Service Mesh - Beyond the Hype

Transcript

1. @build1point0  Service Mesh Beyond the Hype

2. @build1point0  @build1point0 $ whoami Anubhav Mishra Technical Advisor to

   the CTO, HashiCorp

3. @build1point0 

4. @build1point0 

5. @build1point0 

6. @build1point0 

7. @build1point0  Open Source

8. @build1point0  Atlan&s Open Source

9. @build1point0  VAULT IN ACTION BOOK

10. @build1point0  Gopher Artwork by Ashley McNamara

11. @build1point0 

12. PRIVATE CLOUD AWS AZURE GCP Run Development Connect Networking Secure

    
 Security Provision Operations HashiCorp Suite

13. @build1point0  Service Mesh Beyond the Hype

14. @build1point0  Service Mesh Beyond the Hype

15. @build1point0 

16. @build1point0  https://buoyant.io/2017/04/25/whats-a-service-mesh-and-why-do-i-need-one/

17. @build1point0 

18. @build1point0 

19. @build1point0 

20. @build1point0  Smart Networking Basics

21. @build1point0  Service A Service B

22. @build1point0  Service A Service B Service B Service B

    ? Multiple Instances

23. @build1point0  Service A Service B Service B Service B

    ? Multiple Instances Service Discovery

24. @build1point0  Service A Service B

25. @build1point0  Service A Service B Request Failed

26. @build1point0  Service A Service B Request Failed Retries

27. @build1point0  Service A Service B Assigning Identity Cert: serviceA.foo.com

    Cert: serviceB.foo.com

28. @build1point0  Service A Service B Cert: serviceA.foo.com Cert: serviceB.foo.com

    Mutual TLS Assigning Identity

29. @build1point0  Service A Service B Cert: serviceA.foo.com Cert: serviceB.foo.com

    Mutual TLS Authorizing traffic Allow?

30. @build1point0  Challenges Service Discovery & Routing Service Retries, Circuit

    Breaking….. Service Identity & Authorization Observability

31. @build1point0  Smart Networking - First Principles Dumb Pipe or

    Smart Network/Mesh Protocol Awareness

32. @build1point0  Smart Networking - First Principles Dumb Pipe or

    Smart Network/Mesh Protocol Awareness

33. @build1point0  Smart Networking - First Principles Dumb Pipe or

    Smart Network/Mesh Protocol Awareness Service A Service B

34. @build1point0  Dumb Pipe Pros: Simplicity for Networks Smart Applications

    (“What you see is what you get”) Easily Customizable Cons: Redundant Code Every Application has to Implement the Code (Polyglot?)

35. @build1point0  Smart Networking - First Principles Dumb Pipe or

    Smart Network/Mesh Protocol Awareness Proxy Proxy Service A Service B

36. @build1point0  Smart Network/Mesh Pros: Little to no Application Code

    changes are required Features like Traffic Shaping, Service Discovery and Network Policy Control come out of the Box Cons: Smart Network becomes an Implicit Dependency of the Application Harder to Reason about the Whole System

37. @build1point0  Service Mesh

38. @build1point0  Service Mesh aka Smart Network Proxy Proxy Service

    A Service B

39. @build1point0  Service Mesh aka Smart Network Proxy Proxy Service

    A Service B Configure

40. @build1point0  Service Mesh aka Smart Network Proxy Proxy Service

    A Service B Configure Two parts

41. @build1point0  Separation of Control and Data Plane Control Plane

    Data Plane

42. @build1point0  Separation of Control and Data Plane Control Plane

    Data Plane • Traffic Routing / Shaping • Configuring the Data Plane • Policy Enforcement • Provide Service Discovery Data to Data Plane

43. @build1point0  Separation of Control and Data Plane Control Plane

    Data Plane

44. @build1point0  Separation of Control and Data Plane Control Plane

    Data Plane • Forward Request from the Applications • Health Checking • Load Balancing • Circuit Breaking • Timeouts

45. @build1point0  Separation of Control and Data Plane Control Plane

    Data Plane • Forward Request from the Applications • Health Checking • Load Balancing • Circuit Breaking • Timeouts …..

46. @build1point0  Smart Networking - First Principles Dumb Pipe or

    Smart Network/Mesh Protocol Awareness Layer 4 vs Layer 7

47. @build1point0  Protocol Awareness Layer 4 vs Layer 7 TCP,

    UDP vs HTTP “Universally” Compatible High Performance Difficult to provide Sophisticated request aware features Layer 4

48. @build1point0  Protocol Awareness Layer 4 vs Layer 7 TCP,

    UDP vs HTTP Perform complex routing decisions Header and Path based routing Can yield lower performance Layer 7

49. @build1point0  Service Mesh In Action

50. ∕

51. @build1point0  Consul Usage Launched in 2014 17K+ GitHub Stars

    1M+ Downloads monthly Customers running 50,000+ agents "Most widely deployed service discovery tool on AWS"

