2026-05-19
Once you have more than a handful of services talking to each other, the same problems show up everywhere: mutual TLS, retries, timeouts, circuit breaking, traffic splitting, observability. You can solve them in every service (and every language) — or you can push them down into the network layer.
A service mesh deploys a lightweight proxy (the "data plane") alongside every service instance — typically as a sidecar like Envoy. All inbound and outbound traffic flows through that proxy. A central control plane (Istio, Linkerd, Consul) pushes configuration to every proxy: who can talk to whom, what timeouts apply, what percentage of traffic goes to the canary, what certificates to use.
The result: your application code makes a plain HTTP call to http://billing. The proxy adds mTLS, retries on 503, records latency metrics, enforces a 2-second timeout, and routes 5% of traffic to v2 — none of which the developer wrote.
Real-world example: A fintech company runs 60 microservices across Go, Java, Python, and Node. Each language has a different HTTP client with different retry semantics, and rolling out a TLS cert rotation means coordinating 60 deploys. After installing Linkerd, they delete the retry/timeout/TLS code from every service. A platform engineer rotates certs by updating one CRD; the proxies pick it up in seconds. Canary deploys move from "ship a feature flag through every service" to a single VirtualService YAML that shifts 1% → 10% → 50% → 100% of traffic.
What you give up:
When to reach for it: You have 10+ services, multiple languages, and you're already writing the same retry/TLS/observability code over and over. Below that threshold, a shared library or API gateway is usually cheaper.
When to skip it: Monolith, three services in one language, or a team without dedicated platform engineering. The mesh is infrastructure — someone has to own it.