Service Mesh Overview

Oracle Cloud Infrastructure Service Mesh allows you to add a set of capabilities that enables microservices within a cloud native application to communicate with each other in a centrally managed and secure manner. Adding a service mesh is done by deploying a proxy alongside each microservice, which receives configuration information from a managed control plane. Service Mesh includes standardized patterns around observability, security, and traffic management for communication between microservices.

Companies continue to build net-new applications in a cloud native architecture or modernize their applications using containerization techniques using microservice-based approaches. Service Mesh makes it easier for you to develop and operate their cloud native applications.

Why Service Mesh?

With a service mesh, you can automatically add features to your cloud native microservice application. Manage security, control traffic, and add observability features without changing your application's source code.

With Service Mesh you can:

  • Secure: Access Policies are the major tool for injecting security components into the application while having no effect on the underlying programming logic. With access policies, a service mesh assists you in eliminating network partitioning at transport layer boundaries. You can use identities and encryption for all communication between mutually authenticated services by the service mesh. Adding permission checks imposed by policies you set, adopts a zero-trust security architecture, automatically and declaratively.
  • Connect: Traffic Management features allow you to do canary deployment. When you publish a new version of your code to production, you only allow a portion of traffic to reach it. The feature enables you to deploy quicker and causes the least amount of disturbance to your application. You define routing rules that govern all inter-service communication inside the mesh. You might route a portion of the traffic to a certain version of the service.
  • Observe: The Service Mesh default observability features collect telemetry data throughout the service mesh. Installing Prometheus and Grafana is all that is required to get started with crucial metrics like latency, failures, and requests. In addition, you might activate OCI Logging after your application is mesh enabled. Service Mesh proxies provide two types of logs: error logs and traffic logs. These logs might be used to generate log-based statistics or to debug 404 and 503 issues.

Ways to Access Service Mesh

You can access Service Mesh by using the console (a browser-based interface), OCI CLI, or REST APIs, Kubernetes CLI tool kubectl, and Helm.

This guide includes instructions for using these methods.

Resource Identifiers

Service Mesh resources, like most types of resources in Oracle Cloud Infrastructure, have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).

Service Mesh components with OCIDs are:

  • service mesh
  • virtual service
  • virtual service route table
  • virtual deployment
  • ingress gateway
  • ingress gateway route table
  • access policy
  • work request

For information about the OCID format and other ways to identify your resources, see Resource Identifiers.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups, compartments , and policies  that control which users can access which services, and which resources, and the type of access they have. For example, policies control who can create users, groups, and compartments, or who can create and manage virtual deployments.

Service Limits

See Service Limits for a list of applicable limits and instructions for requesting a limit increase. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.


There are no charges for using OCI Service Mesh. Customers only pay for the infrastructure required to run the proxy component that runs alongside the application.

For more information on Oracle Cloud Infrastructure pricing, see the Cloud Price List.