In a service mesh, each application microservice instance, called the service instance, is paired with an instance of a reverse proxy, called a service proxy, sidecar proxy, or sidecar. The service instance and its sidecar are deployed together as a single unit: on Kubernetes the sidecar is a second container in the same pod, sharing the pod's network namespace, and the pods are managed by the container orchestration platform.
Traffic entering and leaving a service instance is transparently redirected through its sidecar, so the sidecar proxies, rather than the application code, handle communication between microservice instances.
The service mesh also includes a controller, usually called the control plane, that manages the configuration and health of the sidecars and, through them, the interaction between services. The control plane pushes to each sidecar the routing rules and policies it should apply and the current list of healthy instances of every service it may call; the sidecar that initiates a connection then load-balances across that list itself, so the control plane stays out of the request path.
When the service mesh is providing secure communications, the network architecture is a flat mesh network that runs as an overlay on the underlying IP network, with traffic between sidecars carried in encrypted tunnels, usually mutual TLS (mTLS). Each sidecar holds a certificate issued by the mesh's certificate authority and bound to its workload identity, and each side of a connection verifies the peer's certificate against that same root, so the identity of the calling service is established cryptographically and can be used for authorization policy. The encryption is end to end between sidecars, not between applications: the short hop between a service instance and its own sidecar is plaintext over the pod's loopback interface and is protected only by the isolation of the pod.
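The sidecar-to-sidecar mTLS exchange described above, as an added Go example that is not code from the original article or from any particular service mesh. It assumes a hypothetical mesh root CA (created by `issue(nil, nil)`), Istio-style SPIFFE identities of the form `spiffe://cluster.local/ns/default/sa/<service-account>`, and a server-side policy that allows exactly one service account to call the server; `issue`, `spiffeID`, `verifyPeer` and `meshExchange` are names chosen here. It goes beyond the paragraph by showing what the identity check buys: a client with a valid mesh certificate but the wrong identity, and a client presenting the right identity in a certificate from a rogue CA, are both rejected during the handshake, before any application data flows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/url"
	"time"
)

// ca is a certificate plus its private key. The mesh root stands in for the control plane's CA
// (a hypothetical helper, not a component of any real mesh) and is the only trust anchor.
type ca struct {
	cert *x509.Certificate
	pair tls.Certificate // same certificate with its key, ready to drop into a tls.Config
}

// spiffeID maps a Kubernetes service account in namespace "default" to its mesh identity (assumed Istio/SPIFFE layout).
func spiffeID(sa string) *url.URL {
	return &url.URL{Scheme: "spiffe", Host: "cluster.local", Path: "/ns/default/sa/" + sa}
}

// issue generates a P-256 key and a certificate for it: the self-signed mesh root when issuer is nil,
// otherwise a short-lived workload leaf signed by issuer whose only identity is the SPIFFE URI SAN id.
func issue(issuer *ca, id *url.URL) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if issuer == nil {
		tmpl.Subject = pkix.Name{CommonName: "mesh-root-ca"}
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		issuer = &ca{cert: tmpl, pair: tls.Certificate{PrivateKey: key}} // self-signed
	} else {
		tmpl.URIs = []*url.URL{id} // no DNS name: hostname checks do not apply, identity is checked explicitly
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.pair.PrivateKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &ca{cert: cert, pair: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}, err
}

// verifyPeer is the VerifyPeerCertificate hook both sidecars install: the presented chain must
// root in the mesh CA, and the leaf must carry the expected SPIFFE ID (workload chains here are leaf-only).
func verifyPeer(root *ca, expected *url.URL, usage x509.ExtKeyUsage) func([][]byte, [][]*x509.Certificate) error {
	trust := x509.NewCertPool()
	trust.AddCert(root.cert)
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{usage}}); err != nil {
			return fmt.Errorf("chain not rooted in mesh CA: %w", err)
		}
		for _, u := range leaf.URIs {
			if u.String() == expected.String() {
				return nil
			}
		}
		return fmt.Errorf("peer identity %v is not authorized", leaf.URIs)
	}
}

// meshExchange runs one sidecar-to-sidecar connection over loopback. Both sides trust only root. The
// server cert is issued by root and the client cert by clientIssuer (root when honest, an unrelated CA
// when spoofing); server-side policy allows only the service account allowedClient to call server.
func meshExchange(root, clientIssuer *ca, server, client, allowedClient string) (string, error) {
	srv, err := issue(root, spiffeID(server))
	if err != nil {
		return "", err
	}
	cli, err := issue(clientIssuer, spiffeID(client))
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates:          []tls.Certificate{srv.pair},
		ClientAuth:            tls.RequireAnyClientCert, // presence enforced here; validity and identity in verifyPeer
		VerifyPeerCertificate: verifyPeer(root, spiffeID(allowedClient), x509.ExtKeyUsageClientAuth),
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // receiving sidecar: Handshake runs verifyPeer, so a rejected peer never gets a reply
		if conn, err := ln.Accept(); err == nil {
			tc := conn.(*tls.Conn)
			if tc.Handshake() == nil {
				peer := tc.ConnectionState().PeerCertificates[0].URIs[0] // identity the server would authorize on
				tc.Write([]byte(server + " accepted " + peer.String()))
			}
			tc.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates:          []tls.Certificate{cli.pair},
		InsecureSkipVerify:    true, // turns off only the built-in DNS-name check; verifyPeer does the real verification
		VerifyPeerCertificate: verifyPeer(root, spiffeID(server), x509.ExtKeyUsageServerAuth),
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	reply, err := io.ReadAll(conn) // a rejected peer surfaces here as a TLS alert, never as data
	return string(reply), err
}
```

Two points the block makes concrete: once `InsecureSkipVerify` is set, every bit of verification lives in `verifyPeer`, so its chain check against the mesh root is what stops a rogue CA, not an optional extra; and the authorization decision (which SPIFFE ID may talk to this service) is taken by the receiving sidecar from the peer certificate during the handshake, so the application behind it never sees a connection from an unauthorized identity.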