Cloud Native 17 min read

Design and Implementation of a Service Mesh Architecture for HTTP Traffic Governance

This document details the motivation, technology selection, overall architecture, data‑plane and control‑plane design, key implementation challenges such as HTTPS interception, precise URL monitoring, and plugin extensibility, and outlines future directions for scaling service mesh within the organization.

58 Tech

The rapid growth of micro‑service and container technologies exposed limitations in traditional SDK‑based architectures, prompting the adoption of a service‑mesh framework to handle both east‑west (server‑to‑server) and north‑south (client‑to‑server) traffic while minimizing impact on business logic.

Technology selection focused on reusing existing infrastructure: MOSN was chosen as the data‑plane proxy over Envoy because of language compatibility with the existing code base, and the control‑plane was built by extending the company's existing service‑governance system rather than adopting Istio, reducing learning and migration costs.

The overall architecture separates the data‑plane and control‑plane. The data‑plane runs as sidecar containers, intercepting traffic via iptables, communicating with the control‑plane through bidirectional streams, and reporting metrics. The control‑plane provides rule distribution, monitoring aggregation, and management services, integrating with existing alerting, service discovery, and monitoring systems.

Key designs include:

HTTPS traffic interception using iptables, dnsmasq, and ipset combined with a man‑in‑the‑middle approach, which requires that clients written in multiple languages trust the mesh's root certificate.

Precise URL monitoring by matching dynamic request paths against configured URL patterns, which reduces the volume of monitoring data and yields accurate per‑endpoint statistics.

Plugin extensibility via multi‑container, multi‑process deployment, allowing language‑agnostic plugins, high isolation, and seamless, zero‑downtime upgrades managed by the underlying platform.
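The URL‑pattern matching behind the precise monitoring design, as an added example (not code from the article or from MOSN): request paths are normalized to the first configured template they match, so metrics are keyed by template rather than by raw path. The templates, the brace/asterisk syntax and the "_other_" bucket are assumptions for illustration; in the mesh the templates would be pushed to the sidecar by the control plane.

```go
package main

import (
	"fmt"
	"strings"
)

func split(p string) []string { return strings.Split(strings.Trim(p, "/"), "/") }

// Match reports whether path fits a template such as "/users/{id}/orders/{oid}":
// a segment in braces accepts any one dynamic value, a trailing "*" the rest.
func Match(template, path string) bool {
	tsegs, segs := split(template), split(path)
	for i, ts := range tsegs {
		if ts == "*" && i == len(tsegs)-1 {
			return true
		}
		if i >= len(segs) {
			return false
		}
		if strings.HasPrefix(ts, "{") && strings.HasSuffix(ts, "}") {
			continue // dynamic segment: any value accepted
		}
		if ts != segs[i] {
			return false
		}
	}
	return len(segs) == len(tsegs)
}

// Normalize returns the first template the request path matches, so metrics are
// keyed by template rather than raw path. The query string is dropped first and
// unmatched paths collapse to "_other_", so random URLs cannot inflate cardinality.
func Normalize(templates []string, path string) string {
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	for _, t := range templates {
		if Match(t, path) {
			return t
		}
	}
	return "_other_"
}

func main() {
	templates := []string{"/users/{id}", "/users/{id}/orders/{oid}", "/static/*"}
	for _, req := range []string{"/users/42", "/users/42/orders/7?x=1", "/static/js/app.js", "/admin"} {
		fmt.Printf("%-24s -> %s\n", req, Normalize(templates, req))
	}
}
```

Collapsing unmatched paths into a single bucket is what keeps the metric series bounded when clients send arbitrary or probing URLs.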

Future work aims to improve performance, enhance security and compliance, and foster a more open ecosystem supporting third‑party extensions and protocol conversion.

Tags: microservices, Kubernetes, Plugin Architecture, Service Mesh, Control Plane, Data Plane, HTTP traffic
Written by

58 Tech

Official tech channel of 58, a platform for tech innovation, sharing, and communication.
