Explore the fundamental concepts of service mesh control planes, focusing on features, architecture, protocols, and best practices. This quiz helps you review key aspects of service mesh operation, security, and observability across popular platforms and implementations.
Which of the following best describes the primary responsibility of the control plane in a service mesh architecture?
Explanation: The control plane manages service discovery, configurations, and policies, which are critical for controlling how mesh services interact. It does not directly handle data traffic; that's the responsibility of the data plane. Storing application data and monitoring hardware utilization are outside the primary functions of a service mesh control plane, as these relate to storage and host-level monitoring, respectively.
In the context of a service mesh, what is the main function of a sidecar proxy injected alongside an application instance?
Explanation: Sidecar proxies intercept and manage all inbound and outbound network traffic for their associated service instance, allowing consistent policy enforcement and observability. They do not store configuration files, interpret user interfaces, or compile source code, which are tasks handled by other components or stages in the application lifecycle.
Which feature provided by the control plane allows services within a mesh to automatically find and communicate with each other, even as IP addresses change?
Explanation: Service discovery enables dynamic detection of service instances, accommodating changing IPs and scaling. Automatic certificate rotation deals with security, rate limiting with traffic management, and static routing does not handle dynamic service endpoint updates.
If you want to gradually shift 20% of user requests to a new version of your service, which service mesh control plane capability would you use?
Explanation: Traffic splitting allows you to direct a defined percentage of traffic to new service versions for canary deployments or gradual rollouts. Circuit breaking prevents overloaded services from failing, A/B testing typically refers to experimental comparison in user interfaces, and sidecar injection is about deploying sidecar proxies, not managing traffic distribution.
How does enabling mutual TLS (mTLS) in a service mesh enhance security between services?
Explanation: Mutual TLS encrypts communication and ensures both client and server authenticate each other, securing service-to-service connections. Load balancing distributes traffic, service discovery focuses on locating services, and mTLS does not make other access controls unnecessary.
Which scenario best illustrates the policy enforcement capability of a service mesh control plane?
Explanation: Policy enforcement involves defining and enforcing access controls and behavioral policies, such as time-based restrictions. Metrics generation is about observability, sidecar injection is related to deployment, and serving documentation is unrelated to runtime policy enforcement.
What is the main purpose of observability features in the service mesh control plane?
Explanation: Observability makes it possible to monitor interactions, latency, errors, and network topology within the mesh. Security controls manage access, data encryption is handled by other systems, and code compilation is managed externally from the mesh.
Why is declarative configuration preferred for managing service mesh policies and resources?
Explanation: Declarative configuration lets operators define what they want the system to look like, letting the system implement it automatically. This improves flexibility and reduces human error. Manual updates are avoided, log storage is unrelated, and rewriting network packets is not enabled by declarative configuration.
Which concept describes a security model where all internal and external communication requires authentication and authorization, often implemented via the service mesh control plane?
Explanation: Zero Trust Network advocates that all entities, regardless of network location, must verify identity and have explicit permission. Open source networking is a development model. Flat topology doesn’t provide inherent security, and Trusted Perimeter is a traditional, less secure approach.
What type of telemetry data is typically collected by a service mesh control plane for monitoring health and performance?
Explanation: Service mesh telemetry focuses on network and communication metrics such as latency, request success, and volume. Disk usage and UI loading times are monitored elsewhere, and relying solely on error logs omits vital operational insights.
What is the primary role of the data plane in a service mesh compared to the control plane?
Explanation: The data plane is responsible for processing and forwarding service-to-service traffic according to the rules received from the control plane. Access policy management, configuration storage, and administrative dashboards are managed elsewhere.
What does the term 'service mesh' refer to when discussing cloud-native architectures?
Explanation: A service mesh is a dedicated infrastructure layer that transparently handles service-to-service communication. It is not a storage protocol, a server, or a dedicated firewall appliance.
How can a service mesh control plane simplify rolling updates or blue-green deployments?
Explanation: Control planes provide traffic management features that enable dynamic traffic switching, essential for safe rollouts. Compiling code and host file edits are not part of the mesh role, while resource allocation changes do not manage traffic routing.
Which service mesh capability helps protect services by temporarily blocking requests to a failing or unhealthy service instance?
Explanation: Circuit breaking prevents overloading unhealthy services by stopping requests until recovery. Traffic mirroring copies requests, request rewriting alters requests, and header injection adds header fields, none of which directly protect services from failures.
Why is a service mesh control plane beneficial for multi-cluster or hybrid cloud environments?
Explanation: A control plane provides a unified interface for managing multiple clusters, improving consistency and reducing errors. Increasing latency and disabling monitoring are not benefits, while restricting to one data center defeats the purpose of hybrid or multi-cluster configurations.
How does a service mesh control plane enable granular access control between different services?
Explanation: The control plane creates fine-grained access rules based on service identity and policies. Storage limitations, code rewriting, and scheduling are unrelated to access control enforcement within a mesh.