:
    - route:
        - destination:
            host: myapp
      timeout: 10s
      retries:
        attempts: 3
        perTryTimeout: 3s
        retryOn: 5xx,reset,connect-failure

Security #

Mutual TLS #

Enable mTLS mesh-wide:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT

Authorization Policies #

Control which services can communicate:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-policy
  namespace: default
spec:
  selector:
    matchLabels:
      app: orders
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/api-gateway"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/orders/*"]

Observability #

Kiali Dashboard #

Visualize your service mesh:

kubectl apply -f samples/addons/kiali.yaml
istioctl dashboard kiali

Distributed Tracing with Jaeger #

kubectl apply -f samples/addons/jaeger.yaml
istioctl dashboard jaeger

Your services need to propagate trace headers:

func handler(w http.ResponseWriter, r *http.Request) {
    // Propagate these headers to downstream calls
    headers := []string{
        "x-request-id",
        "x-b3-traceid",
        "x-b3-spanid",
        "x-b3-parentspanid",
        "x-b3-sampled",
        "x-b3-flags",
    }
    
    req, _ := http.NewRequest("GET", downstreamURL, nil)
    for _, h := range headers {
        if v := r.Header.Get(h); v != "" {
            req.Header.Set(h, v)
        }
    }
    // Make downstream call
}

Circuit Breaker #

Prevent cascading failures:

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: orders
spec:
  host: orders
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        h2UpgradePolicy: UPGRADE
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s
      maxEjectionPercent: 50

Production Considerations #

Resource Allocation #

Envoy sidecars consume resources:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/proxyCPU: "100m"
    sidecar.istio.io/proxyMemory: "128Mi"
    sidecar.istio.io/proxyCPULimit: "500m"
    sidecar.istio.io/proxyMemoryLimit: "256Mi"

Disable for Specific Pods #

Some workloads don’t need the mesh:

metadata:
  annotations:
    sidecar.istio.io/inject: "false"

Key Takeaways #

  1. Start with observability - understand your traffic before adding rules
  2. Use mTLS for zero-trust security
  3. Implement circuit breakers for resilience
  4. Canary deployments reduce deployment risk
  5. Monitor sidecar resource usage

Istio adds complexity but provides powerful capabilities for managing microservices at scale.