Google and Solo.io today announced the next evolution of the Istio service mesh. Dubbed the "Ambient Mesh," this new framework does away with Istio’s sidecar-centric architecture and replaces it with a sidecar-less approach that promises to improve the service’s security posture and make it easier for new users to adopt the technology by reducing the resources needed to run it.
Service meshes are a critical piece of infrastructure for a lot of companies that aim to be (or become) cloud native. With hundreds or more microservices, all running in a variable number of containers, businesses need a way to track what’s running in their networks and ensure connectivity between all of these services. A simple IP address doesn’t cut it when you’re constantly spinning containers up and down, after all. There are a number of competing service mesh projects, but Istio, which Google recently donated to the Cloud Native Computing Foundation (CNCF), has become somewhat of a standard.
The new Ambient Mesh will be an optional feature, but in a joint interview before today’s announcement, both Google principle engineer Louis Ryan and Solo.io CEO and founder Idit Levine noted that they expect a lot of new users to opt for the Ambient Mesh approach.
“In a lot of environments, everybody is using [Istio] at crazy scale. But we wanted to figure out how to improve adoption,” Levine said. “What we learned from our customers is that we want to make the operational side of Istio better. It’s not bad right now, but we want to make it even better. We want to make sure that performance will get even better and we want to improve anything related to cost.”
Both Google and Solo started their own projects to address some of these issues but soon realized that they were both working toward the same goal and decided to combine their resources. Ryan stressed that Google had put a lot of emphasis on the security aspects of this new solution when it started working on this project.
“We’re very deliberate about what we do. We don’t make wild claims unless we can back them up — and in particular, Google is extremely security-conscious,” he said. “A big part of what services mesh is trying to do is solve security problems for people. We saw this operational friction that we wanted to help customers with. We also wanted to make sure that we didn’t lose any of the security properties of the system when we did.”
He noted that Solo brought a lot of the operational perspective to this project as the two teams worked together to develop this new framework.
Both Levine and Ryan stressed that this is an evolutionary step for Istio. The current way the system works won’t change — at least for the foreseeable future. Users can even mix and match the current sidecar approach with the sidecar-less Ambient Mesh if that’s what they want to do.
“We’ve done a lot of internal evaluations about security, but we want to let the community work through this and get feedback,” Ryan noted. “If people are comfortable with the existing security model and sidecars, they need time to get comfortable with a different — or slightly different — security posture. It’s my belief that the security posture of Ambient is at least as good as sidecar, if not better, but the community is going to need time to wrap its head around it and give us feedback and for us to react.”
Solo’s Levine meanwhile stressed that her team focused on the operational aspects of this new approach, from installing the mesh to updating it and the day-to-day operations of it. She noted that when Solo showed its new approach to customers, most wanted to start using it right away. “They were: ‘oh my god.’ And that was in terms of the operations and everything related to usability. How you install the mesh, upgrade the mesh — for that, Ambient is amazing. It’s really what we wanted to build — a service mesh that’s transparent to the application. You can apply resources, you can delete the mesh — the application doesn’t even know that it’s there. And I think that’s a big point for Ambient.”
When a platform owner now installs Ambient into a cluster, the existing applications just keep on running. As Ryan noted, you then tell the system that you want a given application to be part of the mesh and that’s it. There are no restarts and, of course, no need to inject any sidecars. And if there’s an update to Istio, the applications don’t even notice.
“The biggest enemy of service mesh adoption has always been complexity,” said Joe Searcy, a member of the technical staff at T-Mobile. “The resource and operational overhead to manage service mesh for a large enterprise has continued to make service mesh adoption cumbersome even as projects like Istio have worked to decrease complexity. The opportunities that Ambient Mesh provides are extremely exciting. With better transparency to applications, fewer moving parts, simpler invocation, and huge potential in savings of compute resources and engineering hours…all I can say is: Sign me up!“
Ambient Mesh is now available as a beta to Solo customers and will become generally available once the company launches its Gloo Mesh 2.1. And, of course, it’s also part of the Istio open source project.