Service Mesh Architecture
This topic describes the routing flow and architecture of the service mesh data and control plane in Cloud Foundry Application Runtime.
The service mesh data plane is a parallel routing path for ingress traffic to apps on CFAR. It is deployed alongside the existing Cloud Foundry routing tier and manages Istio routes for applications.
A route is managed by Istio if it is associated with an Istio-managed domain. These domains are specified in the manifest.

Route configuration flows from the Cloud Controller to the ingress Envoys as follows:

- A new route is added to CAPI and mapped to one or more applications.
- The route and mapping are sent to Copilot.
- Copilot exposes that configuration in a form Pilot can understand, and Pilot polls for it.
- Pilot distributes the configuration to the ingress Envoys.

A request to an Istio-managed route then takes this path:

- The request hits your load balancer.
- The load balancer directs the request to one of your ingress Envoys (on the istio-router VM).
- The ingress Envoy chooses which app container to send the request to.
- The app container has an iptables rule that DNATs the request to its local Envoy sidecar.
- The Envoy sidecar passes the request along to the application.
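The last two steps depend on the DNAT rule inside the app container pointing at the local sidecar. The following check, added here as an example and not part of the Cloud Foundry or istio-release code, parses `iptables-save -t nat` output and confirms that traffic to the app port is redirected to the expected sidecar address. The sample rules, the app port 8080 and the sidecar address 127.0.0.1:15001 are constructed assumptions, not values from this page.

```shell
#!/bin/sh
# Added example (not from the Cloud Foundry docs): verify that an app
# container's nat table DNATs inbound app traffic to the local Envoy sidecar.

# Constructed sample of `iptables-save -t nat` output from inside an app
# container. Port 8080 (app) and 127.0.0.1:15001 (sidecar) are assumed values.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 127.0.0.1:15001
COMMIT'

# sidecar_dnat_target RULES APP_PORT
# Prints the DNAT destination of the PREROUTING rule matching APP_PORT,
# or nothing if no such rule exists.
sidecar_dnat_target() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /^-A PREROUTING/ && /-j DNAT/ {
      found = 0; dest = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport" && $(i+1) == port) found = 1
        if ($i == "--to-destination") dest = $(i+1)
      }
      if (found) { print dest; exit }
    }'
}

# check_sidecar_dnat RULES APP_PORT SIDECAR_ADDR
# Returns 0 if APP_PORT is DNATed to SIDECAR_ADDR, 1 if no DNAT rule exists
# for APP_PORT, and 2 if the rule points somewhere other than SIDECAR_ADDR
# (a misrouted sidecar path is worth alerting on, not silently passing).
check_sidecar_dnat() {
  target=$(sidecar_dnat_target "$1" "$2")
  [ -z "$target" ] && return 1
  [ "$target" = "$3" ] && return 0
  return 2
}

# Live use (as root inside the container):
#   check_sidecar_dnat "$(iptables-save -t nat)" 8080 127.0.0.1:15001
check_sidecar_dnat "$SAMPLE_NAT_RULES" 8080 127.0.0.1:15001 \
  && echo "DNAT to local sidecar present"
```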
The following table lists each component in the service mesh architecture and describes its function.
| Component | Function |
|---|---|
| CAPI | Cloud Controller receives API requests from the cf CLI and stores information about routes. It distributes this route information to Copilot. |
| BBS | BBS sends information about apps across all Diego cells to Copilot. |
| Copilot | Copilot acts as an interface between Cloud Foundry routes and Istio configuration types. It sends configuration to Pilot through the Mesh Configuration Protocol (MCP). |
| Pilot | Pilot is an Istio component that can accept configuration from multiple sources simultaneously and distribute configuration intelligently across ingress and sidecar Envoys. |
| Envoy | Envoy Proxy is a lightweight edge proxy designed for microservices. It routes traffic based on configuration it receives from Pilot and emits in-depth metrics based on that traffic. |
| Load Balancer | The load balancer is a reverse proxy provided by the IaaS, or a physical machine, that distributes network traffic across the ingress Envoys while presenting a single public endpoint. This is not the same load balancer used by Gorouter. |
| istio-release | A BOSH release that deploys Istio-related components and configures any existing components to use them. |