Introducing NGINX Service Mesh: Features, Architecture, and Getting Started
This article introduces NGINX Service Mesh (NSM), a lightweight, highly integrated service‑mesh solution for Kubernetes that leverages NGINX Plus as a data plane, explains its security, traffic‑management, visualization, and hybrid‑deployment capabilities, outlines its architecture and components, and provides step‑by‑step commands for installation, verification, and sidecar injection.
NGINX Service Mesh (NSM) is a lightweight, highly integrated service mesh, currently released as a development version, that uses the NGINX Plus data plane to manage container traffic in Kubernetes environments. The NSM package is freely downloadable and intended for developers to try in development and testing clusters.
As microservice deployments grow in scale and complexity, service‑to‑service communication becomes difficult to debug and manage. NSM addresses these challenges by centralizing configuration and providing four key capabilities:
Security – All communication is encrypted with mTLS, preventing data leaks, and access‑control policies define which services may talk to each other.
Traffic Management – Users can limit the share of traffic sent to a new service version, apply rate limiting and circuit breaking, and increase that share gradually as the rollout proves itself.
Visualization – Built‑in Grafana dashboards in NGINX Plus expose full metrics, and OpenTracing integration offers fine‑grained transaction tracing.
Hybrid Deployment – NSM works with workloads outside Kubernetes via the NGINX Kubernetes Ingress Controller, ensuring seamless communication across environments.
NSM creates a zero‑trust environment by applying encryption and authentication to container traffic, offering observability, fine‑grained traffic control, and the ability for DevOps teams to deploy and optimize distributed applications.
What Is NGINX Service Mesh?
NSM provides a unified data plane for east‑west (service‑to‑service) traffic and a locally integrated NGINX Plus ingress controller for north‑south traffic, both managed by a dedicated control plane that defines traffic‑management rules for sidecar containers.
The sidecar proxies are deployed alongside each service and integrate with open‑source components such as Grafana, Kubernetes Ingress controllers, SPIRE (certificate authority), NATS (messaging plane), OpenTracing, and Prometheus.
Features and Components
NGINX Plus, as the data plane, spans sidecar proxies (east‑west) and the ingress controller (north‑south) and provides the following features:
Mutual TLS (mTLS) authentication
Load balancing
High availability
Rate limiting
Circuit breaking
Blue‑green and canary deployments
Access control
Getting Started with NSM
To begin using NSM you need a reachable Kubernetes cluster (EKS, AKS, GKE, vSphere, or bare‑metal), the kubectl CLI installed on the host machine, and the NSM release package, which includes the required images and the nginx-meshctl binary.
Deploy NSM with the default settings using the following command (replace $DOCKER_REGISTRY and $MESH_VER with your values):
$ DOCKER_REGISTRY=your-Docker-registry ; MESH_VER=0.6.0; \
./nginx-meshctl deploy \
--nginx-mesh-api-image "${DOCKER_REGISTRY}/nginx-mesh-api:${MESH_VER}" \
--nginx-mesh-sidecar-image "${DOCKER_REGISTRY}/nginx-mesh-sidecar:${MESH_VER}" \
--nginx-mesh-init-image "${DOCKER_REGISTRY}/nginx-mesh-init:${MESH_VER}" \
--nginx-mesh-metrics-image "${DOCKER_REGISTRY}/nginx-mesh-metrics:${MESH_VER}"

After deployment, verify that the control‑plane pods are running in the nginx-mesh namespace:

$ kubectl get pods -n nginx-mesh

By default, the NGINX sidecar is automatically injected into deployed applications. To see the injection, deploy a simple sleep pod and observe the two containers (the application and the sidecar):

$ kubectl apply -f sleep.yaml
$ kubectl get pods -n default

You can expose the sidecar locally to view the NGINX Plus dashboard:

$ kubectl port-forward sleep-674f75ff4d-gxjf2 8080:8886

Then open http://localhost:8080/dashboard.html in a browser. The same approach can be used to connect to the Prometheus server for monitoring the sleep application.
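To make the two verification steps above repeatable, here is an added example (not part of NSM or this article) that audits the JSON from `kubectl get pods -A -o json`: it flags control-plane pods in the nginx-mesh namespace that are not Running, and workload pods whose containers include no nginx-mesh-sidecar image, because such a pod exchanges traffic outside the mesh's mTLS. The registry name, the pod names other than the sleep pod, and the `kube-system` skip list are assumptions; the sample pod list is constructed.

```python
SIDECAR_IMAGE = "nginx-mesh-sidecar"   # image name used in the deploy command above
CONTROL_PLANE_NS = "nginx-mesh"        # namespace checked with `kubectl get pods -n nginx-mesh`


def audit(pod_list, control_plane_ns=CONTROL_PLANE_NS, skip=("kube-system",)):
    """Inspect a pod list in the shape of `kubectl get pods -A -o json`.

    Returns (namespace, pod, problem) tuples. A control-plane pod that is not
    Running means the mesh is not fully up; a workload pod without the sidecar
    image is outside the mesh and its traffic is not protected by mTLS.
    """
    findings = []
    for pod in pod_list["items"]:
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        phase = pod.get("status", {}).get("phase", "Unknown")
        images = [c["image"] for c in pod["spec"]["containers"]]
        if ns == control_plane_ns:
            if phase != "Running":
                findings.append((ns, name, f"control-plane pod phase={phase}"))
            continue
        if ns in skip:
            continue
        if not any(SIDECAR_IMAGE in img for img in images):
            findings.append((ns, name, "no NGINX sidecar (traffic bypasses mesh mTLS)"))
        elif phase != "Running":
            findings.append((ns, name, f"phase={phase}"))
    return findings


def _pod(ns, name, phase, *images):
    """Build one pod object in the shape kubectl emits (constructed sample data)."""
    return {"metadata": {"namespace": ns, "name": name},
            "status": {"phase": phase},
            "spec": {"containers": [{"name": f"c{i}", "image": img}
                                    for i, img in enumerate(images)]}}


# Constructed sample: one healthy and one pending control-plane pod, the sleep
# pod with its sidecar, and an assumed legacy pod that never got injected.
SAMPLE = {"items": [
    _pod("nginx-mesh", "nginx-mesh-api-7c9d5", "Running", "registry.example/nginx-mesh-api:0.6.0"),
    _pod("nginx-mesh", "nginx-mesh-metrics-5b6f", "Pending", "registry.example/nginx-mesh-metrics:0.6.0"),
    _pod("default", "sleep-674f75ff4d-gxjf2", "Running",
         "registry.example/sleep:1.0", "registry.example/nginx-mesh-sidecar:0.6.0"),
    _pod("default", "legacy-5d8f9", "Running", "registry.example/legacy:2.3"),
]}

if __name__ == "__main__":
    for ns, name, problem in audit(SAMPLE):
        print(f"{ns}/{name}: {problem}")
```

Against a live cluster, feed it `json.load(...)` of `kubectl get pods -A -o json`; an empty result means every workload pod carries the sidecar and the control plane is up.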
Custom resources in Kubernetes allow you to configure traffic policies such as access control, rate limiting, and circuit breaking. Refer to the official documentation for more details.
Summary
NGINX Service Mesh is available for free download from the F5 portal. Try it in your development and testing environments and provide feedback on the GitHub repository.
Architect
Professional architect sharing high‑quality architecture insights. Topics include high‑availability, high‑performance, high‑stability architectures, big data, machine learning, Java, system and distributed architecture, AI, and practical large‑scale architecture case studies. Open to ideas‑driven architects who enjoy sharing and learning.