Service Mesh

Architecture & Deployment

Infrastructure layer for service-to-service communication via sidecars

Core Idea

Delegate mTLS, retries, timeouts, circuit breaking, traffic shaping, and telemetry to a data-plane proxy with a centralized control plane.

When to Use

When you have many services requiring uniform policies, mTLS, and advanced L7 routing with rich observability.

Recognition Cues
Indicators that this pattern might be the right solution
  • Inconsistent networking policies across services
  • Desire for zero-trust mTLS and authZ
  • Complex traffic policies (canary, mirroring, locality)

Pattern Variants & Approaches

Overview
Sidecar proxies handle mTLS, retries, and telemetry; a control plane distributes policy and certs.

Overview Architecture

Diagram: Service A <-> Sidecar A over localhost; Sidecar A == mTLS == Sidecar B; Sidecar B <-> Service B over localhost; Control Plane -> both sidecars (policy, certs)

When to Use This Variant

  • Uniform networking/security
  • Advanced L7 traffic control
  • Zero-trust requirements

Use Case

Large fleets of microservices needing consistent traffic policy and observability.

Advantages

  • Consistent policy
  • Powerful traffic features
  • Built-in telemetry

Implementation Example

# Mesh high-level
svcA <-> sidecarA ==mTLS== sidecarB <-> svcB
control-plane -> sidecars (policy, certs)

Tradeoffs

Pros

  • Uniform networking and security policies
  • Powerful traffic shaping and resiliency
  • Built-in telemetry and tracing context

Cons

  • Latency/resource tax per hop
  • Steep operational learning curve
  • Not needed for simple architectures

Common Pitfalls

  • Increased latency and resource overhead
  • Operational complexity and upgrade burden
  • Overlapping responsibilities with gateways
  • Misconfigured retries causing amplification
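
The retry-amplification pitfall above, as an added example that is not part of the original page: a constructed model in which each hop's sidecar retries a failed downstream call (as a per-route retry policy would), showing why retries at every hop multiply load on a failing leaf and why retries belong at a single hop or under a retry budget. The chain, hop names and failure counts are assumptions.

```python
"""Constructed model of retry amplification across mesh hops (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    """One service whose sidecar retries failed downstream calls."""
    name: str
    retries: int  # extra attempts after the first; 0 disables retries

class Leaf:
    """Constructed leaf service that returns 5xx for its first `failures` calls."""

    def __init__(self, failures):
        self.failures = failures
        self.calls = 0

    def handle(self):
        self.calls += 1
        return self.calls > self.failures  # True = success, False = 5xx

def send(chain, depth, leaf):
    """Deliver one request to hop `depth`; its sidecar retries on failure."""
    if depth == len(chain):
        return leaf.handle()
    for _ in range(chain[depth].retries + 1):
        if send(chain, depth + 1, leaf):
            return True  # a success stops the retry loop at this hop
    return False

def leaf_calls(chain, failures):
    """Calls that reach the leaf for ONE client request at the head of the chain."""
    leaf = Leaf(failures)
    send(chain, 0, leaf)
    return leaf.calls

def worst_case_bound(chain):
    """Closed form for a fully down leaf: product over hops of (retries + 1)."""
    bound = 1
    for hop in chain:
        bound *= hop.retries + 1
    return bound

if __name__ == "__main__":
    naive = [Hop("A", 3), Hop("B", 3), Hop("C", 3)]      # retries at every hop
    edge_only = [Hop("A", 3), Hop("B", 0), Hop("C", 0)]  # retries only at the edge
    print(leaf_calls(naive, float("inf")), worst_case_bound(naive))  # 64 64
    print(leaf_calls(edge_only, float("inf")))                        # 4
    print(leaf_calls(naive, 2))  # transient blip: 3 calls, retries do their job
```

With a three-hop chain and three retries per hop, one client request becomes 64 calls against a dead leaf; keeping retries at one hop caps that at 4 while still masking a transient failure.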

Design Considerations

  • Incremental rollout and opt-out for simple paths
  • Policy-as-code and versioned traffic rules
  • Golden signals before/after rollout
  • Budget sidecar CPU/memory and tune pools
  • mTLS identity, cert rotation, and revocation

Real-World Examples

  • Istio: mTLS, traffic policy, telemetry via Envoy. Typical context: large K8s clusters
  • Linkerd: lightweight, secure service mesh. Typical context: latency-sensitive services
  • Consul: mesh + service discovery across platforms. Typical context: hybrid/multi-cloud

Complexity Analysis

Scalability

Per-pod sidecars; centralized control plane

Implementation Complexity

High - mesh operations and policy management

Cost

Medium to High - per-pod sidecar resource overhead