
Service Mesh - Beyond the Hype

Service mesh technologies have gained significant interest in the past year. We often hear or read the words “Service Mesh” in blog posts or videos nowadays. But most of these don’t explain what the “Service Mesh” really is. In this talk, Anubhav Mishra helps us understand the components that make up a “Service Mesh” and how “Service Mesh” can help developers and operators adopt smart networking techniques to empower their organizations.

Anubhav Mishra will examine:
1. The history of the term “Service Mesh”.
2. What it takes to create a service mesh control plane and a data plane.
3. Responsibilities of each of those components and why they are critical to the overall functioning of a service mesh.
4. Real-world example of a service mesh in action that connects services running in VMs and containers securely.

Anubhav Mishra

November 28, 2019
Transcript

  1. @build1point0
    Service Mesh
    Beyond the Hype

  2. $ whoami
    Anubhav Mishra
    Technical Advisor to the CTO, HashiCorp

  7. Open Source

  8. Atlantis
    Open Source

  9. VAULT IN ACTION BOOK

  10. Gopher Artwork by Ashley McNamara

  12. HashiCorp Suite
    Private Cloud, AWS, Azure, GCP
    Run (Development), Connect (Networking), Secure (Security), Provision (Operations)

  13. Service Mesh
    Beyond the Hype

  16. https://buoyant.io/2017/04/25/whats-a-service-mesh-and-why-do-i-need-one/

  20. Smart Networking Basics

  21. Service A -> Service B

  22. Service A -> Service B, Service B, Service B (?)
    Multiple Instances

  23. Service A -> Service B, Service B, Service B (?)
    Multiple Instances
    Service Discovery

  24. Service A -> Service B

  25. Service A -> Service B: Request Failed

  26. Service A -> Service B: Request Failed
    Retries

  27. Service A (Cert: serviceA.foo.com) -> Service B (Cert: serviceB.foo.com)
    Assigning Identity

  28. Service A (Cert: serviceA.foo.com) <-> Service B (Cert: serviceB.foo.com)
    Assigning Identity
    Mutual TLS

  29. Service A (Cert: serviceA.foo.com) <-> Service B (Cert: serviceB.foo.com)
    Mutual TLS
    Authorizing traffic: Allow?

  30. Challenges
    Service Discovery & Routing
    Service Retries, Circuit Breaking…
    Service Identity & Authorization
    Observability

  31. Smart Networking - First Principles
    Dumb Pipe or Smart Network/Mesh
    Protocol Awareness

  33. Smart Networking - First Principles
    Dumb Pipe or Smart Network/Mesh
    Protocol Awareness
    Service A -> Service B

  34. Dumb Pipe
    Pros:
    Simplicity for Networks
    Smart Applications ("What you see is what you get")
    Easily Customizable
    Cons:
    Redundant Code
    Every Application has to Implement the Code (Polyglot?)

  35. Smart Networking - First Principles
    Dumb Pipe or Smart Network/Mesh
    Protocol Awareness
    Service A -> Proxy -> Proxy -> Service B

  36. Smart Network/Mesh
    Pros:
    Little to no Application Code changes are required
    Features like Traffic Shaping, Service Discovery and Network Policy Control come out of the Box
    Cons:
    Smart Network becomes an Implicit Dependency of the Application
    Harder to Reason about the Whole System

  37. Service Mesh

  38. Service Mesh aka Smart Network
    Service A -> Proxy -> Proxy -> Service B

  39. Service Mesh aka Smart Network
    Service A -> Proxy -> Proxy -> Service B
    Configure

  40. Service Mesh aka Smart Network
    Service A -> Proxy -> Proxy -> Service B
    Configure
    Two parts

  41. Separation of Control and Data Plane
    Control Plane
    Data Plane

  42. Separation of Control and Data Plane
    Control Plane:
    • Traffic Routing / Shaping
    • Configuring the Data Plane
    • Policy Enforcement
    • Provide Service Discovery Data to Data Plane
    Data Plane

  44. Separation of Control and Data Plane
    Control Plane
    Data Plane:
    • Forward Request from the Applications
    • Health Checking
    • Load Balancing
    • Circuit Breaking
    • Timeouts

  45. Separation of Control and Data Plane
    Control Plane
    Data Plane:
    • Forward Request from the Applications
    • Health Checking
    • Load Balancing
    • Circuit Breaking
    • Timeouts
    …
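Slides 25, 26, 44 and 45 list retries, timeouts and circuit breaking as data-plane work that the proxy does so the application does not have to. The following is an added example, not code from the talk or from any service mesh product: a small Python model of a sidecar client that applies a timeout to each attempt, retries a bounded number of times, and opens a circuit after consecutive failures so that later requests fail fast locally instead of piling onto a broken upstream. The upstream is a constructed stub with scripted outcomes, and the clock is injected so the run is deterministic.

```python
"""Added example, not from the talk: a minimal model of three data-plane
responsibilities on the slide (timeouts, retries, circuit breaking) as a
sidecar proxy applies them to each request the application hands it.  The
upstream is a constructed stub whose outcomes are scripted."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


class UpstreamError(Exception):
    """Raised for any failed attempt: upstream error, timeout, or open circuit."""


@dataclass
class CircuitBreaker:
    failure_threshold: int = 3      # consecutive failures before opening
    open_seconds: float = 30.0      # cool-down before one trial request is let through
    failures: int = 0
    opened_at: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.opened_at is None:
            return True
        return now - self.opened_at >= self.open_seconds   # half-open trial

    def record(self, ok: bool, now: float) -> None:
        if ok:
            self.failures, self.opened_at = 0, None
            return
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self.opened_at = now


@dataclass
class SidecarClient:
    upstream: Callable[[str], tuple]   # returns (latency_seconds, response)
    timeout: float = 0.5
    max_retries: int = 2               # total attempts = 1 + max_retries
    breaker: CircuitBreaker = field(default_factory=CircuitBreaker)
    clock: Callable[[], float] = lambda: 0.0

    def call(self, request: str) -> str:
        attempts = 0
        while True:
            now = self.clock()
            if not self.breaker.allow(now):
                # fail fast locally: no retry budget is spent on a known-bad upstream
                raise UpstreamError("circuit open: request rejected locally")
            attempts += 1
            try:
                latency, response = self.upstream(request)
                if latency > self.timeout:
                    raise UpstreamError(f"timeout after {self.timeout}s")
                self.breaker.record(True, now)
                return response
            except UpstreamError:
                self.breaker.record(False, now)
                if attempts > self.max_retries:
                    raise


def scripted_upstream(script: List[str]) -> Callable[[str], tuple]:
    """Constructed stub: each call consumes the next scripted outcome."""
    outcomes = list(script)

    def upstream(request: str) -> tuple:
        kind = outcomes.pop(0) if outcomes else "ok"
        if kind == "ok":
            return 0.05, f"200 OK for {request}"
        if kind == "slow":
            return 2.0, f"200 OK for {request} (arrived too late)"
        raise UpstreamError("503 from upstream")

    return upstream


def run_scenario() -> List[str]:
    """Four requests against a scripted upstream; returns one line per request."""
    now = [0.0]
    client = SidecarClient(
        upstream=scripted_upstream(["slow", "ok", "err", "err", "err", "ok"]),
        clock=lambda: now[0],
    )
    results = []
    for request, t in [("r1", 0.0), ("r2", 1.0), ("r3", 2.0), ("r4", 40.0)]:
        now[0] = t
        try:
            results.append(client.call(request))
        except UpstreamError as err:
            results.append(f"{request}: {err}")
    return results


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The first request survives a slow attempt because the retry budget covers it; the second exhausts the budget on three upstream errors and trips the breaker; the third is rejected without touching the upstream; the fourth, after the cool-down, is the half-open trial that closes the circuit again. Those are exactly the decisions the slide moves out of application code and into the proxy.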

  46. Smart Networking - First Principles
    Dumb Pipe or Smart Network/Mesh
    Protocol Awareness: Layer 4 vs Layer 7

  47. Protocol Awareness: Layer 4 vs Layer 7 (TCP, UDP vs HTTP)
    Layer 4:
    "Universally" Compatible
    High Performance
    Difficult to provide Sophisticated request aware features

  48. Protocol Awareness: Layer 4 vs Layer 7 (TCP, UDP vs HTTP)
    Layer 7:
    Perform complex routing decisions
    Header and Path based routing
    Can yield lower performance

  49. Service Mesh In Action

  50. Consul Usage
    Launched in 2014
    17K+ GitHub Stars
    1M+ Downloads monthly
    Customers running 50,000+ agents
    "Most widely deployed service discovery tool on AWS"

  51. Public Users


  52. Last Year: Consul Connect

  53. Consul Connect
    Secure service-to-service communication with automatic TLS encryption and identity-based authorization that works everywhere.

  54. (diagram) IP1 -> IP2: PLAIN TCP

  55. (diagram) WEB, API, DB; IP1 -> IP2: PLAIN TCP

  56. (diagram) WEB, API, DB; IP1 -> IP2: MUTUAL TLS, PLAIN TCP

  58. (diagram) PROXY, API, DB, PROXY; IP1 -> IP2: MUTUAL TLS, PLAIN TCP

  63. Demo


  64. Connect Layer 7 Features

  65. "web.service.consul"

  66. HTTP Routing, Traffic Splitting, Custom Resolution
    "web.service.consul"

  68. HTTP Routing
    ▪ Path (exact, prefix, regex)
    ▪ Header
    ▪ Query Params
    ▪ HTTP Methods

  69. Kind = "service-router"
    Name = "web"
    Routes = [
      {
        Match {
          HTTP {
            PathPrefix = "/admin"
          }
        }
        # PrefixRewrite is a field of Destination in Consul's service-router
        # config entry, not of Match.HTTP
        Destination {
          Service       = "admin"
          PrefixRewrite = "/"
        }
      },
      ...
    ]


  72. HTTP Routing, Traffic Splitting, Custom Resolution
    "web.service.consul"
    /admin => service: "admin", path: "/"

  73. Kind = "service-splitter"
    Name = "admin"
    Splits = [
      {
        Weight        = 10
        ServiceSubset = "v2"
      },
      {
        Weight        = 90
        ServiceSubset = "v1"
      },
    ]


  76. HTTP Routing, Traffic Splitting, Custom Resolution
    "web.service.consul"
    /admin => service: "admin", path: "/", subset: "v2"

  77. Kind = "service-resolver"
    Name = "admin"
    DefaultSubset = "v1"
    Subsets = {
      "v1" = {
        Filter = "Service.Meta.version == 1"
      },
      "v2" = {
        Filter = "Service.Meta.version == 2"
      },
    }


  81. HTTP Routing, Traffic Splitting, Custom Resolution
    "web.service.consul"
    /admin => service: "admin", path: "/", subset: "v2" (Meta.version == 2)
    Instances: v2, v1, v2

  82. Demo

  83. (diagram) 10.0.1.1/24: IP1, IP2; WEB, DB, API

  84. (diagram) 10.0.1.1/24 and 10.0.2.1/24: IP1, IP2; WEB, DB, API; X

  85. (diagram) 10.0.1.1/24 and 10.0.2.1/24: IP1, IP2; WEB, DB, API; X
    Requires complex, manual network configuration to make work.

  86. Mesh Gateways

  87. Mesh Gateway
    Secure service-to-service communication across networks with full end-to-end encryption that works everywhere.

  89. (diagram) 10.0.1.1/24 and 10.0.2.1/24: IP1, IP2; WEB, DB, API; CONNECT MESH GATEWAY <-> CONNECT MESH GATEWAY

  90. Demo


  91. Security
    ▪ Gateways cannot decrypt payloads
      – Do not have keys, only end service has the private key
      – Works by inspecting SNI headers
    ▪ Intentions enforced across datacenters
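The slide's point is that a mesh gateway routes without holding any service private key: the only thing it needs is the server_name (SNI) extension, which the client sends in the plaintext ClientHello before any key exchange. The following Python is an added example, not code from the talk or from Consul, that builds a constructed ClientHello carrying one SNI entry, parses the SNI back out the way a gateway would, and makes a forwarding decision from it. The SNI layout used here, <service>.<namespace>.<datacenter>.internal.<trust-domain>.consul, and the peer gateway addresses are assumptions made for the example, not values from the talk.

```python
"""Added example, not from the talk or from Consul: the SNI lookup the slide
describes.  A mesh gateway sees only the plaintext ClientHello; it reads the
server_name extension and relays the still-encrypted stream.  It holds no
service private key, so the bytes after the handshake are opaque to it.  The
ClientHello below is constructed, and the SNI layout
<service>.<namespace>.<datacenter>.internal.<trust-domain>.consul is an
assumption about Consul's naming made for this example."""
import struct
from typing import Dict, Optional, Tuple


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS ClientHello record with one SNI host_name entry."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32   # client_version, random (constructed)
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if it is not a
    well-formed ClientHello carrying an SNI extension."""
    try:
        if record[0] != 0x16:                        # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                            # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) < hs_len:                          # truncated record
            return None
        i = 2 + 32                                   # skip version and random
        i += 1 + p[i]                                # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]  # cipher_suites
        i += 1 + p[i]                                # compression_methods
        if i + 2 > len(p):                           # no extensions block at all
            return None
        end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            data, i = p[i + 4:i + 4 + elen], i + 4 + elen
            if etype != 0x0000:
                continue
            j = 2                                    # skip server_name_list length
            while j + 3 <= len(data):
                ntype, nlen = data[j], struct.unpack("!H", data[j + 1:j + 3])[0]
                if ntype == 0:
                    return data[j + 3:j + 3 + nlen].decode("ascii")
                j += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def gateway_route(record: bytes, local_dc: str, peers: Dict[str, str]) -> Tuple[str, str]:
    """Decide where a connection goes using nothing but the SNI."""
    sni = parse_sni(record)
    if sni is None:
        return ("reject", "no SNI")
    parts = sni.split(".")
    if len(parts) < 6 or parts[3] != "internal" or parts[-1] != "consul":
        return ("reject", f"unexpected SNI {sni}")
    service, namespace, dc = parts[:3]
    if dc == local_dc:
        return ("local", f"{service}.{namespace}")    # hand to the local sidecar
    if dc in peers:
        return ("forward", peers[dc])                # relay to the remote gateway
    return ("reject", f"unknown datacenter {dc}")


if __name__ == "__main__":
    hello = build_client_hello("db.default.dc2.internal.TRUSTDOMAIN.consul")
    print(parse_sni(hello))
    print(gateway_route(hello, "dc1", {"dc2": "gateway.dc2.example:8443"}))
```

Because the decision rests on an unauthenticated plaintext field, the gateway can only choose where to relay; it cannot vouch for who is connecting. That is why the slide pairs this with intentions enforced at the destination, where the client certificate has actually been verified.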


  92. (diagram) 10.0.1.1/24 and 10.0.2.1/24: IP1, IP2; WEB, DB, API; CONNECT MESH GATEWAY <-> CONNECT MESH GATEWAY
    Allow "API" to "DB"
    Deny "Web" to "DB"
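Slides 27 to 29 assign each service an identity in a certificate and then ask "Allow?" once mutual TLS has verified the peer; slides 91 and 92 show that question answered by intentions such as Allow "API" to "DB" and Deny "Web" to "DB", evaluated the same way whichever datacenter the caller came from. The following Python is an added example written for this page, not code from the talk or from Consul: it derives a service identity from the SPIFFE URI SAN of a verified client certificate and evaluates a list of intentions against it with default deny. The certificate SANs are constructed strings, the URI layout spiffe://<trust-domain>.consul/ns/<namespace>/dc/<datacenter>/svc/<service> is an assumption about Consul's format, and the precedence rule (exact names beat wildcards, source side ranked above destination side) is this example's reading of Consul's documented ordering rather than a transcription of it.

```python
"""Added example, not from the talk or from Consul: how a destination proxy
turns a verified client certificate into a service identity and evaluates
intentions like the slide's Allow "API" to "DB" / Deny "Web" to "DB".  The SANs
are constructed strings, and the URI layout
spiffe://<trust-domain>.consul/ns/<ns>/dc/<dc>/svc/<service> is an assumption
about Consul's format made for this example."""
from dataclasses import dataclass
from typing import Iterable, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Identity:
    trust_domain: str
    namespace: str
    datacenter: str
    service: str


def identity_from_san(uri: str, expected_trust_domain: str) -> Identity:
    """Parse the SPIFFE URI SAN of an mTLS-verified peer certificate.  The trust
    domain must be the mesh's own; a foreign or malformed URI is rejected rather
    than mapped to any service."""
    u = urlparse(uri)
    if u.scheme != "spiffe" or u.netloc != expected_trust_domain:
        raise ValueError(f"untrusted identity {uri!r}")
    parts = u.path.strip("/").split("/")
    if len(parts) != 6 or parts[0::2] != ["ns", "dc", "svc"]:
        raise ValueError(f"malformed identity path {u.path!r}")
    return Identity(u.netloc, parts[1], parts[3], parts[5])


@dataclass(frozen=True)
class Intention:
    source: str       # service name or "*"
    destination: str  # service name or "*"
    action: str       # "allow" or "deny"

    def matches(self, src: str, dst: str) -> bool:
        return self.source in ("*", src) and self.destination in ("*", dst)

    def precedence(self) -> int:
        # exact names beat wildcards; the source side outranks the destination side
        return (self.source != "*") * 2 + (self.destination != "*")


# the two intentions on the slide plus a constructed explicit catch-all deny
INTENTIONS = [
    Intention("api", "db", "allow"),
    Intention("web", "db", "deny"),
    Intention("*", "*", "deny"),
]


def authorize(peer_san: str, destination: str, intentions: Iterable[Intention],
              trust_domain: str) -> Tuple[str, str]:
    """Return (decision, reason).  The identity comes from the certificate, not
    from the source IP, so it survives proxies, gateways and re-addressing, and
    the datacenter in the URI plays no part in the decision."""
    try:
        ident = identity_from_san(peer_san, trust_domain)
    except ValueError as err:
        return ("deny", str(err))
    candidates = [i for i in intentions if i.matches(ident.service, destination)]
    if not candidates:
        return ("deny", "no matching intention (default deny)")
    winner = max(candidates, key=Intention.precedence)
    return (winner.action, f"{winner.source} -> {winner.destination}")


if __name__ == "__main__":
    td = "TRUSTDOMAIN.consul"   # placeholder trust domain
    for san, dst in [(f"spiffe://{td}/ns/default/dc/dc1/svc/api", "db"),
                     (f"spiffe://{td}/ns/default/dc/dc2/svc/web", "db"),
                     (f"spiffe://OTHER.consul/ns/default/dc/dc1/svc/api", "db")]:
        print(san, "->", dst, authorize(san, dst, INTENTIONS, td))
```

The web service is denied whether it calls from dc1 or dc2, a certificate from a foreign trust domain is denied before any intention is consulted, and with no intentions at all the answer is still deny; the allow for api to db is the only path through.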


  93. Consul
    Consul is a full-featured service mesh that supports multi-cloud, multi-region scale.

  94. Thank You
    Anubhav Mishra
    @build1point0