Exercise 5: Visualise the Mesh with Kiali

In this exercise, you will install Kiali and a lightweight Prometheus instance, generate traffic through the mesh, and use Kiali to visualise service-to-service traffic.

Kiali is a dashboard for Istio service meshes. It helps you see workloads, traffic flows, health, and Istio configuration. It is commonly used during learning and troubleshooting because it makes mesh behaviour visible.

Info

This exercise installs Kiali with anonymous access and uses kubectl port-forward for local access. This is suitable for a workshop lab, but not a production configuration.

Task 1: Install Prometheus and Kiali

Kiali uses Prometheus as its metrics source. For this short lab, you will install a lightweight, dedicated Prometheus instance using Helm.

Info

Lab 3 set up Azure Managed Prometheus for cluster monitoring. We deploy a separate in-cluster Prometheus for Kiali here to keep the lab self-contained: Azure Managed Prometheus does not scrape the Istio sidecar (Envoy) metrics that Kiali needs by default, and its query endpoint requires Microsoft Entra authentication, which would add significant setup. For a production mesh you would instead add Istio scrape configuration to Azure Managed Prometheus and point Kiali at it through an authenticating proxy.

Add the required Helm repositories.

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add kiali https://kiali.org/helm-charts
helm repo update

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add kiali https://kiali.org/helm-charts
helm repo update

Install Prometheus.

helm upgrade --install prometheus prometheus-community/prometheus `
  --namespace monitoring `
  --create-namespace `
  --set server.persistentVolume.enabled=false `
  --set alertmanager.enabled=false `
  --set kube-state-metrics.enabled=false `
  --set prometheus-node-exporter.enabled=false `
  --set prometheus-pushgateway.enabled=false

helm upgrade --install prometheus prometheus-community/prometheus \
  --namespace monitoring \
  --create-namespace \
  --set server.persistentVolume.enabled=false \
  --set alertmanager.enabled=false \
  --set kube-state-metrics.enabled=false \
  --set prometheus-node-exporter.enabled=false \
  --set prometheus-pushgateway.enabled=false

Install Kiali and configure it to use the Prometheus service.

helm upgrade --install kiali-server kiali/kiali-server `
  --namespace aks-istio-system `
  --set auth.strategy=anonymous `
  --set external_services.prometheus.url=http://prometheus-server.monitoring.svc.cluster.local `
  --set deployment.accessible_namespaces="{istio-demo,aks-istio-system}"

helm upgrade --install kiali-server kiali/kiali-server \
  --namespace aks-istio-system \
  --set auth.strategy=anonymous \
  --set external_services.prometheus.url=http://prometheus-server.monitoring.svc.cluster.local \
  --set deployment.accessible_namespaces="{istio-demo,aks-istio-system}"

Check that Kiali is running.

kubectl get pods -n aks-istio-system -l app.kubernetes.io/name=kiali

kubectl get pods -n aks-istio-system -l app.kubernetes.io/name=kiali

Task 2: Generate Mesh Traffic

Kiali needs recent traffic before the graph becomes interesting. Generate traffic through the Istio gateway for a minute or two.

1..100 | ForEach-Object {
  Invoke-WebRequest -UseBasicParsing "http://$INGRESS_IP" | Out-Null
}

for i in {1..100}; do
  curl -s "http://$INGRESS_IP" > /dev/null
done

Task 3: Open the Kiali Dashboard

Port-forward the Kiali service.

kubectl port-forward `
  -n aks-istio-system `
  svc/kiali 20001:20001

kubectl port-forward \
  -n aks-istio-system \
  svc/kiali 20001:20001

Open Kiali in your browser:
```
http://localhost:20001
```
In Kiali, navigate to Graph and select the istio-demo namespace.
You should see traffic flowing from the Istio ingress gateway to the web service and then to the backing workloads.
Turn on the security overlay to see mTLS. In the graph toolbar, open the Display menu and enable Security.
A padlock icon appears on the edges between workloads. This is the visual confirmation that the connections are encrypted with mTLS - the same strict mTLS you enforced in Exercise 4.

Task 4: Discuss What You Are Seeing

Use Kiali to answer the following questions:

Which workloads are part of the mesh?
Can you see the ingress gateway sending traffic to the web service?
Did the graph change after shifting traffic to v2?
What telemetry would you want before using this in production?

Tip

Kiali is most useful when paired with clear operational questions. Use it to validate traffic flow, spot unexpected dependencies, and troubleshoot routing policy.