{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreih7t5imq6l52pswz2jcthvjj5if3qq5d2gt2ssuyi2ivxxesbsodi",
"uri": "at://did:plc:5sgu76a53rz3n6unbykmovqy/app.bsky.feed.post/3mlogumze7zo2"
},
"description": "A service mesh is an infrastructure layer that handles service-to-service communication for a microservices application: routing, retries, timeouts, mTLS encryption, authorization, traffic shifting, and observability. The mesh moves these cross-cutting concerns out of each service into a dedicated layer, typically implemented as a sidecar proxy or a kernel module per pod.\n\n\nHow it works\n\nMost service meshes follow the same architecture: a data plane of proxies (Envoy is the dominant choice) that",
"path": "/engineering-glossary/service-mesh-microservices-networking/",
"publishedAt": "2026-05-12T18:40:45.000Z",
"site": "https://sahilkapoor.com",
"tags": [
"Kubernetes",
"Microservices",
"API Gateway",
"Observability",
"Distributed Tracing"
],
"textContent": "**A service mesh** is an infrastructure layer that handles service-to-service communication for a microservices application: routing, retries, timeouts, mTLS encryption, authorization, traffic shifting, and observability. The mesh moves these cross-cutting concerns out of each service into a dedicated layer, typically implemented as a sidecar proxy or a kernel module per pod.\n\n## How it works\n\nMost service meshes follow the same architecture: a **data plane** of proxies (Envoy is the dominant choice) that intercepts every inbound and outbound request, and a **control plane** that configures the proxies based on declarative policy. Services communicate as before; the mesh transparently adds mTLS, retries, and traffic splits, and emits telemetry.\n\n## What a mesh typically provides\n\n * **mTLS.** Mutual TLS between every pair of services, with automatic certificate rotation.\n * **Traffic management.** Weighted routing, canary deployments, fault injection, retries with backoff, circuit breaking.\n * **Authorization.** Per-service or per-path policies, often expressed as Kubernetes CRDs.\n * **Observability.** Uniform metrics, traces, and access logs across all services without changing application code.\n\n## Common meshes\n\n * **Istio.** Feature-rich, Envoy-based, the most widely deployed.\n * **Linkerd.** Ultra-light, Rust-based proxy, simpler operational model.\n * **Cilium Service Mesh.** eBPF-based, sidecarless, integrates with Cilium CNI.\n * **Consul Connect.** HashiCorp's mesh, works beyond Kubernetes.\n * **AWS App Mesh, GCP Anthos Service Mesh, Azure Service Mesh.** Managed flavours.\n\n**Related Terms**\nKubernetes, Microservices, API Gateway, Observability, Distributed Tracing.",
"title": "Service Mesh",
"updatedAt": "2026-05-13T19:14:41.502Z"
}