Unraveling the Power of Istio Mesh on Amazon EKS

Authored by Ashish Kapoor, Kiran K, and Akshaya Parthiban

Istio simplifies establishing a network of deployed services, incorporating features such as load balancing, service-to-service authentication, monitoring, and beyond. To integrate Istio support into your services, you deploy a dedicated sidecar proxy across your environment. This proxy intercepts all network communication between microservices. Subsequently, you configure and oversee Istio using its control plane functionality, a comprehensive set of tools and interfaces that empower you to manage various aspects of your microservices architecture.

Challenges without Istio Mesh?

Without a mesh, the developer has to handle the following inside the application process itself:

  • Service Discovery and Load Balancing - Manual implementation is required, leading to complexity and potential errors.
  • Traffic Management - Lack of automated features like intelligent routing and canary releases.
  • Security - Need for individual implementation of security measures like mutual Transport Layer Security (TLS) and access control.
  • Observability - Absence of built-in monitoring, logging, and tracing tools, requiring integration of separate solutions.

Why Istio Mesh?

  • Service Connectivity: Istio facilitates communication between microservices by managing traffic routing and load balancing. It abstracts away the underlying network complexity, making it easier to build, deploy, and scale microservices.
  • Load Balancing: Istio automatically distributes incoming traffic across different instances of a service, ensuring that the load is evenly distributed. This helps optimize resource utilization and improves the overall performance and reliability of the system.
  • Security: Istio enhances the security of microservices by providing features like mutual TLS, which encrypts communication between services. It also offers fine-grained access control and authorization policies to protect against unauthorized access.
  • Observability: Istio provides tools for monitoring and tracing microservices. It collects telemetry data, such as metrics and distributed traces, which can be used for troubleshooting, performance analysis, and understanding the system behavior.

Prerequisites

  • AWS CLI and kubectl installed
  • Helm and Istio CLI (Istioctl) installed
  • Amazon EKS cluster

Step-by-step deployment

DOWNLOAD ISTIO

  • Using the curl -L command, download all of the essential Istio binary files:

curl -L https://istio.io/downloadIstio | sh -

  • cd into istio-1.11.1 in the terminal (the directory name changes with the version). Run export to add the istio binary to your PATH:

export PATH=$PWD/bin:$PATH

DEPLOY SAMPLE BOOK APPLICATION

  • Deploy the Bookinfo sample application:

kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

OPEN THE APPLICATION TO OUTSIDE TRAFFIC

INGRESS

By default, Istio exposes its ingress gateway through a standard load balancer (in AWS, a classic Application Load Balancer, or ALB). Instead of letting Istio build that load balancer, we change the ingress gateway service to ClusterIP so that an ALB we create ourselves can front it.

Before the ALB can be built, an AWS Ingress controller must be created in the cluster.

Refer to AWS Ingress controller for the steps to create the Ingress controller.

Next is the YAML manifest that creates the AWS ALB, which forwards all incoming traffic to the Istio ingress gateway.

Adjust the values (hostname, subnets, certificate ARN) to match your environment.

The Ingress resource configures an AWS ALB to route traffic to the "istio-ingressgateway" service in the "istio-system" namespace, perform health checks, and handle SSL termination and HTTP to HTTPS redirection. The Ingress is associated with a specific hostname and listens on both the HTTP and HTTPS ports (80 and 443, respectively).

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bookinfo-ingress
  namespace: istio-system
  annotations:
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
    alb.ingress.kubernetes.io/healthcheck-port: status-port
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/load-balancer-name: bookinfo-ingress
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: subnet-0c6, subnet-016
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789:certificate/as334
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    kubernetes.io/ingress.class: alb
spec:
  rules:
  - host: <hostname>
    http:
      paths:
      - backend:
          service:
            name: istio-ingressgateway
            port:
              number: 443
        path: /
        pathType: Prefix

The new ALB is formed, and in Route 53, update the domain to use the newly created ALB.

GATEWAY

The Istio Gateway configuration accepts incoming HTTPS traffic on port 443 at the Istio ingress gateway. Traffic is accepted for any host ("*"), and TLS is terminated using the certificate and private key stored in a Kubernetes Secret named "bookinfo-tls". The Gateway is named "book-gateway" and lives in the "istio-system" namespace, the namespace that normally holds the Istio control plane components.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: book-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: bookinfo-tls
      mode: SIMPLE

kubectl apply -f gateway.yaml

The request is received by the AWS load balancer, which then forwards it to the istio-ingressgateway service.
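The Ingress section above says the ingress gateway service is switched to ClusterIP, and the Gateway above references a Secret named bookinfo-tls, but neither step is shown. The following shell script is an added example (not from the original article) that performs both and adds one check a practitioner will want: the ALB health check annotation points at a Service port named status-port, so the script confirms that port name exists before the ALB is relied on. It assumes Istio's default names (Service istio-ingressgateway in istio-system) and the article's secret name bookinfo-tls; the cluster-side functions need kubectl access and only run when the script is invoked with `run cert.pem key.pem`.

```sh
#!/bin/sh
# Added example, not part of the original article. Assumed names: the
# gateway Service istio-ingressgateway in namespace istio-system (Istio
# defaults) and the TLS secret bookinfo-tls referenced by the Gateway.
set -eu

ISTIO_NS="${ISTIO_NS:-istio-system}"
GATEWAY_SVC="${GATEWAY_SVC:-istio-ingressgateway}"
TLS_SECRET="${TLS_SECRET:-bookinfo-tls}"

# JSON merge patch that turns the gateway Service into ClusterIP, so the ALB
# created from the Ingress (target-type: ip) is the only public entry point.
# Caveat: on older Kubernetes releases you may also have to null out
# spec.ports[*].nodePort when changing the type.
clusterip_patch() {
  printf '%s' '{"spec":{"type":"ClusterIP"}}'
}

# Decide whether a Service of the given type must be patched (0 = yes, 1 = no).
service_needs_patch() {
  case "$1" in
    ClusterIP) return 1 ;;
    LoadBalancer|NodePort) return 0 ;;
    *) echo "unexpected Service type: $1" >&2; return 2 ;;
  esac
}

# The Ingress annotations point the ALB health check at a port *named*
# status-port (/healthz/ready). Given the Service's port names, space
# separated as kubectl's jsonpath prints them, confirm that name exists;
# otherwise the ALB targets never become healthy and the site stays down.
has_status_port() {
  for name in $1; do
    [ "$name" = "status-port" ] && return 0
  done
  return 1
}

# Cluster-side step (needs kubectl access): patch the Service if required and
# verify the health check port before the ALB is created.
ensure_clusterip() {
  current=$(kubectl -n "$ISTIO_NS" get svc "$GATEWAY_SVC" -o jsonpath='{.spec.type}')
  if service_needs_patch "$current"; then
    kubectl -n "$ISTIO_NS" patch svc "$GATEWAY_SVC" --type merge -p "$(clusterip_patch)"
  fi
  ports=$(kubectl -n "$ISTIO_NS" get svc "$GATEWAY_SVC" -o jsonpath='{.spec.ports[*].name}')
  if ! has_status_port "$ports"; then
    echo "no status-port on $GATEWAY_SVC; the healthcheck-port annotation will not resolve" >&2
    return 1
  fi
}

# Create (or update) the TLS secret named by the Gateway's credentialName.
# It must live in the gateway's namespace, not the application's.
create_gateway_tls_secret() {
  cert="$1"
  key="$2"
  kubectl -n "$ISTIO_NS" create secret tls "$TLS_SECRET" --cert="$cert" --key="$key" \
    --dry-run=client -o yaml | kubectl apply -f -
}

if [ "${1:-}" = "run" ]; then
  ensure_clusterip
  create_gateway_tls_secret "${2:?path to certificate PEM}" "${3:?path to private key PEM}"
fi
```

The health check test is deliberately a name check rather than a port-number check: the annotation alb.ingress.kubernetes.io/healthcheck-port is given as the name status-port, so the ALB resolves it through the Service definition, and a gateway installed with a customised port list silently breaks that resolution.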

VIRTUALSERVICE

The VirtualService defines routing rules for several URIs, directing matching traffic to the "productpage" service within the Kubernetes cluster. Make sure the "productpage" service and the "book-gateway" Gateway are correctly set up and that Istio is properly configured, otherwise the routing has no effect. Also apply this VirtualService in the "istio-system" namespace, where the Gateway it binds to lives.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-virtualservice
  namespace: istio-system
spec:
  gateways:
  - istio-system/book-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.default.svc.cluster.local
        port:
          number: 9080

kubectl apply -f virtualservice.yaml

TRAFFIC FLOW WITHOUT mTLS

Mutual Transport Layer Security (mTLS) is an essential security feature provided by Istio for securing communication between services in a microservices architecture: both sides of a connection present a certificate, so each service is authenticated to the other and the traffic between them is encrypted.
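Istio only enforces mTLS when a PeerAuthentication policy asks for it; until then sidecars accept plaintext as well. The script below is an added example (not from the original article) that renders and applies a mesh-wide STRICT policy and then audits every PeerAuthentication in the cluster for namespaces that still allow plaintext. It assumes Istio's default root namespace istio-system and uses the conventional policy name "default"; the sample audit input is constructed for the offline check, and the cluster-side functions only run when the script is invoked with `apply`.

```sh
#!/bin/sh
# Added example, not part of the original article. Assumptions: the mesh
# root namespace is istio-system (Istio's default) and the policy is
# named "default", which is what makes it mesh-wide in the root namespace.
set -eu

ISTIO_ROOT_NS="${ISTIO_ROOT_NS:-istio-system}"

# Render a PeerAuthentication manifest. A policy named "default" in the root
# namespace applies to the whole mesh; in any other namespace it applies to
# that namespace only. MODE is STRICT (mTLS only) or PERMISSIVE (mTLS or
# plaintext, the rollout mode that must not be left behind).
render_peer_authentication() {
  ns="$1"
  mode="$2"
  printf 'apiVersion: security.istio.io/v1beta1\nkind: PeerAuthentication\nmetadata:\n  name: default\n  namespace: %s\nspec:\n  mtls:\n    mode: %s\n' "$ns" "$mode"
}

# Apply mesh-wide STRICT mTLS (needs kubectl access to the cluster).
apply_mesh_strict_mtls() {
  render_peer_authentication "$ISTIO_ROOT_NS" STRICT | kubectl apply -f -
}

# Dump every PeerAuthentication in the cluster as "namespace/name=MODE" lines.
list_peer_authentications() {
  kubectl get peerauthentication -A \
    -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}={.spec.mtls.mode}{"\n"}{end}'
}

# Read "namespace/name=MODE" lines on stdin and print every policy whose
# mode is not STRICT. An empty mode (UNSET, inherits from the parent) is
# reported too, because it does not guarantee mTLS on its own. Returns 1
# when at least one such policy exists, 0 when all are STRICT.
# Caveat: port-level overrides (spec.portLevelMtls) are not inspected here.
find_non_strict() {
  found=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "${line##*=}" in
      STRICT) ;;
      *) printf '%s\n' "$line"; found=1 ;;
    esac
  done
  return "$found"
}

# Audit entry point: exit non-zero if any policy weakens mTLS.
audit_mtls() {
  if list_peer_authentications | find_non_strict; then
    echo "all PeerAuthentication policies are STRICT"
  else
    echo "WARNING: the policies listed above still allow plaintext" >&2
    return 1
  fi
}

# Constructed sample of list_peer_authentications output for an offline check.
SAMPLE_POLICIES='istio-system/default=STRICT
default/legacy-db=PERMISSIVE
payments/default=STRICT'

if [ "${1:-}" = "apply" ]; then
  apply_mesh_strict_mtls
  audit_mtls
fi
```

Running `printf '%s\n' "$SAMPLE_POLICIES" | find_non_strict` prints only default/legacy-db=PERMISSIVE and returns 1, which is the shape you want from a scheduled audit job: a non-zero exit whenever a namespace-level exception has outlived its migration window.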

TRAFFIC FLOW WITH mTLS

Also, let's check our Bookinfo application in the browser:

Kiali

Kiali is an observability console for Istio with service mesh configuration and validation capabilities. It helps you understand the structure and health of your service mesh by monitoring traffic flow to infer the topology and report errors. Install Kiali and the other addons and wait for them to be deployed.

kubectl apply -f samples/addons
kubectl rollout status deployment/kiali -n istio-system

Access the Kiali dashboard.

istioctl dashboard kiali

Check kiali UI:

The Kiali dashboard shows an overview of your mesh with the relationships between the services in the Bookinfo sample application. It also provides filters to visualize the traffic flow.

Look out for part two of this blog on Canary and Blue-Green Deployments on Amazon EKS with Istio. For more information on our cloud and DevOps consulting services, please visit our website or write to us at [email protected].
