Deploying Service Mesh (Beta)

This topic describes how to deploy service mesh for Cloud Foundry. Following this procedure deploys an new routing plane consisting of three VMs. This routing plane runs in parallel to the existing HTTP and TCP routers. For more information, see Service Mesh (Beta).

This routing plane provides additional features, such as the ability to configure routing weights for apps. For more information, see Using Weighted Routing (Beta).


This procedure requires that you have deployed Cloud Foundry using cf-deployment. For more information, see Deploying Cloud Foundry with cf-deployment.

Deploy Cloud Foundry with the Istio Ops File

To deploy Cloud Foundry with service mesh, do the following:

  1. Clone the istio-release repository:

    git clone
  2. In the istio-release repository, run the following command:

  3. (Optional) To use a domain other than istio.CF-APPS-DOMAIN for Istio routes, modify the temporary_istio_domains property in the ops file deploy/cf-deployment-operations/add-istio.yml.

  4. (Optional) To enable TLS termination at the Istio router, add a frontend_tls_keypairs property to the copilot job in the ops file deploy/cf-deployment-operations/add-istio.yml. This step is strongly recommended for security.

      - cert_chain: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
      - private_key: |
        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----


    • YOUR-CERTIFICATE is your TLS certificate.
    • YOUR-PRIVATE-KEY is the private key pair to your TLS certificate.

    During deployment, the routing plane integrates the certificates with any Istio routes. All routes created using the Istio routing plane then use TLS.

  5. Create and upload the Istio release with BOSH:

    bosh create-release && bosh upload-release
  6. Deploy your cf-deployment with the Istio ops file:

    bosh -e YOUR-ENV -d cf deploy PATH-TO-CF-MANIFEST -v PATH-TO-VARIABLES \
    -o deploy/cf-deployment-operations/add-istio.yml


    • YOUR-ENV is the name of the BOSH environment that contains your CF deployment.
    • PATH-TO-CF-MANIFEST is the path to the manifest file for your CF deployment.
    • PATH-TO-VARIABLES is the path to the variables file for your CF deployment.

    For example:

    $ bosh -e my-env -d cf deploy ~/workspace/cf-deployment/cf-deployment.yml -v cf-deployment/cf-deployment.yml \
    -o deploy/cf-deployment-operations/add-istio.yml
  7. Once you deploy with the ops file, you can run bosh vms to see the new VMs in your deployment: istio-router, istio-control, and cc-route-syncer.

Configure Load Balancing

When you deploy a Cloud Foundry with service mesh, you must set up a new load balancer to communicate with the Istio routers.

To configure load balancing, choose one of the following procedures that correspond to your use case:

Configure with bbl

If you deployed CF on GCP using bbl, you can use a custom bbl-config to set up load balancers that point to the Istio routers.

To configure load balancing with bbl, do the following:

  1. In a terminal window, navigate to the bosh-bootloader repository from which you initially ran bbl up to pave your infrastructure.

    cd bosh-bootloader
  2. Run the following command to copy the cloud-config file from your istio-release directory to the bosh-bootloader directory:

    cp ~/workspace/istio-release/deploy/bbl-config/cloud-config/istio.yml cloudconfig/gcp/fixtures/
  3. Copy the following Terraform template from the istio-release directory to the bosh-bootloader directory:

    cp ~/workspace/istio-release/deploy/bbl-config/terraform/ terraform/gcp/templates/
  4. Run bbl up.

Configure Manually

To configure your load balancer, do the following. The exact procedure varies by IaaS.

  1. Create a load balancer with a static IP.
  2. Configure the backends of the load balancer to be the istio-router VMs. You can retrieve the IPs of the router VMs by running bosh vms.
  3. Configure the health check to be port 8002 and path /healthcheck.
  4. Add firewall rules for the load balancer to allow HTTP port 80, TLS on 443, and HTTP on 8002 for the healthcheck.
  5. Create a new DNS name that resolves to the IP of the load balancer. By default this must be *.istio.CF-APPS-DOMAIN. If you modified the temporary_istio_domains field in the ops file, use the domain you specified.

Create a Domain

You must create a new domain dedicated to service mesh. Routes pushed to this domain are handled by the Istio router, and can take advantage of service mesh features like weighted routing.

To create a domain, do the following:

  1. Using the CF CLI, create a new apps domain that matches the DNS name created when configuring load balancing. For example:

    cf create-shared-domain
View the source for this page in GitHub