Service Mesh Architecture

Page last updated:

This topic describes the routing flow and architecture of the service mesh data and control plane in Cloud Foundry Application Runtime (CFAR).

Overview

The service mesh data plane is a parallel routing path for ingress traffic for apps on CFAR. It is deployed alongside the existing CFAR routing tier and manages Istio routes for apps.

CFAR uses Istio’s Pilot component to configure ingress Envoy proxies, and these proxies are the routers. CFAR uses a custom component called Copilot to push CFAR configuration to Pilot. For more information, see the Istio and Envoy websites.

A route is managed by Istio if it is associated with an Istio-managed domain. These are specified in the manifest.

Service Mesh Architecture

The diagram below shows the architecture of the service mesh data and control plane.

Istio Routing Architecture

Control Plane

The routing flow of the control plane is:

  1. A new route is added to CAPI and mapped to one or more apps.

  2. The route and mapping are sent to Copilot.

  3. Copilot exposes the route and mapping configuration in a way Pilot can understand, and Pilot polls for it.

  4. Pilot distributes the configuration to the ingress Envoy proxy.

Data Plane

The routing flow of the data plane is:

  1. The request hits your load balancer.

  2. The load balancer directs the request to one of your ingress Envoy proxies on the Istio router VM.

  3. The ingress Envoy proxy chooses which app container to send the request to.

  4. The app container has an iptables rule which uses destination network address translation (DNAT) to forward the request to its local Envoy sidecar.

  5. The Envoy sidecar passes the request to the app.

Service Mesh Components

The following table lists each component in the service mesh architecture and describes its function.

Component Name Summary
CAPI Cloud Controller receives API requests from the Cloud Foundry Command-Line Interface (cf CLI) and stores information about routes. It distributes this route information to Copilot.
BBS BBS sends information about apps across all Diego Cells to Copilot.
Copilot Copilot acts as an interface between CFAR routes and Istio configuration types. It sends configuration to Pilot through Mesh Configuration Protocol (MCP). For more information, see the Copilot repository on GitHub.
Pilot Pilot is an Istio component that can accept configuration from multiple sources simultaneously and distribute configuration intelligently across ingress and Envoy sidecars.
Envoy Envoy is a lightweight edge proxy designed for microservices. It routes traffic based on configuration it receives from Pilot and emits in-depth metrics based on that traffic.
Load Balancer The load balancer is a reverse proxy provided by the IaaS, or a physical machine, that distributes network traffic across the ingress Envoy proxies while presenting a single public endpoint. This is not the same load balancer used by Gorouter.
istio-release A BOSH release that deploys Istio-related components and configures any existing components to use them. For more information, see the Istio release repository on GitHub.
Create a pull request or raise an issue on the source for this page in GitHub