open-consul/website/content/docs/intro/vs/istio.mdx
Zachary Shilton 5b53b5aef5
website: implement mktg 032 (#9953)
* website: migrate to new nav-data format

* website: clean up unused intro content

* website: remove deprecated sidebar_title from frontmatter

* website: add react-content to fix global style import issue
2021-04-07 15:50:38 -04:00

81 lines
4.3 KiB
Plaintext

---
layout: docs
page_title: Consul vs. Istio
description: >-
Istio is a platform for connecting and securing microservices. This page
describes the similarities and differences between Istio and Consul.
---
# Consul vs. Istio
Istio is an open platform to connect, manage, and secure microservices.
To enable the full functionality of Istio, multiple services must
be deployed. For the control plane: Pilot, Mixer, and Citadel must be
deployed and for the data plane an Envoy sidecar is deployed. Additionally,
Istio requires a 3rd party service catalog from Kubernetes, Consul, Eureka,
or others. Finally, Istio requires an external system for storing state,
typically etcd. At a minimum, three Istio-dedicated services along with at
least one separate distributed system (in addition to Istio) must be
configured to use the full functionality of Istio.
Istio provides layer 7 features for path-based routing, traffic shaping,
load balancing, and telemetry. Access control policies can be configured
targeting both layer 7 and layer 4 properties to control access, routing,
and more based on service identity.
Consul is a single binary providing both server and client capabilities, and
includes all functionality for service catalog, configuration, TLS certificates,
authorization, and more. No additional systems need to be installed to use
Consul, although Consul optionally supports external systems such as Vault
to augment behavior. This architecture enables Consul to be easily installed
on any platform, including directly onto the machine.
Consul uses an agent-based model where each node in the cluster runs a
Consul Client. This client maintains a local cache that is efficiently updated
from servers. As a result, all secure service communication APIs respond in
microseconds and do not require any external communication. This allows us to
do connection enforcement at the edge without communicating to central
servers. Istio flows requests to a central Mixer service and must push
updates out via Pilot. This dramatically reduces the scalability of Istio,
whereas Consul is able to efficiently distribute updates and perform all
work on the edge.
Consul provides layer 7 features for path-based routing, traffic shifting,
load balancing, and telemetry. Consul enforces authorization and identity to
layer 4 only — either the TLS connection can be established or it can't.
We believe service identity should be tied to layer 4, whereas layer 7 should be
used for routing, telemetry, etc. We will be adding more layer 7 features to Consul in the future.
The data plane for Consul is pluggable. It includes a built-in proxy with
a larger performance trade off for ease of use. But you may also use third
party proxies such as Envoy to leverage layer 7 features. The ability to use the
right proxy for the job allows flexible heterogeneous deployments where
different proxies may be more correct for the applications they're proxying. We
encourage users leverage the pluggable data plane layer and use a proxy which
supports the layer 7 features necessary for the cluster.
In addition to third party proxy support, applications can natively integrate
with the Connect protocol. As a result, the performance overhead of introducing
Connect is negligible. These "Connect-native" applications can interact with
any other Connect-capable services, whether they're using a proxy or are
also Connect-native.
Consul implements automatic TLS certificate management complete with rotation
support. Both leaf and root certificates can be rotated automatically across
a large Consul cluster with zero disruption to connections. The certificate
management system is pluggable through code change in Consul and will be
exposed as an external plugin system shortly. This enables Consul to work
with any PKI solution.
Because Consul's service connection feature "Connect" is built-in, it
inherits the operational stability of Consul. Consul has been in production
for large companies since 2014 and is known to be deployed on as many as
50,000 nodes in a single cluster.
This comparison is based on our own limited usage of Istio as well as
talking to Istio users. If you feel there are inaccurate statements in this
comparison, please click "Edit This Page" in the footer of this page and
propose edits. We strive for technical accuracy and will review and update
this post for inaccuracies as quickly as possible.