Splitting carrying from controlling
A service mesh manages service-to-service communication by inserting a proxy next to every service instance. These proxies form the data plane, the part that actually carries application traffic.
A separate control plane configures those proxies. It does not touch request bytes. Instead it pushes policy, routing rules, and certificates down to the data plane.
What the data plane does
Each data plane proxy intercepts traffic entering and leaving its service and applies:
- Load balancing across healthy instances.
- Retries and timeouts for resilience.
- Mutual TLS for encryption in transit and authenticated service identity.
- Metrics and tracing for every call.
Why the split matters
Because the data plane is many small proxies handling live traffic, it must be fast and resilient. The control plane can be slower and even briefly unavailable, since proxies keep using their last known configuration. This separation lets operators change policy centrally while traffic keeps flowing.
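The last-known-configuration behaviour described above, as an added example that is not from the original page: a toy control plane and sidecar proxy in which the proxy keeps routing while the control plane is unreachable. The class names, config fields and backend addresses are constructed for illustration and do not model any particular mesh's API.

```python
import itertools

class ControlPlane:
    """Holds policy centrally; it never sees request bytes."""
    def __init__(self):
        self.version, self.config, self.available = 0, {}, True

    def set_policy(self, backends, retries):
        self.version += 1
        self.config = {"version": self.version,
                       "backends": list(backends), "retries": retries}

    def fetch(self):
        if not self.available:
            raise ConnectionError("control plane unreachable")
        return dict(self.config)

class Proxy:
    """Data plane sidecar: carries traffic using its last known configuration."""
    def __init__(self):
        self.config, self._rr = None, None

    def sync(self, control_plane):
        """Try to refresh config; on failure keep what we already have."""
        try:
            new = control_plane.fetch()
        except ConnectionError:
            return False  # stale config stays in force
        if self.config is None or new["version"] != self.config["version"]:
            self.config = new
            self._rr = itertools.cycle(new["backends"])
        return True

    def handle(self, request_bytes, healthy):
        """Round-robin over backends, retrying past unhealthy ones."""
        if self.config is None:
            raise RuntimeError("no configuration received yet")
        for _ in range(self.config["retries"] + 1):
            backend = next(self._rr)
            if backend in healthy:
                return backend, self.config["version"]
        return None, self.config["version"]

def demo():
    """Constructed scenario: policy push, then a control plane outage."""
    cp, px = ControlPlane(), Proxy()
    cp.set_policy(["a:8080", "b:8080"], retries=1)
    px.sync(cp)
    cp.available = False  # outage: sync fails, traffic still flows
    return px.sync(cp), px.handle(b"GET /", healthy={"b:8080"})
```

`demo()` returns the failed sync result together with the backend and config version the proxy still used to serve the request.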
Key idea
The data plane is the fleet of proxies that carry traffic, configured by a separate control plane that never touches request bytes.