Automatic intelligent observability into Envoy-proxied services of your Istio service mesh (Preview)

Dynatrace gives you out-of-the-box service-level insights into Istio Ingress/Egress Envoys with all the benefits that Dynatrace is known for: the Davis AI causation engine and entity model, automatic topology detection in Smartscape, auto-baselining, automated error detection, and much more.

The popularity of microservices and container platforms like Kubernetes and Cloud Foundry is in large part due to the associated benefits of faster deployment cycles, more flexibility in resource utilization, and reduced technology/vendor lock-in. These are however just some of the reasons why we’re now seeing these platforms in use in customer environments around the world.

The increasing number of smaller, decoupled services brings new challenges for controlling complexity within systems. To solve these operational challenges around deployment, resilience, and security, many Kubernetes users are adopting service meshes, like Istio. However, in order to enable Istio to effectively solve such operational challenges, you need to have visibility into Istio’s critical components.

Instantly see what’s going on in your Istio Ingress/Egress Envoys

Unlike other solutions on the market that force you to manually deploy and configure monitoring, Dynatrace gives you out-of-the-box service-level insights with full end-to-end traces into your microservices. Additionally, with OneAgent 1.195 we released a Preview that gives you out-of-the-box service-level insights into your Istio Ingress/Egress Envoys. Of course, this comes with all the benefits that Dynatrace is known for: the Davis AI causation engine and entity model, automatic topology detection in Smartscape, auto-baselining, automated error detection, and much more.

Understand Istio, the Kubernetes native service mesh

Istio, currently one of the most popular service meshes, allows you to manage complex micro-service architectures based on configuration—there’s no need to change any application code. Although Istio is essentially platform agnostic, it’s used primarily on Kubernetes-based platforms where it’s used to address a broad spectrum of operational requirements, including simple operations like automatic load balancing and more complex operations like applying rich routing rules, fail overs, or fault injection. Istio manages this with the help of Envoy, a lightweight remote configurable proxy server that can dynamically route traffic through the service mesh. Envoys are injected as sidecars next to each microservice (in Kubernetes these are dedicated containers in the same Pod) and they’re also often used as ingress and egress gateways.

Envoys in Istio Service Mesh

In an Istio managed service mesh the Envoys determine how specific requests should be handled. Therefore Envoys come with basic built-in distributed tracing capabilities based on OpenTracing. One often over-looked fact is that, unless all deployed services/applications propagate trace headers, full end-to-end tracing is not possible. One other drawback is that some manual configuration is required just to make basic tracing work. This combined with the need to manually adapt all microservices often disqualifies Istio managed service mesh as a viable solution with larger, more complex environments.

Easily identify bottlenecks with out-of-the-box service-level insights into your Ingress/Egress Envoys

With OneAgent 1.195 we’ve added the capability to get service level insights for the Ingress and Egress Envoy proxies. This is especially important as they are the gatekeepers for all incoming and outgoing traffic. This works with no manual configuration changes just by deploying OneAgent via the OneAgent Operator or the Helm script on Kubernetes. All this comes with the insights that OneAgent delivers out-of-the-box, like service and application metrics, deep code level insights, automated topology detection, and much more.

If your applications and microservices are already monitored by Dynatrace, OneAgent will take care that the trace headers are automatically propagated through your monitored services and applications—and that sidecar proxies are displayed as proxies in the Service flow.

As soon as Envoy monitoring is activated, Dynatrace begins automatically detecting dedicated services for your Envoy-based Ingress and Egress gateways. You get all the benefits of having the Envoys included in the Davis AI entity model together with automatic baselining and error detection.

Below you can see the Istio-ingressgateway that forwards requests to our Hipster-front-end sample web application.

Envoy-ingress-service

When opening the Service flow from the Istio-ingress controller you can immediately see and understand how your HTTP service calls are distributed through the environment. This allows you to easily identify load and error distribution in addition to bottlenecks.

Service Flow starting at an ingress gateway

The ingress controller is also visible on the PurePath level. This allows you to see all the details of each distributed trace, including the URI, HTTP method and response codes, and timing details. Here you can also investigate all the details about the downstream calls that happen in the context of this single transaction.

Ingress-Controller in the PurePath

As mentioned, all of this works completely out-of-the-box, just by deploying OneAgent in Full Stack mode, ideally directly via the OneAgent Operator or via Helm script. These approaches provide the additional benefit that deployment variants will maintain correct Istio configuration for enabling OneAgent data to reach your Dynatrace environments.

Get started

As soon as you’ve signed up and been accepted into the the Preview program:

  1. Make sure that OneAgent version 1.195+ is deployed on all hosts that your Envoys run on.
  2. Activate Envoy monitoring at Settings > Monitored technologies > Envoy.
    Envoy--start monitoring
  3. Restart your Envoy services.
  4. Make sure that HTTP requests are traversing your Envoys and applications.
  5. Find your Envoys on the Transactions and services page (in large environments, try filtering the list of technologies by Envoy).

How to participate in the Preview program

This is a Preview and therefore only available by subscription. If you’re interested in participating in this Preview, please complete the enrollment form. Once you’ve filled out and submitted the required details, you’ll be contacted by Dynatrace. Please be aware that not all who register for the Preview will be accepted into the program as we may run out of Preview slots. If you have questions regarding the Preview, see Previews and Early Adopter releases.

What’s next?

As you might guess, this is just the beginning. We’ll improve this functionality over the next sprints with:

  • Support for Envoys that run as Istio-Sidecars.
  • gRPC support.
  • Improved OOTB service detection and naming based on Preview feedback.

Stay updated