52. @build1point0  Public Users

53. ∕ Last Year: Consul Connect

54. ∕ Secure service-to-service communication with automatic TLS encryption and identity-based

    authorization that works everywhere. Consul Connect

55. IP1 IP2

56. IP1 IP2 PLAIN TCP

57. IP2 IP1 IP1 IP2 PLAIN TCP WEB DB API

58. IP2 IP1 IP1 IP2 MUTUAL TLS PLAIN TCP WEB DB

    API

59. IP2 IP1 IP1 IP2 MUTUAL TLS PLAIN TCP WEB DB

    API

60. IP2 IP1 IP1 IP2 MUTUAL TLS PLAIN TCP PROXY DB

    API PROXY

61. IP2 IP1 IP1 IP2 MUTUAL TLS PLAIN TCP PROXY DB

    API PROXY

62. IP2 IP1 IP1 IP2 MUTUAL TLS PLAIN TCP PROXY DB

    API PROXY

63. IP2 IP1 IP1 IP2 MUTUAL TLS PLAIN TCP PROXY DB

    API PROXY

64. IP2 IP1 IP1 IP2 MUTUAL TLS PLAIN TCP PROXY DB

    API PROXY

65. @build1point0  Demo

66. ∕ Connect Layer 7 Features

67. ∕ "web.service.consul"

68. ∕ HTTP Routing Traffic Splitting Custom Resolution "web.service.consul"

69. ∕ HTTP Routing Traffic Splitting Custom Resolution "web.service.consul"

70. ∕ ▪ Path (exact, prefix, regex) ▪ Header ▪ Query

    Params ▪ HTTP Methods HTTP Routing

71. Kind = "service-router" Name = "web" Routes = [ {

    Match { HTTP { PathPrefix = "/admin" PrefixRewrite = "/" } } Destination { Service = "admin" }, } ... ] C O D E E D I T O R

72. Kind = "service-router" Name = "web" Routes = [ {

    Match { HTTP { PathPrefix = "/admin" PrefixRewrite = "/" } } Destination { Service = "admin" }, } ... ] C O D E E D I T O R

73. Kind = "service-router" Name = "web" Routes = [ {

    Match { HTTP { PathPrefix = "/admin" PrefixRewrite = "/" } } Destination { Service = "admin" }, } ... ] C O D E E D I T O R

74. ∕ HTTP Routing Traffic Splitting Custom Resolution "web.service.consul" /admin =>

    service: "admin"
 path: "/"

75. Kind = "service-splitter" Name = "admin" Splits = [ {

    Weight = 10 ServiceSubset = "v2" }, { Weight = 90 ServiceSubset = "v1" }, ] C O D E E D I T O R

76. Kind = "service-splitter" Name = "admin" Splits = [ {

    Weight = 10 ServiceSubset = "v2" }, { Weight = 90 ServiceSubset = "v1" }, ] C O D E E D I T O R

77. Kind = "service-splitter" Name = "admin" Splits = [ {

    Weight = 10 ServiceSubset = "v2" }, { Weight = 90 ServiceSubset = "v1" }, ] C O D E E D I T O R

78. ∕ HTTP Routing Traffic Splitting Custom Resolution "web.service.consul" /admin =>

    service: "admin"
 path: "/" Subset: "v2"

79. Kind = "service-resolver" Name = "admin" DefaultSubset = "v1" Subsets

    = { "v1" = { Filter = "Service.Meta.version == 1" }, "v2" = { Filter = "Service.Meta.version == 2" }, } C O D E E D I T O R

80. Kind = "service-resolver" Name = "admin" DefaultSubset = "v1" Subsets

    = { "v1" = { Filter = "Service.Meta.version == 1" }, "v2" = { Filter = "Service.Meta.version == 2" }, } C O D E E D I T O R

81. Kind = "service-resolver" Name = "admin" DefaultSubset = "v1" Subsets

    = { "v1" = { Filter = "Service.Meta.version == 1" }, "v2" = { Filter = "Service.Meta.version == 2" }, } C O D E E D I T O R

82. Kind = "service-resolver" Name = "admin" DefaultSubset = "v1" Subsets

    = { "v1" = { Filter = "Service.Meta.version == 1" }, "v2" = { Filter = "Service.Meta.version == 2" }, } C O D E E D I T O R

83. ∕ HTTP Routing Traffic Splitting Custom Resolution "web.service.consul" V2 v1

    V2 /admin => service: "admin"
 path: "/" Subset: "v2" Meta.Version == 2

84. @build1point0  Demo

85. ∕ 10.0.1.1/24 IP2 IP1 WEB DB API

86. ∕ 10.0.2.1/24 10.0.1.1/24 IP2 IP1 WEB DB API X

87. ∕ 10.0.2.1/24 10.0.1.1/24 IP2 IP1 WEB DB API X Requires

    complex, manual network configuration to make work.

88. ∕

89. ∕ Mesh Gateways

90. ∕ Secure service-to-service communication across networks with full end-to-end encryption

    that works everywhere. Mesh Gateway

91. ∕ 10.0.2.1/24 10.0.1.1/24 IP2 IP1 WEB DB API X

92. ∕ 10.0.2.1/24 10.0.1.1/24 IP2 IP1 WEB DB API CONNECT 


    MESH 
 GATEWAY CONNECT 
 MESH 
 GATEWAY

93. ∕ GW GW GW

94. @build1point0  Demo

95. ∕ ▪ Gateways cannot decrypt payloads – Do not have

    keys, only end service has the private key – Works by inspecting SNI headers ▪ Intentions enforced across datacenters Security

96. ∕ 10.0.2.1/24 10.0.1.1/24 IP2 IP1 WEB DB API CONNECT 


    MESH 
 GATEWAY CONNECT 
 MESH 
 GATEWAY Allow "API" to "DB" Deny "Web" to "DB"

97. ∕ Consul is a full-featured service mesh that supports multi-cloud,

    multi-region scale. Consul

98. Thank You Anubhav Mishra @build1point0