Service Mesh Architecture
This topic describes the routing flow and architecture of the service mesh data and control plane in Cloud Foundry Application Runtime (CFAR).
The service mesh data plane is a parallel routing path for ingress traffic to apps on Cloud Foundry Application Runtime. It is deployed alongside the existing Cloud Foundry routing tier (Gorouter) and handles only Istio-managed routes.
A route is managed by Istio if it is associated with an Istio-managed domain. The Istio-managed domains are specified in the deployment manifest; routes on any other domain continue to be served by Gorouter.
Route configuration reaches the ingress Envoys through the control plane as follows:
- A new route is added to CAPI and mapped to one or more applications.
- CAPI sends the route and its mappings to Copilot; BBS sends Copilot the app instances that back those mappings.
- Copilot translates that configuration into Istio configuration types and exposes it over the Mesh Configuration Protocol (MCP), from which Pilot retrieves it.
- Pilot distributes the resulting configuration to the ingress Envoys.
A request for an Istio-managed route then takes the following path through the data plane:
- The request hits your load balancer.
- The load balancer directs the request to one of your ingress Envoys (on the istio-router VM).
- The ingress Envoy chooses which app container to send the request to.
- The app container has an iptables rule that DNATs the request to its local Envoy sidecar, so traffic arriving at the container is handled by the sidecar rather than delivered directly to the application.
- The Envoy sidecar passes the request along to the application.
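The following Python model, added here as an illustration and not code from CFAR, Copilot or istio-release, walks through both flows above: it performs the join Copilot makes between CAPI routes and BBS instances for Istio-managed domains only, then resolves a request the way the ingress Envoy and the container's DNAT rule do. The domain, route, app and cell values are constructed sample data, and the port numbers (8080 for the app, 15001 for the sidecar) and the shape of the configuration are assumptions of the example, not the real MCP wire format.

```python
# Added example: model of the control-plane join and data-plane lookup.
# Names, ports and configuration shape are assumptions of this illustration.
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

# Istio-managed domains as they would be listed in the deployment manifest (constructed).
ISTIO_MANAGED_DOMAINS: Set[str] = {"istio.example.com"}

# Port assumptions for the container (hypothetical values, not istio-release's).
APP_PORT = 8080        # port the application listens on inside its container
SIDECAR_PORT = 15001   # port the Envoy sidecar listens on inside the container

Backend = Tuple[str, int]  # (Diego cell address, host port that maps to the container)


@dataclass(frozen=True)
class Route:
    """A route as stored by Cloud Controller (CAPI)."""
    host: str
    domain: str

    @property
    def fqdn(self) -> str:
        return f"{self.host}.{self.domain}"


@dataclass(frozen=True)
class AppInstance:
    """An app instance as reported by BBS: which cell it runs on and the host port there."""
    app_guid: str
    cell_address: str
    host_port: int


def is_istio_managed(route: Route, managed_domains: Set[str]) -> bool:
    """A route belongs to the Istio data plane only if its domain is Istio-managed."""
    return route.domain in managed_domains


def build_ingress_config(routes: Iterable[Route], mappings: Dict[Route, Set[str]],
                         instances: Iterable[AppInstance],
                         managed_domains: Set[str]) -> Dict[str, List[Backend]]:
    """Copilot's join: for each Istio-managed route, the backends reachable for it,
    built from CAPI's route-to-app mappings and BBS's instance list. Routes on other
    domains are left to Gorouter and get no entry, so Pilot never learns about them."""
    by_app: Dict[str, List[AppInstance]] = {}
    for inst in instances:
        by_app.setdefault(inst.app_guid, []).append(inst)
    config: Dict[str, List[Backend]] = {}
    for route in routes:
        if not is_istio_managed(route, managed_domains):
            continue
        config[route.fqdn] = [(inst.cell_address, inst.host_port)
                              for guid in sorted(mappings.get(route, set()))
                              for inst in by_app.get(guid, [])]
    return config


class IngressEnvoy:
    """Ingress Envoy on the istio-router VM: matches the Host header against the
    virtual hosts Pilot pushed and picks a backend round-robin."""

    def __init__(self, config: Dict[str, List[Backend]]) -> None:
        self._pools: Dict[str, Iterator[Backend]] = {
            fqdn: cycle(backends) for fqdn, backends in config.items() if backends}

    def choose_backend(self, host_header: str) -> Optional[Backend]:
        host = host_header.split(":", 1)[0].lower()  # a Host header may carry a port
        pool = self._pools.get(host)
        return next(pool) if pool is not None else None


def container_inbound(dst_port: int) -> Optional[Tuple[str, int]]:
    """The iptables rule inside the app container: a request arriving at the app
    port is DNATed to the local Envoy sidecar. Other ports have no rule in this model."""
    if dst_port == APP_PORT:
        return ("envoy-sidecar", SIDECAR_PORT)
    return None


def trace_request(envoy: IngressEnvoy, host_header: str) -> List[str]:
    """The hops a request takes from the load balancer to the application."""
    hops = ["load-balancer", "ingress-envoy"]
    backend = envoy.choose_backend(host_header)
    if backend is None:
        hops.append("no-route")  # no virtual host for this Host: not an Istio-managed route
        return hops
    cell, host_port = backend
    hops.append(f"cell {cell}:{host_port} -> container:{APP_PORT}")
    redirected = container_inbound(APP_PORT)
    if redirected is not None:
        hops.append(f"{redirected[0]}:{redirected[1]}")
    hops.append(f"app:{APP_PORT}")
    return hops


# Constructed sample state: two routes in CAPI, only one on an Istio-managed domain.
ROUTES = [Route("shop", "istio.example.com"), Route("legacy", "apps.example.com")]
MAPPINGS: Dict[Route, Set[str]] = {ROUTES[0]: {"app-1"}, ROUTES[1]: {"app-2"}}
INSTANCES = [AppInstance("app-1", "10.0.1.5", 61001),
             AppInstance("app-1", "10.0.1.6", 61002),
             AppInstance("app-2", "10.0.1.7", 61003)]

if __name__ == "__main__":
    cfg = build_ingress_config(ROUTES, MAPPINGS, INSTANCES, ISTIO_MANAGED_DOMAINS)
    envoy = IngressEnvoy(cfg)
    for host in ("shop.istio.example.com:443", "shop.istio.example.com", "legacy.apps.example.com"):
        print(host, "->", " -> ".join(trace_request(envoy, host)))
```

Two points the model makes explicit: a route on a domain that is not Istio-managed never enters the configuration Pilot pushes, so the ingress Envoy has nothing to match it against and the request does not reach an app container through this path; and the ingress Envoy chooses among cells by Host header alone, while the sidecar hop is imposed inside the container by the DNAT rule rather than by anything the ingress proxy sends.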
The following table lists each component in the service mesh architecture and describes its function.
| Component | Function |
| --- | --- |
| CAPI | Cloud Controller receives API requests from the cf CLI and stores information about routes. It distributes this route information to Copilot. |
| BBS | BBS sends information about app instances across all Diego cells to Copilot. |
| Copilot | Copilot acts as an interface between Cloud Foundry routes and Istio configuration types. It sends configuration to Pilot through the Mesh Configuration Protocol (MCP). |
| Pilot | Pilot is an Istio component that accepts configuration from multiple sources simultaneously and distributes it to the ingress and sidecar Envoys. |
| Envoy | Envoy Proxy is a lightweight edge proxy designed for microservices. It routes traffic based on the configuration it receives from Pilot and emits detailed metrics about that traffic. |
| Load Balancer | The load balancer is a reverse proxy, provided by the IaaS or running on a physical machine, that distributes network traffic across the ingress Envoys while presenting a single public endpoint. It is not the same load balancer that fronts Gorouter. |
| istio-release | A BOSH release that deploys the Istio-related components and configures existing components to use them. |