© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. M O S C O W Service Mesh Magic Dr. Frank Munz Senior Technical Evangelist Amazon Web Services @frankmunz

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. About me • Software Architect / DevOps Engineer • Technical Evangelist @ AWS • Published an AWS book • Containers, serverless and a sprinkle of ML & big / fast data @frankmunz

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. 10+ Years Back in Time: SOA ESB = Service Virtualization Layer • Reduces complexity, #cx: squared -> linear with ESB • VETO pattern • CCC = versioning, monitoring, security, etc.

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Modern Application Architecture: Microservices Building Blocks • Containers • Serverless (e.g. AWS Lambda) • 165 AWS services • Do NOT stuff everything into container! -> Container / K8s will not make other cloud services redundant • EC2

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Challenges of Containers at Scale • More transient • More distributed and complex • Networking • Scheduling / Resource Management • Not virtualized, but isolated: containers share Linux kernel -> Tooling and orchestration required

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. … so we built a solution for that

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon ECS Easiest way to deploy and manage containers at scale Integration with entire AWS platform ALB, Auto Scaling, Batch, Elastic Beanstalk, CloudFormation, CloudTrail, CloudWatch Events, CloudWatch Logs, CloudWatch Metrics, ECR, EC2 Spot, IAM, NLB, Parameter Store, and VPC Scales to support clusters of any size Service integrations (like ALB and NLB) are at container level 1 2 3

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Then Kubernetes entered the stage

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. … and devOps ❤ Kubernetes

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. “Run Kubernetes for me.”

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Availability Zone 1 Availability Zone 2 Availability Zone 3 Kubectl Amazon EKS Architecture

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. OSSC libraries: code changes required, language specific Service Mesh: decentral, language agnostic, polyglot, light-weight https://www.infoq.com/articles/microservices-post-kubernetes Need for a Service Mesh ESB: clustered monolith

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Istio Service Mesh with Envoy Proxy

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Open Source: Istio Service Mesh Connect, secure, and observe services • Shift in where functionality is located • Control plane = Istio • Data plane = set of all Envoy proxies • Envoy proxy as sidecar in K8s pod • Automatic or manual injection of proxy with EKS

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Envoy Proxy • Level 7 proxy • HTTP, HTTP/2, gRPC, Amazon Dynamo DB, MongoDB • C++11 code base , only 8 MB (statically linked) • No language or framework dependencies • Rquires no code changes • Battle proven open source, started at Lyft • Envoy is not tightly coupled to Istio

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Netcraft: Envoy

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. https://martinfowler.com/bliki/BlueGreenDeployment.html How to update a complex system?

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. A bath tub full of cold water ? K8s rolling update 25% 1 pod at a time … or just wetten your feet? Service Mesh 3% Traffic routing ! ! ! " # ! $❄$❄$❄ Fancy a Swim in the Arctic Sea ? Blue / Green 100% All services at once Microservices Update Strategies

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. But Docker / Kubernetes can do rolling updates! Yes, but a service mesh separates traffic flow from replica deployment

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. … EKS is upstream K8s and supports Istio / Envoy

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS is a platinum member of CNCF

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. But you asked us for more…

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. A mesh for all compute services

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. App Mesh works across compute services Amazon ECS AWS Fargate Amazon EKS Amazon EC2 Kubernetes on EC2

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Based on Envoy proxy Start App Mesh from the AWS CLI, console or SDK There is no additional charge for using AWS App Mesh Supports any third-party tool that works with Envoy App Mesh

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How to get started…?

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. https://eksctl.io/ Tip: Easy way to create an EKS cluster: $ eksctl create cluster --name meshtest --appmesh-access

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Install AppMesh # AppMesh Installation with Grafana/Prometheus # and Envoy, AWS X-Ray daemon sidecar # and StatsD Prometheus exporter $ helm install -n aws-appmesh \ --namespace appmesh-system \ https://github.com/PaulMaddox/ \ aws-appmesh-helm/releases/ \ latest/download/aws-appmesh.tgz https://github.com/PaulMaddox/aws-appmesh-helm

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Install Demo App # create ns & enable auto-injection $ kubectl create ns appmesh-demo $ kubectl label namespace appmesh-demo appmesh.k8s.aws/sidecarInjectorWebhook=enabled # deploy the demo $ helm install -n aws-appmesh-demo \ --namespace appmesh-demo \ https://github.com/.../aws-appmesh-demo.tgz

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Observability: AWS X-Ray Service Map

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS X-Ray: Traces

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS X-Ray: Response Time Precentiles

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Open-Source Grafana: AppMesh Overview

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Open-Source Grafana: Service View

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Logging HTTP access logging Amazon CloudWatch Logs Available as container logs on Amazon ECS, Amazon EKS, AWS Fargate Metrics CloudWatch metrics StatsD (with tags) Prometheus Tracing AWS X-Ray Other Envoy tracing drivers Observability

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Traffic shaping Load balancing Weighted targets Service discovery (DNS + AWS Cloud Map) Health checks Retries* Timeouts* Circuit breakers* *Coming soon Routing controls Protocols support (HTTP, TCP, gRPC*) Path-based Header-based* Cookie-based* Host-based* Traffic Management

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. App Mesh constructs Mesh Virtual node Virtual router and routes Virtual service Create and manage these in App Mesh API, CLI, SDK, or AWS Management Console Proxies Services Service discovery Configure and run proxies and services on Amazon ECS, Fargate, Amazon EKS, Amazon EC2 Service discovery with AWS Cloud Map

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. App Mesh Ressources App Mesh Ressource Service Mesh Logical boundary for network traffic between the services that reside within it Virtual Node Logical pointer to a particular task group (ECS service) or Kubernetes deployment (FQDN). Virtual Service Abstraction of a real service that is provided by a virtual node directly or indirectly by means of a virtual router Virtual Router Handles traffic for one or more virtual services Route Associated with a virtual router, and it directs traffic that matches a service name prefix to one or more virtual nodes.

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS App Mesh Roadmap is Public https://github.com/aws/aws-app-mesh-roadmap

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Summary • Architect wisely • Running K8s is hard, use a managed K8s service • EKS is unforked upstream K8s • A Service Mesh complements K8s: It adds observability and traffic management • AWS App Mesh is free to use and works across compute services • Service mesh can help to containerize and transition to micro services architecture

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. CODE One Presentation (Istio with Envoy on EKS) https://www.youtube.com/watch?v=fDmJf9kWFws

Thank you! © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. frankmunz @frankmunz https://medium.com/@frank.munz (Blog) https://speakerdeck.com/fmunz (Slides)