Service Mesh Architecture
This topic describes the routing flow and architecture of the service mesh data and control plane in VMware Tanzu Application Service for VMs (TAS for VMs).
The service mesh data plane is a parallel routing path for ingress traffic for apps on TAS for VMs. It is deployed alongside the existing TAS for VMs routing tier and manages Istio routes for apps.
TAS for VMs uses Istio’s Pilot component to configure ingress Envoy proxies, and these proxies are the routers. TAS for VMs uses a custom component called Copilot to push TAS for VMs configuration to Pilot. For more information, see the Istio and Envoy websites.
A route is managed by Istio if it is associated with an Istio-managed domain. Istio-managed domains are specified in the manifest.
The diagram below shows the architecture of the service mesh data and control plane.
The routing flow of the control plane is:
1. A new route is added to CAPI and mapped to one or more apps.
2. The route and mapping are sent to Copilot.
3. Copilot exposes the route and mapping configuration in a way Pilot can understand, and Pilot polls for it.
4. Pilot distributes the configuration to the ingress Envoy proxy.
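The join performed in the control-plane steps above, as an added example that is not Copilot's or Pilot's own code: it models how route mappings from CAPI and app instance addresses from BBS combine into per-hostname backends for the ingress Envoy proxies, and how routes on domains that are not Istio-managed are left to the existing routing tier. The `Route` type, the function name, and all domains, GUIDs and addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """Simplified view of a route as stored by CAPI (hypothetical shape)."""
    host: str
    domain: str
    app_guids: tuple  # apps the route is mapped to


def build_ingress_config(routes, instances, istio_domains):
    """Return (ingress, skipped).

    ingress: FQDN -> sorted "ip:port" backends, only for routes whose
             domain is Istio-managed.
    skipped: FQDNs on other domains, which stay on the existing routing tier.
    """
    managed = {d.lower() for d in istio_domains}
    ingress, skipped = {}, []
    for route in routes:
        fqdn = f"{route.host}.{route.domain}".lower()
        if route.domain.lower() not in managed:
            skipped.append(fqdn)
            continue
        backends = ingress.setdefault(fqdn, set())
        for guid in route.app_guids:
            # A mapped app with no running instances contributes no backends.
            backends.update(instances.get(guid, ()))
    return {h: sorted(b) for h, b in ingress.items()}, sorted(skipped)


# Constructed sample data, not taken from a real deployment.
ISTIO_DOMAINS = ["mesh.example.com"]
ROUTES = [
    Route("shop", "mesh.example.com", ("app-a", "app-b")),
    Route("shop", "apps.example.com", ("app-a",)),
    Route("idle", "mesh.example.com", ("app-c",)),
]
INSTANCES = {  # app GUID -> instance addresses, as reported by BBS
    "app-a": ["10.0.1.5:61001", "10.0.2.7:61003"],
    "app-b": ["10.0.1.9:61001"],
}

if __name__ == "__main__":
    ingress, skipped = build_ingress_config(ROUTES, INSTANCES, ISTIO_DOMAINS)
    for fqdn, backends in ingress.items():
        print(f"istio ingress: {fqdn} -> {backends or 'no backends'}")
    for fqdn in skipped:
        print(f"existing routing tier: {fqdn}")
```

Listing which hostnames fall on each path is useful when access logging or filtering is configured per routing tier, because the same app can be reachable through both.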
The routing flow of the data plane is:
1. The request hits your load balancer.
2. The load balancer directs the request to one of your ingress Envoy proxies on the Istio router VM.
3. The ingress Envoy proxy chooses which app container to send the request to.
4. The app container has an iptables rule which uses destination network address translation (DNAT) to forward the request to its local Envoy sidecar.
5. The Envoy sidecar passes the request to the app.
The following table lists each component in the service mesh architecture and describes its function.
|Component|Function|
|---|---|
|CAPI|Cloud Controller receives API requests from the Cloud Foundry Command-Line Interface (cf CLI) and stores information about routes. It distributes this route information to Copilot.|
|BBS|BBS sends information about apps across all Diego Cells to Copilot.|
|Copilot|Copilot acts as an interface between TAS for VMs routes and Istio configuration types. It sends configuration to Pilot through Mesh Configuration Protocol (MCP). For more information, see the Copilot repository on GitHub.|
|Pilot|Pilot is an Istio component that can accept configuration from multiple sources simultaneously and distribute configuration intelligently across ingress and Envoy sidecars.|
|Envoy|Envoy is a lightweight edge proxy designed for microservices. It routes traffic based on configuration it receives from Pilot and emits in-depth metrics based on that traffic.|
|Load Balancer|The load balancer is a reverse proxy provided by the IaaS, or a physical machine, that distributes network traffic across the ingress Envoy proxies while presenting a single public endpoint. This is not the same load balancer used by Gorouter.|
|istio-release|A BOSH release that deploys Istio-related components and configures any existing components to use them. For more information, see the Istio release repository on GitHub.|