Istio is an open-source service mesh that, in the words of its own project README, “layers transparently onto existing distributed applications” to provide “a uniform and more efficient way to secure, connect, and monitor services.” It was announced in May 2017 as a collaboration between Google, IBM, and Lyft, and it quickly became the most widely adopted service mesh in the cloud-native ecosystem. Istio is a Cloud Native Computing Foundation project.
The system’s data plane is built on Envoy, the high-performance proxy originally created at Lyft. In Istio’s classic deployment model, an Envoy proxy is run as a sidecar next to each microservice instance to “handle ingress/egress traffic between services.” These sidecars collectively form a secure microservice mesh that provides service discovery, advanced routing, load balancing, circuit breaking, and policy enforcement, all “with few or no service code changes.”
Istio’s control plane is a component called Istiod, which is responsible for service discovery, distributing configuration to the proxies, and managing the certificates that underpin mutual TLS between services. Operators express intent through high-level configuration, and Istiod translates that into the low-level Envoy settings pushed out to every sidecar. This separation of a programmable control plane from a uniform data plane is the architectural heart of the mesh.
The project has evolved its deployment model over time. Alongside the sidecar approach, Istio introduced Ambient mode, which uses a lightweight per-node data-plane component called Ztunnel to provide secure connectivity without requiring a sidecar proxy on every workload. This addresses one of the long-standing criticisms of meshes, the resource and operational overhead of running a proxy beside every service instance.
Istio matters historically as the project that turned the service mesh from a concept into mainstream infrastructure. It demonstrated that traffic management, zero-trust security based on workload identity and mutual TLS, and rich observability could be added to a fleet of microservices as a deployable platform rather than as code in each service, and it set the template that later meshes followed or reacted against.
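As an added illustration of the "high-level configuration" Istiod translates into proxy settings, and of the identity-based zero-trust model the paragraphs above describe, the following Istio resources (example configuration written for this page, not taken from the project's documentation) show a weak setting beside its hardened form. The namespace `default`, the workload label `app: reviews`, and the service account `frontend` are assumed placeholder names.

```yaml
# Weak: PERMISSIVE (Istio's default) lets a workload accept both plaintext and
# mutual-TLS connections, so an unmeshed or spoofed client can still reach it.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default          # assumed namespace
spec:
  mtls:
    mode: PERMISSIVE
---
# Hardened: a PeerAuthentication in the root namespace (istio-system by default)
# applies mesh-wide; STRICT rejects any connection that is not mutual TLS with a
# certificate issued by Istiod, which is what ties traffic to workload identity.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Least privilege on top of identity: only the workload running as the
# "frontend" service account may call the "reviews" workload, and only with GET.
# Principals use the form <trust-domain>/ns/<namespace>/sa/<service-account>;
# with an ALLOW policy present, every other source is denied by default.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow-frontend  # assumed name
  namespace: default            # assumed namespace
spec:
  selector:
    matchLabels:
      app: reviews              # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
```

Before switching a namespace to STRICT, check for clients that still connect in plaintext (for example with `istioctl x describe` or the proxy's telemetry), since STRICT will drop them at the sidecar rather than at the application.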