tolgacelik.net
All posts
·3 min read

Istio Service Mesh in Practice: What It Does and Doesn't

We brought Istio into production during our 2023 Kubernetes migration. A year in, here's what actually delivers value versus what's sold but we don't use — a field report.

istioservice-meshkubernetesmtlsproduction

Istio is one of the most argued-about tools in the Kubernetes world. Some people say "it saves lives"; others say "overkill, operational burden." I've been running it in production for a year. Here's what really pays off and what we've explicitly stayed away from.

Why we picked it up

During the 2023 Kubernetes migration we chose Istio as the primary service mesh. The drivers:

  • Service-to-service mTLS — a security team requirement. No plaintext traffic inside the cluster.
  • Canary deploy / traffic shifting — start a new version at 5% traffic
  • Observability in one place — don't bolt Prometheus/Jaeger integrations into each service by hand
  • Rate limiting and circuit breaking — between-service protection

All four are real wins. Doing them service by service is possible but expensive — every new service repeats the same boilerplate.

What we actually use

1. mTLS

With PeerAuthentication and DestinationRule resources, all inter-service traffic is TLS-encrypted. No service has to set up SSL on its own calls. This alone justifies much of Istio's cost.

Security team happy, compliance happy, developers "we don't even notice" happy.

2. Traffic splitting

Using VirtualService, sending "5% traffic to the new version" is a YAML change. In the previous setup (old reverse proxy layer) this took days. With Istio, 30 seconds.

Especially in a multiplayer game backend — where a regression directly loses players — canary deploy is genuinely valuable.

3. Resilience policies

Each upstream service gets a DestinationRule with connection pool, circuit breaker, and outlier detection settings. Example:

outlierDetection:
  consecutive5xxErrors: 5
  interval: 30s
  baseEjectionTime: 60s

Translation: if an instance returns five 5xx responses within 30 seconds, quarantine it for 60 seconds. This ended an entire class of "one pod is misbehaving, why?" incidents in our platform.

4. Tracing

Istio sidecars add spans automatically. "Which services did this request cross?" is one click away for everyone in Jaeger.

This especially collapsed the "where is the latency coming from?" diagnosis during incidents from 30 minutes to 2 minutes.

What we deliberately avoid

1. Authorization policies (complex RBAC)

Istio's AuthorizationPolicy is rich — "this service only accepts requests from that namespace with this JWT" is expressible. But we already do auth at the application layer. Auth logic in two places is double the bugs.

Rule: auth in the app, network isolation in Istio. Keep layers separate.

2. Traffic splitting for A/B tests

Because Istio traffic splitting is so easy, the temptation is "A/B test, C/D test, run everything through Istio." We resisted. Application A/B tests run at the application layer (feature flag service). Istio only handles deployment-level traffic shifting.

Reason: if application logic leaks into Istio, Istio becomes an application component and the platform team ends up doing platform work for every code change.

3. Istio's Ingress Gateway — we use Traefik instead

Istio has its own ingress gateway but we use Traefik. Why: magicdigital.org and other external sites sit behind the same Traefik. Operationally, having one ingress layer in one place is simple.

Operational cost

Istio is free but not cheap.

  • Control plane (istiod) — manages sidecars for every namespace. In a mid-size cluster, ~1–2 GB RAM + 1 CPU.
  • Sidecars — every pod adds an Envoy proxy. ~50–100 MB RAM per pod.
  • Learning curve — VirtualService, DestinationRule, Gateway, PeerAuthentication, AuthorizationPolicy. New team members spend a week reading Istio docs.
  • Debugging complexity — when a request fails, is it the sidecar config? Traffic splitting misconfigured? Extra layer to check.

Is that cost worth it for us? Yes — with 30+ microservices, it earns its keep. For a 5–10 service platform I'd hesitate. Istio's value curves sharply with scale.

When to pick Istio, when to skip

Adopt if:

  • 15+ microservices
  • Security team requires mTLS
  • You need canary deploy patterns
  • Multiple teams, standardizing observability

Skip if:

  • Monolith or a handful of services
  • No platform team, app developers manage everything
  • No two weeks to dedicate to learning
  • No budget for sidecar RAM cost

Takeaway

Istio delivers real value for us — but not all of its features. "We don't fall for the sales demo; we use what we use, and skip what we skip." If you hold that discipline, Istio is a quiet tool in production. If you don't, it gets loud.

Like any tool, it's a trade-off. When you know exactly what you're getting and paying, the right call is easy.

ShareLinkedInX
Get the next one in your inbox

Long-form notes on distributed systems, production stability, AI-assisted shipping. No spam, easy to unsubscribe.

Email only. Stored on this server. Never sold or shared.

Comments

No comments yet. Be the first.

Leave a comment

Never shown publicly. Only used if I need to reply.