Service Mesh - Beyond the Hype

Service mesh technologies have gained significant interest in the past year. We often hear or read the words “Service Mesh” in blog posts or videos nowadays. But most of these don’t explain what the “Service Mesh” really is. In this talk, Anubhav Mishra helps us understand the components that make up a “Service Mesh” and how “Service Mesh” can help developers and operators adopt smart networking techniques to empower their organizations.

Anubhav Mishra will examine:
1. The history of the term “Service Mesh”.
2. What it takes to create a service mesh control plane and a data plane.
3. Responsibilities of each of those components and why they are critical to the overall functioning of a service mesh.
4. Real-world example of a service mesh in action that connects services running in VMs and containers securely.

Anubhav Mishra

November 28, 2019
Transcript

  1. @build1point0  Service Mesh Beyond the Hype

  2. $ whoami: Anubhav Mishra, Technical Advisor to the CTO, HashiCorp

  7. Open Source

  8. Atlantis (open source)

  9. Vault in Action (book)

  10. Gopher artwork by Ashley McNamara

  12. HashiCorp Suite (private cloud, AWS, Azure, GCP): Run / Development, Connect / Networking, Secure / Security, Provision / Operations

  13. Service Mesh Beyond the Hype

  16. https://buoyant.io/2017/04/25/whats-a-service-mesh-and-why-do-i-need-one/

  20. Smart Networking Basics

  21. Service A -> Service B

  22. Service A -> Service B, Service B, Service B: multiple instances?

  23. Service A -> Service B (multiple instances): service discovery

  25. Service A -> Service B: request failed

  26. Service A -> Service B: request failed, retries

  27. Assigning identity: Service A gets cert serviceA.foo.com, Service B gets cert serviceB.foo.com

  28. Assigning identity, mutual TLS: Service A (cert serviceA.foo.com) <-> Service B (cert serviceB.foo.com)

  29. Authorizing traffic: Service A (cert serviceA.foo.com) -> Service B (cert serviceB.foo.com) over mutual TLS: allow?

  30. Challenges: service discovery and routing; service retries, circuit breaking, ...; service identity and authorization; observability

  31. Smart Networking - First Principles: dumb pipe or smart network/mesh; protocol awareness

  33. Dumb pipe: Service A -> Service B

  34. Dumb Pipe. Pros: simplicity for networks; smart applications ("what you see is what you get"); easily customizable. Cons: redundant code; every application has to implement the code (polyglot?)

  35. Smart network/mesh: Service A -> Proxy -> Proxy -> Service B

  36. Smart Network/Mesh. Pros: little to no application code changes are required; features like traffic shaping, service discovery and network policy control come out of the box. Cons: the smart network becomes an implicit dependency of the application; harder to reason about the whole system

  37. Service Mesh

  38. Service Mesh aka Smart Network: Service A -> Proxy -> Proxy -> Service B

  40. Service Mesh aka Smart Network: Service A -> Proxy -> Proxy -> Service B; configure the proxies: two parts

  41. Separation of Control and Data Plane

  42. Control plane: traffic routing / shaping; configuring the data plane; policy enforcement; providing service discovery data to the data plane

  44. Data plane: forwarding requests from the applications; health checking; load balancing; circuit breaking; timeouts; ...

  46. Smart Networking - First Principles: dumb pipe or smart network/mesh; protocol awareness: Layer 4 vs Layer 7

  47. Protocol awareness, Layer 4 (TCP, UDP): "universally" compatible; high performance; difficult to provide sophisticated request-aware features

  48. Protocol awareness, Layer 7 (HTTP): perform complex routing decisions; header- and path-based routing; can yield lower performance
  49. Service Mesh In Action

  50. Consul usage: launched in 2014; 17K+ GitHub stars; 1M+ downloads monthly; customers running 50,000+ agents; "Most widely deployed service discovery tool on AWS"

  51. Public Users

  52. Last Year: Consul Connect

  53. Consul Connect: secure service-to-service communication with automatic TLS encryption and identity-based authorization that works everywhere.

  54. IP1, IP2

  55. IP1 -> IP2: plain TCP

  56. Diagram: WEB, API and DB on IP1/IP2, talking plain TCP

  57. Diagram: WEB, API and DB on IP1/IP2, links labelled mutual TLS and plain TCP

  59. Diagram: WEB, API and DB on IP1/IP2, each behind a proxy; plain TCP from a service to its local proxy, mutual TLS between the proxies

  64. Demo

  65. Connect Layer 7 Features

  66. "web.service.consul"

  67. HTTP Routing, Traffic Splitting, Custom Resolution: "web.service.consul"

  69. HTTP Routing: path (exact, prefix, regex); header; query params; HTTP methods

  70. service-router config entry:

      Kind = "service-router"
      Name = "web"
      Routes = [
        {
          Match {
            HTTP {
              PathPrefix    = "/admin"
              PrefixRewrite = "/"
            }
          }
          Destination {
            Service = "admin"
          }
        },
        ...
      ]

  73. HTTP Routing: "web.service.consul" /admin => service: "admin", path: "/"

  74. service-splitter config entry:

      Kind = "service-splitter"
      Name = "admin"
      Splits = [
        {
          Weight        = 10
          ServiceSubset = "v2"
        },
        {
          Weight        = 90
          ServiceSubset = "v1"
        },
      ]

  77. Traffic Splitting: "web.service.consul" /admin => service: "admin", path: "/", subset: "v2"

  78. service-resolver config entry:

      Kind = "service-resolver"
      Name = "admin"
      DefaultSubset = "v1"
      Subsets = {
        "v1" = { Filter = "Service.Meta.version == 1" }
        "v2" = { Filter = "Service.Meta.version == 2" }
      }

  82. Custom Resolution: "web.service.consul" /admin => service: "admin", path: "/", subset: "v2", Meta.version == 2 (instances tagged v1 and v2)
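The three config entries on the slides form a chain: the service-router picks a destination service and rewrites the path, the service-splitter picks a subset by weight, and the service-resolver turns that subset into a filter over catalog metadata. The following Python model of that chain is an added example, not code from the talk or from Consul; the catalog entries are constructed, and the splitter takes a caller-supplied point in [0, 100) instead of the per-request value the real proxy derives, so every decision is reproducible.

```python
"""Model of Consul's service-router -> service-splitter -> service-resolver chain.

Added example; the config entries are the slide's HCL transcribed as dicts, the
catalog and the split point are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Config entries from the slides, as dict equivalents of the HCL.
ROUTER = {
    "Kind": "service-router", "Name": "web",
    "Routes": [
        {"Match": {"HTTP": {"PathPrefix": "/admin", "PrefixRewrite": "/"}},
         "Destination": {"Service": "admin"}},
    ],
}
SPLITTER = {
    "Kind": "service-splitter", "Name": "admin",
    "Splits": [{"Weight": 10, "ServiceSubset": "v2"},
               {"Weight": 90, "ServiceSubset": "v1"}],
}
RESOLVER = {
    "Kind": "service-resolver", "Name": "admin", "DefaultSubset": "v1",
    "Subsets": {"v1": {"Filter": "Service.Meta.version == 1"},
                "v2": {"Filter": "Service.Meta.version == 2"}},
}

# Constructed catalog: admin instances carry a "version" meta tag, as the resolver expects.
CATALOG = [
    {"Service": "admin", "Address": "10.0.1.11", "Meta": {"version": "1"}},
    {"Service": "admin", "Address": "10.0.1.12", "Meta": {"version": "1"}},
    {"Service": "admin", "Address": "10.0.1.21", "Meta": {"version": "2"}},
    {"Service": "web",   "Address": "10.0.1.5",  "Meta": {"version": "1"}},
]


@dataclass
class Decision:
    service: str
    subset: str
    path: str
    instances: list = field(default_factory=list)


def route(path: str) -> tuple[str, str]:
    """service-router: first route whose PathPrefix matches wins and the prefix is
    rewritten; with no match the request stays on the router's own service."""
    for r in ROUTER["Routes"]:
        http = r["Match"]["HTTP"]
        prefix = http["PathPrefix"]
        if path.startswith(prefix):
            rewritten = http.get("PrefixRewrite", prefix) + path[len(prefix):]
            return r["Destination"]["Service"], rewritten.replace("//", "/")
    return ROUTER["Name"], path


def split(point: int) -> str:
    """service-splitter: walk the cumulative weights (10 then 100) and return the
    subset whose band contains `point`; points 0..9 land on v2, 10..99 on v1."""
    acc = 0
    for s in SPLITTER["Splits"]:
        acc += s["Weight"]
        if point < acc:
            return s["ServiceSubset"]
    return SPLITTER["Splits"][-1]["ServiceSubset"]


def meta_matches(filter_expr: str, meta: dict) -> bool:
    """Evaluate the one filter shape the slides use: 'Service.Meta.<key> == <value>'."""
    lhs, rhs = (t.strip() for t in filter_expr.split("=="))
    key = lhs[len("Service.Meta."):] if lhs.startswith("Service.Meta.") else lhs
    return meta.get(key) == rhs.strip('"')


def resolve(service: str, subset: str) -> list[str]:
    """service-resolver: apply the subset's filter to the service's catalog entries."""
    filt = RESOLVER["Subsets"][subset]["Filter"]
    return [e["Address"] for e in CATALOG
            if e["Service"] == service and meta_matches(filt, e["Meta"])]


def decide(path: str, point: int) -> Decision:
    """Full chain for a request to web.service.consul with the given path."""
    service, new_path = route(path)
    if service != RESOLVER["Name"]:
        # No splitter/resolver configured for this service: plain catalog lookup.
        addrs = [e["Address"] for e in CATALOG if e["Service"] == service]
        return Decision(service, "", new_path, addrs)
    subset = split(point)
    return Decision(service, subset, new_path, resolve(service, subset))


if __name__ == "__main__":
    for path, point in [("/admin/users", 5), ("/admin", 50), ("/", 5)]:
        print(path, point, "->", decide(path, point))
```

The chain is worth reading from the bottom up when debugging: if a request lands on the wrong version, check whether the resolver's filter matches the instance metadata before suspecting the splitter weights, and check the splitter before suspecting the router.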
  83. Demo

  84. Network 10.0.1.1/24: WEB (IP1), API, DB (IP2)

  85. Two networks, 10.0.1.1/24 and 10.0.2.1/24: WEB, API and DB, with the cross-network path blocked (X)

  86. Two networks, 10.0.1.1/24 and 10.0.2.1/24, cross-network path blocked (X): requires complex, manual network configuration to make work.

  87. Mesh Gateways

  88. Mesh Gateway: secure service-to-service communication across networks with full end-to-end encryption that works everywhere.

  90. Two networks, 10.0.2.1/24 and 10.0.1.1/24: WEB, API and DB connected through Connect mesh gateway -> Connect mesh gateway

  91. GW, GW, GW

  92. Demo

  93. Security: gateways cannot decrypt payloads (they do not have keys; only the end service has the private key; the gateway works by inspecting SNI headers); intentions are enforced across datacenters

  94. Two networks joined by Connect mesh gateways: Allow "API" to "DB", Deny "Web" to "DB"

  95. Consul is a full-featured service mesh that supports multi-cloud, multi-region scale.

  96. Thank You Anubhav Mishra @build1point0
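Slides 93 and 94 describe two separate enforcement points: the mesh gateway picks the next hop from the TLS SNI alone and forwards the still-encrypted stream, while the destination proxy terminates mutual TLS, takes the caller's identity from the verified certificate and evaluates intentions with a default of deny. The Python model below is an added example, not code from the talk or from Consul. The intention precedence it implements (exact source and destination beat wildcards; an exact source outranks an exact destination) follows Consul's documented rules; the SNI and SPIFFE URI layouts, the sample intentions and the sample identities are assumptions constructed for this example.

```python
"""Model of mesh-gateway forwarding and intention enforcement. Added example;
SNI/SPIFFE layouts and sample data are assumptions, not Consul's code."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Intention:
    source: str
    destination: str
    action: str  # "allow" or "deny"


# The two intentions from slide 94; everything not matched falls back to deny.
INTENTIONS = [Intention("api", "db", "allow"), Intention("web", "db", "deny")]
DEFAULT_POLICY = "deny"


def _precedence(i: Intention) -> int:
    """exact/exact=3 > exact source/wildcard dest=2 > wildcard source/exact dest=1 > */*=0"""
    return (2 if i.source != "*" else 0) + (1 if i.destination != "*" else 0)


def authorize(source: str, destination: str,
              intentions: list[Intention] = INTENTIONS,
              default: str = DEFAULT_POLICY) -> str:
    """Destination-side decision: the most specific matching intention wins."""
    matches = [i for i in intentions
               if i.source in (source, "*") and i.destination in (destination, "*")]
    if not matches:
        return default
    return max(matches, key=_precedence).action


# ---- gateway side: routing on SNI, no keys, no decryption --------------------
# Assumed SNI layout: "<service>.<namespace>.<datacenter>.internal.<trust-domain>.consul"
def parse_sni(sni: str) -> tuple[str, str]:
    labels = sni.split(".")
    if len(labels) < 6 or labels[3] != "internal" or labels[-1] != "consul":
        raise ValueError("not a mesh SNI: %r" % sni)
    return labels[0], labels[2]  # (service, datacenter)


def gateway_forward(sni: str, local_dc: str, ciphertext: bytes) -> tuple[str, bytes]:
    """Choose the next hop from SNI only and hand the bytes on unchanged: the gateway
    holds no service private key, so it cannot read or alter the payload."""
    service, dc = parse_sni(sni)
    next_hop = "gateway:" + dc if dc != local_dc else "proxy:" + service
    return next_hop, ciphertext


# ---- destination proxy side: identity from the client certificate -----------
# Assumed SPIFFE URI layout: "spiffe://<trust-domain>/ns/<ns>/dc/<dc>/svc/<service>"
def service_from_spiffe(uri: str) -> str:
    marker = "/svc/"
    if not uri.startswith("spiffe://") or marker not in uri:
        raise ValueError("not a service identity: %r" % uri)
    return uri.split(marker, 1)[1]


def destination_proxy(peer_cert_uri: str, local_service: str) -> str:
    """After the mTLS handshake the only trusted caller name is the certificate's
    SAN; nothing in the request body or headers is consulted."""
    return authorize(service_from_spiffe(peer_cert_uri), local_service)


if __name__ == "__main__":
    hop, payload = gateway_forward("db.default.dc2.internal.TRUST.consul", "dc1", b"\x17\x03\x03")
    print("dc1 gateway forwards to", hop, "payload untouched:", payload == b"\x17\x03\x03")
    for caller in ("api", "web", "cache"):
        uri = "spiffe://TRUST/ns/default/dc/dc1/svc/" + caller
        print(caller, "->", destination_proxy(uri, "db"))
```

The gateway function is the part to reason about when reviewing a multi-datacenter mesh: its decision is driven by a cleartext SNI label, so it can route but not authorize, and the allow/deny outcome must always be produced by the proxy that holds the destination's private key.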