The API Gateway is based on Istio.
Istio is open-source software developed to implement a service mesh, so it is much more than a simple gateway. Splitting a monolithic application into many microservices makes each of them easier to develop and deploy, but it makes managing them as a whole far more complex, simply because of the number of microservices involved.
This complexity makes the correct handling of communication, load balancing, tracing and faults challenging, and an API gateway alone is often not enough to manage such a scenario. A service mesh, by contrast, is an infrastructure layer designed to manage this complex, microservice-based environment under high volumes of traffic. Some of the features it provides to make these environments manageable are:
- Load balancing: balances traffic on Layer 7 (HTTP request attributes) instead of only on the classic Layer 4 (TCP connections)
- Encryption: encrypts all requests and responses, both towards services and between services; the most widely used technology is mTLS (mutual TLS)
- Circuit breaker pattern: handles faults in microservice instances automatically
For its operation the service mesh relies on the logical separation between the “data plane”, where the traffic between services flows, and the “control plane”, where all logic and policies are kept. In practice, the service mesh creates a proxy for each microservice instance; within Kubernetes these proxies are called “sidecars”. The sidecar’s duty is to intercept all calls towards the microservice and apply the policies defined by the engine deployed in the control plane of the system.
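As an added example (not taken from the original page or from the Istio project), the following Kubernetes manifests switch on the three service-mesh features listed above, mTLS encryption, Layer-7 load balancing and a circuit breaker, for a hypothetical `orders` service in a hypothetical `shop` namespace; the namespace, service name, version labels and the `x-canary` header are assumptions. The sidecar proxies described in the paragraph above are injected by the namespace label in the first manifest; the other three are Istio custom resources that the control plane pushes to those sidecars.

```yaml
# Added example, not from the original page. "shop", "orders", the version
# labels and the x-canary header are assumed names for illustration.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    # Asks the control plane to inject the Envoy sidecar into every pod
    # created in this namespace, so all of its traffic passes through the mesh.
    istio-injection: enabled
---
# Encryption: require mTLS for every workload in the namespace. Istio's
# default is PERMISSIVE, which still accepts plaintext; STRICT rejects any
# peer that does not present a certificate issued by the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Circuit breaker and load-balancing policy for the orders service, plus the
# version subsets referenced by the VirtualService below.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: orders
  namespace: shop
spec:
  host: orders.shop.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL          # client side of mTLS with mesh certificates
    loadBalancer:
      simple: ROUND_ROBIN
    connectionPool:
      http:
        http1MaxPendingRequests: 100   # queue limit before requests are rejected
        maxRequestsPerConnection: 10
    outlierDetection:
      # Eject an instance after 5 consecutive 5xx responses, re-evaluated
      # every 10s, for at least 30s; never eject more than half of the pool.
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
---
# Layer-7 load balancing: route on an HTTP header (invisible to a Layer-4
# balancer) and split the remaining traffic 90/10 for a canary rollout.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: orders
  namespace: shop
spec:
  hosts:
    - orders.shop.svc.cluster.local
  http:
    - match:
        - headers:
            x-canary:
              exact: "true"
      route:
        - destination:
            host: orders.shop.svc.cluster.local
            subset: v2
    - route:
        - destination:
            host: orders.shop.svc.cluster.local
            subset: v1
          weight: 90
        - destination:
            host: orders.shop.svc.cluster.local
            subset: v2
          weight: 10
```

Apply the file with `kubectl apply -f`, then confirm the policy is in place with `kubectl get peerauthentication,destinationrule,virtualservice -n shop`. One caveat worth checking before switching to STRICT: any client that talks to the namespace without a sidecar (a scraper or a legacy service outside the mesh, for instance) will be refused once plaintext is no longer accepted, so either bring those clients into the mesh first or keep a narrower PERMISSIVE policy for the ports they use.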
The Istio architecture is shown in the figure below.
More specifically, the Istio architecture includes the following components:
- Proxy: based on the open-source Envoy proxy, written in C++.
- Mixer: enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxies and other services.
- Pilot: provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing (e.g. canary rollouts), and resiliency features (e.g. retries, circuit breakers).
- Citadel: enables strong service-to-service and end-user authentication with built-in identity and credential management.
- Galley: Istio’s configuration validation, ingestion, processing and distribution component.