Evolution of Ant Financial Service Mesh: Capabilities, Design, and Operational Practices

In 2019 Service Mesh was deployed at Ant Financial to support the Double‑11 core transaction flow, and a series of articles previously described that rollout. Over the past year the platform has continued to evolve, and this article presents the post‑Double‑11 explorations and lessons learned.

The mesh has enabled rapid development of core infrastructure capabilities. Four major features are highlighted:

Link Encryption – aiming for 100% encrypted communication across the organization, with design goals of zero impact on business, seamless gray‑release, and acceptable performance overhead.

Adaptive Rate Limiting – a PID‑style, system‑wide flow‑control that automatically detects resource pressure and adjusts limits in real time, reducing manual configuration and preventing overload.

Fine‑Grained Traffic Steering – exposing atomic traffic‑routing primitives that can be orchestrated for scenarios such as gray releases, disaster recovery, new‑datacenter validation, and per‑application or per‑interface routing.

Service Self‑Healing – an in‑mesh anomaly counter that blacklists unhealthy upstream nodes, reports them to a central self‑healing service, and triggers automated recovery actions.

For link encryption, the design uses a unified control plane to push configuration to services, MOSN receives certificates via SDS, and TLS handshakes are performed on long‑lived connections. A connection‑elimination mechanism ensures hot‑switching between plaintext and encrypted connections without dropping in‑flight requests.

Adaptive rate limiting works by continuously monitoring system resource usage, computing a baseline when thresholds are exceeded, and adjusting the limit proportionally based on real‑time metrics. The approach has been applied at scale to protect critical business flows during peak traffic periods.

Fine‑grained traffic steering allows both application‑level and interface‑level routing across deployment units. Examples include gray releases (routing all traffic to a new unit before gradual rollback), disaster recovery (shifting traffic away from a failed unit), and new‑datacenter validation (mirroring traffic to a fresh environment).

Service self‑healing replaces external probes with an internal error counter. When a node exhibits abnormal error rates, it is temporarily blacklisted locally and reported to a central healing service, which can trigger restarts or graceful removal after a cooldown period.

All of these capabilities are implemented inside MOSN, the high‑performance proxy that underlies Ant’s Service Mesh, allowing zero‑downtime deployment and rapid iteration without touching individual services.

The article concludes that the mesh has dramatically accelerated infrastructure evolution, reduced the number of required configuration rules, and enabled system‑wide improvements in performance, security, stability, and operational efficiency.

Configuration example for business‑flow isolation:

Match: type = transfer
Action: Group = Group_2