A service mesh is an infrastructure layer that manages communication between the services of an application. The Istio project defines it as “an infrastructure layer that gives applications capabilities like zero-trust security, observability, and advanced traffic management, without code changes.” The phrase “without code changes” is the defining promise: the mesh adds networking capabilities to a distributed system without requiring developers to modify the services, which need not even be aware that the mesh exists.
The mesh exists because microservice architectures multiply the number of network hops in an application. Concerns that do not arise for an in-process function call, such as retries, timeouts, encryption, load balancing, and tracing, become network problems that every service would otherwise have to solve on its own. A service mesh moves that logic out of the application and into a shared layer, so it can be implemented once and applied uniformly.
Most service meshes implement this layer with application-level proxies. As Istio describes, “by using application proxies, Istio lets you program application-aware traffic management, incredible observability, and robust security capabilities into your network.” A small proxy (in Istio, an Envoy sidecar) is deployed alongside each service instance, and all traffic into and out of the service is transparently redirected through that proxy. The proxies collectively form the data plane of the mesh, while a separate control plane distributes configuration to them. Because the proxy is the enforcement point, the mesh’s guarantees cover only traffic that actually passes through it: a workload that runs without a sidecar, or that bypasses the redirection, is outside the mesh’s protection.
The capabilities a mesh provides cluster into three areas. Traffic management covers routing rules, percentage-based traffic splitting, canary deployments, and A/B testing. Security centers on a zero-trust model “based on workload identity, mutual TLS, and strong policy controls”: each workload receives a certificate bound to its identity, service-to-service calls are authenticated and encrypted with mutual TLS, and access is granted by policy rather than by network position. The encryption guarantee is only as strong as its enforcement, however: in Istio, a workload with no explicit peer-authentication policy accepts both mTLS and plaintext connections (PERMISSIVE mode), so “every call is encrypted” holds only once STRICT mode is set. Observability comes from telemetry the proxies generate automatically, feeding metrics, logs, and traces into systems such as Prometheus and Grafana.
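The following Istio manifests are an added example, not taken from the page or from the Istio project’s own documentation. They show what the control plane described above actually pushes to the sidecar proxies to obtain the three capabilities: a peer-authentication policy in its weak PERMISSIVE form beside the hardened STRICT form, an authorization policy keyed on workload identity, and a canary traffic split. The namespace (`payments`), workload labels (`app: ledger`, `app: checkout`), service account (`checkout-sa`), version labels, and the `/transfers` path are all assumed names chosen for the illustration.

```yaml
# Added example (not from the page or the Istio project): Istio resources that turn
# the mesh's security and traffic capabilities into enforced proxy configuration.
# Assumed names: namespace "payments", workloads "ledger" and "checkout",
# service account "checkout-sa", ledger versions labelled version: v1 / v2.
# Apply with: kubectl apply -f mesh-policy.yaml

# 1. Weak setting, shown only for contrast. PERMISSIVE accepts both mTLS and plaintext,
#    so a pod that runs without a sidecar (or a caller from outside the mesh) can still
#    reach ledger in the clear. This is also the behaviour when no policy exists at all.
#    Do not apply this alongside the STRICT policy below; they select the same workload.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: ledger-permissive
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  mtls:
    mode: PERMISSIVE
---
# 2. Hardened setting. STRICT makes the ledger sidecar reject any inbound connection
#    that is not mutual TLS with a mesh-issued certificate, so "every service-to-service
#    call is encrypted" actually holds for this workload.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: ledger-strict
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  mtls:
    mode: STRICT
---
# 3. Workload-identity authorization. The caller is identified by the SPIFFE principal
#    carried in its client certificate (cluster.local/ns/<namespace>/sa/<service account>),
#    not by IP address. Only checkout-sa may POST to /transfers; because this is an ALLOW
#    policy selecting ledger, every other request to ledger is denied with HTTP 403,
#    even from a caller that presents a valid mesh certificate.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout-sa"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/transfers"]
---
# 4. Traffic management. Subsets name the two ledger versions by pod label...
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: ledger
  namespace: payments
spec:
  host: ledger.payments.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# ...and the VirtualService sends 90% of calls to v1 and 10% to the v2 canary.
#    The checkout code keeps calling the same hostname; the split happens in its sidecar.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ledger
  namespace: payments
spec:
  hosts:
  - ledger.payments.svc.cluster.local
  http:
  - route:
    - destination:
        host: ledger.payments.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: ledger.payments.svc.cluster.local
        subset: v2
      weight: 10
```

A practical check after applying the STRICT policy: run a plain `curl http://ledger.payments.svc.cluster.local/transfers` from a pod in the cluster that has no sidecar injected. Under PERMISSIVE it succeeds; under STRICT the ledger proxy drops the plaintext connection, which is the behaviour the zero-trust claim depends on. The same request from the checkout pod (whose sidecar originates mTLS automatically) should then be accepted, while a request from any other meshed pod should return 403 from the authorization policy rather than reaching the application.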
The service mesh emerged as a named concept around 2016 and 2017, popularized by Buoyant’s Linkerd and then by Istio. It represents a recurring pattern in computing: as a class of cross-cutting concerns becomes too important and too repetitive to leave to each application, it is pushed down into a dedicated infrastructure layer.