Comprehensive Guide to Deploying Istio Service Mesh on Azure Kubernetes Service (AKS): In-Depth Setup, Best Practices, and Practical Examples

Introduction

Kubernetes has transformed the way modern applications are deployed and managed, but as microservices architectures grow, managing traffic, security, and observability becomes increasingly complex. This is where service meshes like Istio come into play, providing a powerful abstraction layer to handle these concerns transparently.

Azure Kubernetes Service (AKS) now offers a streamlined way to deploy Istio as a managed add-on, simplifying installation and integration. This comprehensive guide covers everything intermediate to advanced Kubernetes administrators need to know to deploy, configure, and operate Istio on AKS effectively.


What is Istio Service Mesh and Why Use It on AKS?

Istio is an open-source service mesh that provides advanced traffic management, security, and observability capabilities by injecting lightweight proxies (Envoy sidecars) alongside your application containers. This enables fine-grained control over service-to-service communication without changing application code.

Benefits of using Istio on AKS:

  • Traffic routing and control: Canary deployments, traffic splitting, fault injection.
  • Security: Mutual TLS encryption, authorization policies.
  • Observability: Distributed tracing, metrics, and logging.
  • Policy enforcement: Rate limiting, quotas.

By leveraging the AKS Istio add-on, you gain a fully managed control plane integrated with Azure, reducing operational overhead while adopting best practices.


Prerequisites and Environment Setup

Before deploying Istio on AKS, ensure the following prerequisites are met:

  • Azure CLI version 2.57.0 or later installed. Check with:

    az --version
    
  • Familiarity with Kubernetes and kubectl.

  • An AKS cluster running Kubernetes version 1.23 or higher.

  • Clean up any existing Istio CRDs or self-managed Istio resources to avoid conflicts:

    kubectl delete crd $(kubectl get crd -A | grep "istio.io" | awk '{print $1}')
    
  • Set environment variables for convenience:

    export CLUSTER=<your-cluster-name>
    export RESOURCE_GROUP=<your-resource-group>
    export LOCATION=<your-azure-region>
    
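A preflight script for the prerequisites above, added here as an example and not part of the original guide: it compares the installed CLI and cluster versions against the minimums the guide states and lists any leftover istio.io CRDs that the cleanup command would delete. The `az --version` and `kubectl get crd` outputs below are constructed samples.

```shell
#!/usr/bin/env bash
# Added preflight check for the Istio add-on prerequisites (example code, not from the guide).
# Minimum versions are the ones stated above; the sample command outputs are constructed.

# version_ge A B: succeed when dotted version A >= B (relies on `sort -V`).
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# az_cli_version: pull the azure-cli version out of `az --version` output on stdin
# (the first line normally reads "azure-cli   <version>").
az_cli_version() {
  awk '$1 == "azure-cli" { print $2; exit }'
}

# istio_crds: from `kubectl get crd` output on stdin, print the CRD names the
# cleanup command in the prerequisites would remove (any *.istio.io group).
istio_crds() {
  awk 'NR > 1 && $1 ~ /istio\.io$/ { print $1 }'
}

# preflight AZ_VERSION K8S_VERSION LEFTOVER_CRD_COUNT: return 0 only when every
# prerequisite holds, otherwise print each failing check and return 1.
preflight() {
  local az="$1" k8s="${2#v}" crds="$3" ok=0
  version_ge "$az" "2.57.0"  || { echo "azure-cli $az is older than 2.57.0"; ok=1; }
  version_ge "$k8s" "1.23.0" || { echo "kubernetes $k8s is older than 1.23"; ok=1; }
  [ "$crds" -eq 0 ] || { echo "$crds leftover istio.io CRDs: run the cleanup first"; ok=1; }
  return "$ok"
}

# Constructed stand-ins for `az --version` and `kubectl get crd` output.
SAMPLE_AZ='azure-cli                         2.61.0
core                              2.61.0
telemetry                          1.1.0'
SAMPLE_CRD='NAME                                    CREATED AT
virtualservices.networking.istio.io     2024-05-01T10:00:00Z
peerauthentications.security.istio.io   2024-05-01T10:00:00Z
healthstates.azmon.container.insights   2024-04-01T09:00:00Z'

# Against a live cluster the pieces are wired together like this:
#   preflight "$(az --version | az_cli_version)" \
#             "$(kubectl version -o json | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p' | tail -n1)" \
#             "$(kubectl get crd | istio_crds | wc -l)"
```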

Installing the Istio Add-on on AKS

1. Understand Available Istio Revisions

AKS supports multiple Istio revisions to maintain compatibility with Kubernetes cluster versions. To list available revisions in your region:

az aks mesh get-revisions --location ${LOCATION} -o table

Choose an appropriate revision, e.g., asm-1-24.

2. Install During AKS Cluster Creation

You can enable the Istio add-on when creating a new AKS cluster:

az group create --name ${RESOURCE_GROUP} --location ${LOCATION}

az aks create \
    --resource-group ${RESOURCE_GROUP} \
    --name ${CLUSTER} \
    --enable-asm \
    --generate-ssh-keys

To specify a revision explicitly:

az aks create \
    --resource-group ${RESOURCE_GROUP} \
    --name ${CLUSTER} \
    --enable-asm \
    --revision asm-1-24 \
    --generate-ssh-keys

3. Enable Istio on Existing AKS Cluster

If you already have an AKS cluster, enable Istio add-on with:

az aks mesh enable --resource-group ${RESOURCE_GROUP} --name ${CLUSTER}

Important:

  • You cannot enable Istio if the Open Service Mesh (OSM) add-on is present. Uninstall OSM first.
  • Istio add-on requires AKS version 1.23 or later.

4. Node Scheduling Considerations

If you want istiod and gateway pods on specific nodes, label your nodes or use AKS system pools. Istio pods have affinity rules favoring nodes labeled:

  • kubernetes.azure.com/mode: system with weight 100
  • azureservicemesh/istio.replica.preferred: true with weight 50

This helps isolate control plane components for reliability.


Verifying the Deployment

After installation:

  1. Confirm Istio is enabled:

    az aks show --resource-group ${RESOURCE_GROUP} --name ${CLUSTER} --query 'serviceMeshProfile.mode'

    Output should be:

    "Istio"

  2. Fetch cluster credentials:

    az aks get-credentials --resource-group ${RESOURCE_GROUP} --name ${CLUSTER}

  3. Check the Istio control plane pods:

    kubectl get pods -n aks-istio-system

You should see pods like istiod-asm-1-24 running:

NAME                               READY   STATUS    RESTARTS   AGE
istiod-asm-1-24-74f7f7c46c-xfdtl   1/1     Running   0          2m
...

Enabling Automatic Sidecar Injection

Istio injects an Envoy proxy as a sidecar container into your pods to enable the service mesh features.

1. Label the Namespace with Istio Revision

The Istio add-on requires explicit revision labeling for sidecar injection. First, check installed revisions:

az aks show --resource-group ${RESOURCE_GROUP} --name ${CLUSTER} --query 'serviceMeshProfile.istio.revisions'

Then label your namespace (e.g., default) with the installed revision:

kubectl label namespace default istio.io/rev=asm-1-24

Note: The older label istio-injection=enabled will not work and will cause injection to be skipped.

2. Deploy or Restart Workloads

For new deployments, the sidecar will be injected automatically.

For existing workloads, restart deployments to trigger injection:

kubectl rollout restart -n <namespace> deployment/<deployment-name>

Verify sidecar presence:

kubectl describe pod -n <namespace> <pod-name>

Look for a container named istio-proxy alongside your application container.
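A check for the injection setup in this section, added here as an example (not from the original guide): it confirms the namespace carries an `istio.io/rev` label matching an installed revision, flags the legacy `istio-injection=enabled` label that the add-on ignores, and reports pods that have no `istio-proxy` container. The label string and pod listing below are constructed samples in the shape `kubectl get ns --show-labels` and a jsonpath pod query produce.

```shell
#!/usr/bin/env bash
# Added sidecar-injection check for the AKS Istio add-on (example code, not from the guide).
# Sample kubectl output is constructed; the helper names are this example's own.

# ns_injection_status LABELS INSTALLED_REVS
#   LABELS: the LABELS column of `kubectl get ns <ns> --show-labels` (comma-separated).
#   INSTALLED_REVS: revisions from `az aks show ... --query 'serviceMeshProfile.istio.revisions' -o tsv`
#   (whitespace-separated). Returns 0 only when injection will actually happen.
ns_injection_status() {
  local labels="$1" installed rev
  installed=$(printf '%s' "$2" | tr '\t\n' '  ')
  case ",$labels," in
    *,istio-injection=enabled,*)
      echo "legacy label istio-injection=enabled is ignored by the add-on: injection skipped"
      return 1 ;;
  esac
  rev=$(printf '%s\n' "$labels" | tr ',' '\n' | sed -n 's#^istio\.io/rev=##p')
  if [ -z "$rev" ]; then
    echo "no istio.io/rev label: injection skipped"; return 1
  fi
  case " $installed " in
    *" $rev "*) echo "ok: istio.io/rev=$rev matches an installed revision"; return 0 ;;
    *) echo "istio.io/rev=$rev is not installed (installed: $installed)"; return 1 ;;
  esac
}

# pods_missing_sidecar: reads lines of "<pod>\t<container names>" on stdin, as produced by
#   kubectl get pods -n <ns> -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
# and prints every pod that has no istio-proxy container.
pods_missing_sidecar() {
  awk -F'\t' '{
    n = split($2, c, " "); found = 0
    for (i = 1; i <= n; i++) if (c[i] == "istio-proxy") found = 1
    if (!found) print $1
  }'
}

# Constructed pod listing: ratings was created before the namespace was labeled
# and never restarted, so it still runs without a sidecar.
SAMPLE_PODS="$(printf 'productpage-v1-abc\tproductpage istio-proxy\nratings-v1-def\tratings\nreviews-v1-ghi\treviews istio-proxy\n')"
```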


Testing with a Sample Application

To validate your Istio mesh, deploy the Bookinfo sample application:

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/bookinfo/platform/kube/bookinfo.yaml

Check deployed services:

kubectl get services

Expected services include:

NAME          TYPE        CLUSTER-IP     PORT(S)    AGE
productpage   ClusterIP   10.0.x.x       9080/TCP   1m
ratings       ClusterIP   10.0.x.x       9080/TCP   1m
reviews       ClusterIP   10.0.x.x       9080/TCP   1m
details       ClusterIP   10.0.x.x       9080/TCP   1m

Check pods to ensure sidecars are injected:

kubectl get pods

Pods will show 2/2 containers ready, where the second container is the Envoy proxy (istio-proxy).


Advanced Tips and Best Practices

Using istioctl with AKS Add-on

When using istioctl for debugging or manual injection, specify the namespace and revision:

kubectl apply -f <(istioctl kube-inject -f sample.yaml -i aks-istio-system -r asm-1-24) -n foo

Scaling Istio Components

For production workloads, consider scaling istiod and gateways using Horizontal Pod Autoscalers (HPA) to handle load.

Network Policies and Egress Gateways

Implement egress gateways for controlling outbound traffic and enforce network policies for security.

Monitoring and Observability

Leverage Azure Managed Prometheus integration to collect Istio metrics and integrate with Azure Monitor for centralized observability.

Handling HTTP Proxies

If your cluster uses an outbound HTTP proxy, configure Istio Service Entries accordingly to allow external communication.


Conclusion

Deploying Istio as a managed add-on in AKS simplifies the introduction of a powerful service mesh into your Kubernetes environment. By following this detailed guide, you can set up Istio with best practices, enabling advanced traffic management, security, and observability for your microservices.

With Istio on AKS, you gain cloud-native service mesh capabilities fully integrated with Azure tools, empowering your teams to build resilient, secure, and observable distributed applications.


Additional Resources


Deploying and managing Istio on AKS is a strategic step towards operational excellence in cloud-native application architectures. Start experimenting with the Istio add-on on your AKS clusters today to unlock advanced service mesh capabilities with minimal effort.