Getty Images/iStockphoto

DevOps teams seek service mesh help from network platform

Service mesh users including T-Mobile and Constant Contact have deployed's application networking platform to cope with overwhelming operational complexity.

Enterprises under pressure to deploy cloud-native applications face daunting complexity from the network architectures such apps require, and some have bought into vendors' service mesh platforms to help.

Kubernetes container orchestration and microservices have become the new status quo as enterprises digitally transform. Microservices apps are distributed across a network of machines, upending traditional network management conventions and intensifying scrutiny on network performance, security and resiliency. These trends helped to popularize the service mesh architecture in microservices environments, which offer precise control of network paths and can gather deeper observability data than networks.

Istio, an open source service mesh created by IBM, Google and Lyft, and its associated Envoy sidecar proxy project offer sophisticated network automation and security features, but their operational complexity has created opportunities for more accessible alternatives such as Linkerd, HashiCorp Consul, F5 and Kong.

However, as Kubernetes deployments evolved from single clusters into multiple clusters spanning multiple data centers, more layers of network automation became necessary to link them together. Then, a wave of increasingly serious cyber attacks prompted new regulations, including a 2021 presidential executive order that mandated the rollout of zero-trust architectures. Istio, for all its complexity, can facilitate high-scale multi-cluster management and has had strong security advantages since its inception.

"[Security is] what's driving a lot of enterprises to make very quick decisions to adopt service mesh," said Louis Ryan, one of the co-creators of Istio at Google, in a keynote presentation at SoloCon this week. "They want mTLS [mutual Transport Layer Security] and zero-trust capabilities, and ... the cost of maintaining [strong security is much higher than for] observability, traffic management and application frameworks. ... So people are looking for off-the-shelf solutions." turns heads amid service mesh struggles

Most mainstream companies lack the in-house technical expertise to manage the raw open source version of Istio. That gap between tech features and expertise presents a ripe opportunity for IT vendors such as Istio-based network platform startup Over the last year, has amassed about 100 customers, including USAA, Chick-fil-A, T-Mobile and Constant Contact, as well as a $135 million series C funding round and a $1 billion valuation.

If we took the same amount of money that we would allocate to an enterprise agreement with and hired engineers, would we be able to achieve the same product with the same complexity meeting all of our hard requirements ... and [do it] as well?
Thomas HowardCloud networking lead, Invitae

"If we took the same amount of money that we would allocate to an enterprise agreement with and hired engineers, would we be able to achieve the same product with the same complexity meeting all of our hard requirements ... and [do it] as well?" said Thomas Howard, cloud networking lead at Invitae, a biotech company in San Francisco, during a keynote presentation this week at the SoloCon virtual conference. "Would we have access to the same very highly technical domain-specific knowledge [that we get] from the engineers at And would we be able to retain them on a permanent basis?"

For Howard, whose company deployed's Gloo Mesh Enterprise after struggling with AWS App Mesh, the answer to all of those questions was no.

"AWS App Mesh ... was simple, relatively easy to use and well integrated," he said. "The blockers that we faced came down to ... edge cases related to external authorization and our federated trust model we're trying to implement with Spiffe and Spire, and we found that we weren't getting the [access] that we needed to Envoy [within AWS App Mesh] to implement that."

Gloo Mesh Enterprise offered a balance between access to Istio and Envoy APIs, where Invitae needed to customize certain components, and a packaged experience that made it easier for Howard's company to deploy mTLS and automate authentication and authorization between microservices, with the eventual goal of implementing zero trust.

Gloo Mesh Enterprise 2.0, API updates smooth multi-tenancy

The first version of Gloo Mesh Enterprise, which became generally available in early 2021, seemed promising to T-Mobile, which had also deployed's Gloo Edge API gateway. But this week's Gloo Mesh Enterprise 2.0 added multi-tenancy features that the mobile carrier was waiting for before it was willing to put the product into production.

Joe Searcy, member of technical staff, distributed systems, T-MobileJoe Searcy

"We've been in a holding pattern with our existing upstream, generic vanilla open source Istio configurations, [waiting for] a service mesh that exists in a logical context that can go across multiple Kubernetes clusters, and manage and orchestrate configurations for end users," said Joe Searcy, a member of T-Mobile's distributed systems technical staff, in an interview this week.

Gloo Mesh Enterprise 2.0 introduced the concept of workspaces, a set of logical boundaries that can be jointly provisioned and maintained by IT operations, platform engineering, application management and software development teams, and shared among multiple Kubernetes clusters. Platform operators can grant application owners and developers specific access to Kubernetes infrastructure, along with editing permissions. Gloo Mesh Enterprise then automatically keeps underlying physical clusters in sync with administrators' traffic management and security policies as applications change.

"[Developers] aren't having to manage their service mesh configurations on cluster B as separate artifacts from cluster A or cluster C -- they manage one artifact," Searcy said. "And Gloo Mesh sort of helped figure out what it needs to look like in each cluster on their behalf. There's a huge operational overhead that's being removed."

Move over DevOps platforms, here come network platforms

The abstraction of infrastructure into logical services that developers can directly access is in keeping with broader industry trends toward DevOps platforms. Products such as Red Hat OpenShift, VMware Tanzu and cloud provider services such as Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS) also offer integrated sets of components that can be managed by multiple IT and developer teams, some of which also encompass service mesh.

"We're seeing consolidation from almost every technology sector at this point, driven as much by customers' demands for a better developer experience and fewer commercial relationships to traverse as by commercial vendors seeing adjacent market opportunities," said Stephen O'Grady, an analyst at RedMonk.

Network platforms aren't necessarily mutually exclusive to DevOps platforms, but for some large enterprises, a separate network platform such as lets them avoid lock-in with any infrastructure provider's network stack.

"We use Gloo Mesh on EKS, OpenShift and soon GKE," said David Ortiz, principal software engineer at martech company Constant Contact, in an online interview following his SoloCon presentation this week. "One of the reasons multi-cluster was such an early requirement for us is that we needed a way to make it so workloads could communicate with and ideally be moved between them. ... We're trying to stay away from doing things specific to any cloud providers."

Screenshot of David Ortiz's SoloCon presentation
David Ortiz, principal software engineer at Constant Contact, presents on his company's service mesh strategy at SoloCon 2022.

Still, some of the vertical integration that provides within the network layer, such as Gloo Edge, which combines the functions of an API gateway, a Kubernetes ingress controller and an Istio gateway, is also welcome, Ortiz said. isn't alone in targeting customers that seek help with service mesh. Kong Mesh is part of a broader platform that also includes the Kong API gateway and offers multi-cluster management features. Linkerd, which prioritized simplicity in earlier versions over some of the finer points of multi-tenant service mesh security, has caught up in recent releases, including this week's early-stage support for multi-cluster automated failover, slated for general availability within the upcoming version 2.12.

"You can see how a consolidation and simplifying effort is playing out at and other vendors, including but not limited to integration of ingress and API gateways with service mesh, support for VMs, improved UIs and observability, and better workload protection and isolation to support multi-tenancy," said Brad Casemore, an analyst at IDC. "There's still healthy competition in the service mesh market, but the Istio camp, including, has definitely worked hard to simplify deployment and use of the technology, and that is beginning to pay tangible dividends."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

Next Steps

What we can learn from the top DevOps articles of 2022

Istio service mesh doyen departs Google, touts Ambient Mesh

Dig Deeper on Containers and virtualization

Software Quality
App Architecture
Cloud Computing
Data Center