github.com/outbrain/consul@v1.4.5/website/source/intro/vs/istio.html.md (about)

     1  ---
     2  layout: "intro"
     3  page_title: "Consul vs. Istio"
     4  sidebar_current: "vs-other-istio"
     5  description: |-
     6    Istio is a platform for connecting and securing microservices. This page describes the similarities and differences between Istio and Consul.
     7  ---
     8  
     9  # Consul vs. Istio
    10  
    11  Istio is an open platform to connect, manage, and secure microservices.
    12  
    13  To enable the full functionality of Istio, multiple services must
    14  be deployed. For the control plane: Pilot, Mixer, and Citadel must be
    15  deployed and for the data plane an Envoy sidecar is deployed. Additionally,
    16  Istio requires a 3rd party service catalog from Kubernetes, Consul, Eureka,
    17  or others. Finally, Istio requires an external system for storing state,
    18  typically etcd. At a minimum, three Istio-dedicated services along with at
    19  least one separate distributed system (in addition to Istio) must be
    20  configured to use the full functionality of Istio.
    21  
    22  Istio provides layer 7 features for path-based routing, traffic shaping,
    23  load balancing, and telemetry. Access control policies can be configured
    24  targeting both layer 7 and layer 4 properties to control access, routing,
    25  and more based on service identity.
    26  
    27  Consul is a single binary providing both server and client capabilities, and
    28  includes all functionality for service catalog, configuration, TLS certificates,
    29  authorization, and more. No additional systems need to be installed to use
    30  Consul, although Consul optionally supports external systems such as Vault
    31  to augment behavior. This architecture enables Consul to be easily installed
    32  on any platform, including directly onto the machine.
    33  
    34  Consul uses an agent-based model where each node in the cluster runs a
    35  Consul Client. This client maintains a local cache that is efficiently updated
    36  from servers. As a result, all secure service communication APIs respond in
    37  microseconds and do not require any external communication. This allows us to
    38  do connection enforcement at the edge without communicating to central
    39  servers. Istio flows requests to a central Mixer service and must push
    40  updates out via Pilot. This dramatically reduces the scalability of Istio,
    41  whereas Consul is able to efficiently distribute updates and perform all
    42  work on the edge.
    43  
    44  The data plane for Consul is pluggable. It includes a built-in proxy with
    45  a larger performance trade off for ease of use. But you may also use third
    46  party proxies such as Envoy. The ability to use the right proxy for the job
    47  allows flexible heterogeneous deployments where different proxies may be
    48  more correct for the applications they're proxying.
    49  
    50  In addition to third party proxy support, applications can natively integrate
    51  with the Connect protocol. As a result, the performance overhead of introducing
    52  Connect is negligible. These "Connect-native" applications can interact with
    53  any other Connect-capable services, whether they're using a proxy or are
    54  also Connect-native.
    55  
    56  Consul enforces authorization and identity to layer 4 only -- either the TLS
    57  connection can be established or it can't. We believe
    58  service identity should be tied to layer 4, whereas layer 7 should be used
    59  for routing, telemetry, etc. We encourage users to use the pluggable data
    60  plane layer to use a proxy that supports the layer 7 features necessary
    61  for the cluster. Consul will be adding more layer 7 features in the future.
    62  
    63  Consul implements automatic TLS certificate management complete with rotation
    64  support. Both leaf and root certificates can be rotated automatically across
    65  a large Consul cluster with zero disruption to connections. The certificate
    66  management system is pluggable through code change in Consul and will be
    67  exposed as an external plugin system shortly. This enables Consul to work
    68  with any PKI solution.
    69  
    70  Because Consul's service connection feature "Connect" is built-in, it
    71  inherits the operational stability of Consul. Consul has been in production
    72  for large companies since 2014 and is known to be deployed on as many as
    73  50,000 nodes in a single cluster.
    74  
    75  This comparison is based on our own limited usage of Istio as well as
    76  talking to Istio users. If you feel there are inaccurate statements in this
    77  comparison, please click "Edit This Page" in the footer of this page and
    78  propose edits. We strive for technical accuracy and will review and update
    79  this post for inaccuracies as quickly as possible.