Microservices Patterns

API Gateway vs Service Mesh

Navigating the connectivity maze: Understanding North-South vs East-West traffic, the Sidecar pattern, and when you truly need Istio.

The Core Distinction

Both route traffic, which is a common source of confusion, but they serve different domains: one guards the boundary of the cluster, the other the links inside it.

🌐 API Gateway (North-South)

Entry Point: Handles traffic entering the cluster from the outside world (Mobile/Web).

  • Authentication (OAuth/JWT)
  • Rate Limiting (Per Client)
  • Response Aggregation
  • SSL Termination
πŸ•ΈοΈ Service Mesh (East-West)

Inter-Service: Handles traffic inside the cluster between microservices.

  • Mutual TLS (mTLS) Security
  • Service Discovery
  • Retries & Circuit Breaking
  • Observability (Tracing)
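The two gateway duties that matter most for security, authentication (JWT) and per-client rate limiting, as an added example that is not code from the original page: a minimal HS256 JWT verifier and a token-bucket limiter keyed by the token's `sub` claim. The secret, the claim names, the bucket sizes and the helper names are all constructed for the demo.

```python
"""Two API-gateway duties in code: JWT verification and per-client rate limiting.

Added illustration, not code from the original page. SECRET, the claim names
and the bucket sizes are constructed for the demo; the helpers are hypothetical.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: HS256 key shared with the token issuer


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT (stands in for the OAuth server the gateway trusts)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: float, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims if algorithm, signature and expiry all check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token's own header must not choose the verifier.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison of the signature.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        return None
    if claims["exp"] <= now:  # expired tokens are rejected even with a valid signature
        return None
    return claims


class TokenBucket:
    """Per-client limiter: `capacity` requests, refilled at `rate` per second."""

    def __init__(self, capacity: int, rate: float):
        self.capacity = capacity
        self.rate = rate
        self.buckets = {}  # client id -> (tokens left, timestamp of last update)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self.buckets.get(client, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - 1, now)
        return True


def gateway_decision(token: str, limiter: TokenBucket, now: float) -> int:
    """HTTP status the gateway would answer with: 200, 401 (bad token) or 429 (rate limited)."""
    claims = verify_token(token, now)
    if claims is None:
        return 401
    client = claims.get("sub", "")  # assumption: `sub` identifies the calling client
    if not client or not limiter.allow(client, now):
        return 429
    return 200


if __name__ == "__main__":
    now = 1_700_000_000.0
    tok = issue_token({"sub": "mobile-app", "exp": now + 60})
    limiter = TokenBucket(capacity=3, rate=1.0)
    print([gateway_decision(tok, limiter, now) for _ in range(4)])  # three 200s, then 429
    print(gateway_decision("garbage", limiter, now))  # 401
```

Authentication is decided before the limiter is consulted, so an unauthenticated flood never consumes a legitimate client's budget, and the limiter is keyed by the verified `sub` claim rather than by anything the caller can choose freely.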

The Sidecar Pattern

How does a Service Mesh intercept traffic without changing code? By injecting a Sidecar Proxy (e.g., Envoy) into every Pod.

Pod A (Checkout)
Envoy Proxy ↔ App Container
→ mTLS →
Pod B (Payment)
App Container ↔ Envoy Proxy

Application code talks to `localhost`. Envoy handles the network magic.

Traffic Control (Istio Example)

Service Meshes allow advanced routing rules like Canary Deployments (shift 10% traffic to v2).

1. VirtualService (Routing Logic)

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: payment-service
spec:
  hosts:
  - payment
  http:
  - route:
    - destination:
        host: payment
        subset: v1
      weight: 90
    - destination:
        host: payment
        subset: v2
      weight: 10  # 10% traffic to Canary

2. DestinationRule (Subsets)

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: payment-service
spec:
  host: payment
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
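A pre-apply check for the two manifests above, as an added example that is not from the original page or from Istio: the manifests are mirrored as Python dicts so the script needs no YAML library, `traffic_split` resolves each route's subset against the DestinationRule and reports the 90/10 split, and `simulate` shows what that split does to a sample of requests. The helper names are assumptions.

```python
"""Lint the VirtualService above against its DestinationRule before applying.

Added example, not code from the original page or from Istio. The two
manifests are mirrored as Python dicts (constructed here so the script needs no
YAML library); traffic_split, with_subset and simulate are hypothetical helpers.
"""
import copy
import random

VIRTUAL_SERVICE = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "VirtualService",
    "metadata": {"name": "payment-service"},
    "spec": {
        "hosts": ["payment"],
        "http": [{"route": [
            {"destination": {"host": "payment", "subset": "v1"}, "weight": 90},
            {"destination": {"host": "payment", "subset": "v2"}, "weight": 10},
        ]}],
    },
}

DESTINATION_RULE = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "DestinationRule",
    "metadata": {"name": "payment-service"},
    "spec": {
        "host": "payment",
        "subsets": [
            {"name": "v1", "labels": {"version": "v1"}},
            {"name": "v2", "labels": {"version": "v2"}},
        ],
    },
}


def traffic_split(virtual_service: dict, destination_rule: dict) -> tuple:
    """Return ({subset: fraction}, [problems]) for the first HTTP route block.

    A route naming a subset the DestinationRule does not define, or a host the
    rule does not cover, has no endpoints to send to once deployed, so it is
    better caught here than as failed requests after rollout.
    """
    problems = []
    rule_host = destination_rule["spec"]["host"]
    defined = {s["name"] for s in destination_rule["spec"].get("subsets", [])}
    routes = virtual_service["spec"]["http"][0]["route"]
    weights = {}
    for route in routes:
        dest = route["destination"]
        subset = dest.get("subset")
        if dest["host"] != rule_host:
            problems.append(f"host {dest['host']!r} is not covered by the DestinationRule for {rule_host!r}")
        if subset not in defined:
            problems.append(f"subset {subset!r} is not defined in the DestinationRule")
        # A lone destination with no explicit weight receives all traffic.
        weight = route.get("weight", 100 if len(routes) == 1 else 0)
        weights[subset] = weights.get(subset, 0) + weight
    total = sum(weights.values())
    # The manifest expresses the canary split in percent, so insist on 100.
    if total != 100:
        problems.append(f"route weights sum to {total}, expected 100")
    split = {name: w / total for name, w in weights.items()} if total > 0 else {}
    return split, problems


def with_subset(virtual_service: dict, route_index: int, subset: str) -> dict:
    """Copy of the VirtualService with one route pointed at another subset."""
    changed = copy.deepcopy(virtual_service)
    changed["spec"]["http"][0]["route"][route_index]["destination"]["subset"] = subset
    return changed


def simulate(split: dict, requests: int, seed: int = 0) -> dict:
    """Send `requests` weighted picks through the split, the way a proxy would."""
    rng = random.Random(seed)
    counts = {name: 0 for name in split}
    for _ in range(requests):
        counts[rng.choices(list(split), weights=list(split.values()))[0]] += 1
    return counts


if __name__ == "__main__":
    split, problems = traffic_split(VIRTUAL_SERVICE, DESTINATION_RULE)
    print("split:", split, "problems:", problems)
    print("10000 requests:", simulate(split, 10_000))
    # Point the canary route at a subset the DestinationRule never defines.
    print(traffic_split(with_subset(VIRTUAL_SERVICE, 1, "v3"), DESTINATION_RULE)[1])
```

The dangling-subset case is the one worth automating: the VirtualService applies cleanly on its own, and the mistake only surfaces as failing requests for whatever share of traffic the bad route carries.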

When to use what?

Requirement                | API Gateway                    | Service Mesh
---------------------------|--------------------------------|-----------------------------
Hiding Internal APIs       | ✅ Yes (Facade Pattern)         | ❌ No
Zero-Trust Security (mTLS) | ❌ No (usually terminates SSL)  | ✅ Yes (auto-rotates certs)
Protocol Translation       | ✅ Yes (REST -> gRPC)           | ❌ No (primarily transport)
Observability              | Edge metrics only              | Deep end-to-end tracing

⚠️ Complexity Warning: Don't adopt a Service Mesh (Istio/Linkerd) unless you have 50+ microservices or strict compliance (mTLS) needs. The operational overhead is massive.

Summary

  • API Gateway: The "Front Door". Focuses on Client-to-Cluster security and routing.
  • Service Mesh: The "Internal Nervous System". Focuses on Service-to-Service reliability and security.
  • Sidecar Pattern: Decouples network logic from application code.
  • Start Simple: Most smaller architectures only need an API Gateway + Standard K8s networking.