Overview
In a service mesh, services do not talk directly to each other. They talk to a "sidecar proxy" (like Envoy), which handles network communication, retries, and security policies on their behalf.
How it Works
- Sidecar Injection: A proxy is injected into the Pod along with your application container.
- Traffic Interception: All outgoing traffic is redirected through the local proxy.
- Control Plane: Manages the configuration of all proxies centrally.
Benefits
- Transparent: Application code remains network-agnostic.
- Resilient: Automatic retries and circuit breaking.
- Secure: mTLS is enforced automatically between proxies.
Example: Communication Flow
graph LR
App1[Service A] --> ProxyA[Sidecar Proxy A]
ProxyA --> |Encrypted mTLS| ProxyB[Sidecar Proxy B]
ProxyB --> App2[Service B]

Result: Service A reaches Service B securely, even over an unencrypted network.
Connection established via mTLS (TLS 1.3)
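The "Secure" benefit above and the flow just shown hold only if the control plane tells the proxies to require mTLS rather than merely offer it. As an added example that is not part of the original page, here is the weak setting beside the corrected one, assuming Istio as the control plane managing the Envoy sidecars (the page names Envoy but no control plane); the namespace names are placeholders.

```yaml
# Added example (not from the page). Assumes Istio as the control plane for
# the Envoy sidecars; "istio-system" is Istio's default root namespace and
# "payments" is a placeholder application namespace.

# Weak setting: PERMISSIVE lets Sidecar Proxy B accept both mTLS and plain
# TCP on the same port. A workload without a sidecar, or a client that
# bypasses its own proxy, can still reach Service B unencrypted and
# unauthenticated, so the "automatic mTLS" in the diagram is not guaranteed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # placed in the root namespace => mesh-wide default
spec:
  mtls:
    mode: PERMISSIVE
---
# Hardened setting: STRICT makes every sidecar reject inbound connections that
# do not present a valid mesh-issued client certificate. This is the policy
# under which "Service A reaches Service B securely, even over an unencrypted
# network" actually holds for every path into Service B.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Narrower policy for a sensitive namespace (placeholder name). Namespace- and
# workload-level PeerAuthentication overrides the mesh-wide default, so a
# PERMISSIVE rule added here later would silently weaken the root policy for
# this namespace; review these objects, not only the mesh-wide one.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: require-mtls
  namespace: payments
spec:
  mtls:
    mode: STRICT
```

To see the effective policy across the mesh, list every PeerAuthentication object in all namespaces (for example with `kubectl get peerauthentication -A`) and confirm that no namespace- or workload-scoped object relaxes the mesh-wide STRICT default.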