
Service Mesh - Beyond the Hype (Distributed Systems Meetup)


Service mesh technologies have gained significant interest in the past year. We often hear or read the words “Service Mesh” in blog posts or videos nowadays. But most of these don’t explain what the “Service Mesh” really is. In this talk, Anubhav Mishra helps us understand the components that make up a “Service Mesh” and how “Service Mesh” can help developers and operators adopt smart networking techniques to empower their organizations.

We will examine:
1. The history of the term “Service Mesh”.
2. What it takes to create a service mesh control plane and a data plane.
3. Responsibilities of each of those components and why they are critical to the overall functioning of a service mesh.
4. Real-world example of a service mesh in action that connects services running in VMs and containers securely.


Anubhav Mishra

December 05, 2020

Transcript

  1. Service Mesh Beyond the Hype

  2. $ whoami: Anubhav Mishra, Technical Advisor to the CTO, HashiCorp (@build1point0 | anubhavmishra)

  5. Atlantis Open Source

  6. Getting Started with HashiCorp Vault (thevaultbook.com)

  7. Gopher artwork by Ashley McNamara

  9. About HashiCorp: Leading Cloud Infrastructure Automation. Our software stack enables the provisioning, securing, connecting and running of apps and the infrastructure to support them. We unlock the cloud operating model for every business. Founded 2012; Employees 1000; Funding 349M. Product pillars: Provision (Operations), Secure (Security), Connect (Networking), Run (Development).

  10. Service Mesh Beyond the Hype

  13. https://buoyant.io/2017/04/25/whats-a-service-mesh-and-why-do-i-need-one/

  17. Smart Networking Basics

  18. Service A -> Service B

  19. Service A -> Service B, Service B, Service B: multiple instances?

  20. Service A -> Service B, Service B, Service B: multiple instances? Service Discovery

  21. Service A -> Service B

  22. Service A -> Service B: Request Failed

  23. Service A -> Service B: Request Failed; Retries

  24. Service A, Service B: Assigning Identity. Cert: serviceA.foo.com; Cert: serviceB.foo.com

  25. Service A (Cert: serviceA.foo.com) <-> Service B (Cert: serviceB.foo.com): Assigning Identity; Mutual TLS

  26. Service A (Cert: serviceA.foo.com) <-> Service B (Cert: serviceB.foo.com): Mutual TLS; Authorizing traffic: Allow?

  27. Challenges: Service Discovery & Routing; Service Retries, Circuit Breaking…; Service Identity & Authorization; Observability

  28. Smart Networking - First Principles: Dumb Pipe or Smart Network/Mesh; Protocol Awareness

  30. Smart Networking - First Principles: Dumb Pipe or Smart Network/Mesh; Protocol Awareness. Service A -> Service B

  31. Dumb Pipe. Pros: Simplicity for Networks; Smart Applications ("What you see is what you get"); Easily Customizable. Cons: Redundant Code; Every Application has to Implement the Code (Polyglot?)

  32. Smart Networking - First Principles: Dumb Pipe or Smart Network/Mesh; Protocol Awareness. Service A -> Proxy -> Proxy -> Service B

  33. Smart Network/Mesh. Pros: Little to no Application Code changes are required; Features like Traffic Shaping, Service Discovery and Network Policy Control come out of the Box. Cons: Smart Network becomes an Implicit Dependency of the Application; Harder to Reason about the Whole System

  34. Service Mesh

  35. Service Mesh aka Smart Network: Service A -> Proxy -> Proxy -> Service B

  36. Service Mesh aka Smart Network: Service A -> Proxy -> Proxy -> Service B; Configure

  37. Service Mesh aka Smart Network: Service A -> Proxy -> Proxy -> Service B; Configure. Two parts

  38. Separation of Control and Data Plane: Control Plane; Data Plane

  39. Separation of Control and Data Plane. Control Plane: Traffic Routing / Shaping; Configuring the Data Plane; Policy Enforcement; Provide Service Discovery Data to Data Plane

  41. Separation of Control and Data Plane. Data Plane: Forward Requests from the Applications; Health Checking; Load Balancing; Circuit Breaking; Timeouts; …

  43. Smart Networking - First Principles: Dumb Pipe or Smart Network/Mesh; Protocol Awareness: Layer 4 vs Layer 7

  44. Protocol Awareness, Layer 4 vs Layer 7 (TCP, UDP vs HTTP). Layer 4: "Universally" Compatible; High Performance; Difficult to provide Sophisticated request-aware features

  45. Protocol Awareness, Layer 4 vs Layer 7 (TCP, UDP vs HTTP). Layer 7: Perform complex routing decisions; Header and Path based routing; Can yield lower performance

  46. Service Mesh In Action

  47. Consul Usage: Launched in 2014; 20K+ GitHub Stars; 1M+ Downloads monthly; Customers running 50,000+ agents; "Most widely deployed service discovery tool on AWS"

  48. Public Users

  49. Consul Connect

  50. Consul Connect: Secure service-to-service communication with automatic TLS encryption and identity-based authorization that works everywhere.

  51. IP1 -> IP2: Plain TCP

  52. WEB (IP1) -> DB (IP2); API (IP1) -> DB (IP2): Mutual TLS vs Plain TCP

  53. WEB (IP1) -> PROXY -> Mutual TLS -> PROXY -> DB (IP2); API (IP1) -> PROXY -> Mutual TLS -> PROXY -> DB (IP2); Plain TCP between each service and its proxy

  57. Connect Layer 7 Features

  58. "web.service.consul"

  59. HTTP Routing; Traffic Splitting; Custom Resolution: "web.service.consul"

  61. HTTP Routing: Path (exact, prefix, regex); Header; Query Params; HTTP Methods

  62. service-router config entry:
      Kind = "service-router"
      Name = "web"
      Routes = [
        {
          Match {
            HTTP {
              PathPrefix = "/admin"
            }
          }
          Destination {
            Service       = "admin"
            PrefixRewrite = "/"   # the rewrite is a Destination field in a service-router entry
          }
        },
        # ...
      ]

  65. HTTP Routing; Traffic Splitting; Custom Resolution: "web.service.consul" /admin => service: "admin", path: "/"

  66. service-splitter config entry:
      Kind = "service-splitter"
      Name = "admin"
      Splits = [
        {
          Weight        = 10
          ServiceSubset = "v2"
        },
        {
          Weight        = 90
          ServiceSubset = "v1"
        },
      ]

  69. HTTP Routing; Traffic Splitting; Custom Resolution: "web.service.consul" /admin => service: "admin", path: "/", Subset: "v2"

  70. service-resolver config entry:
      Kind          = "service-resolver"
      Name          = "admin"
      DefaultSubset = "v1"
      Subsets = {
        "v1" = {
          Filter = "Service.Meta.version == 1"
        }
        "v2" = {
          Filter = "Service.Meta.version == 2"
        }
      }

  74. HTTP Routing; Traffic Splitting; Custom Resolution: "web.service.consul" with instances v1, v2, v2. /admin => service: "admin", path: "/", Subset: "v2" (Meta.Version == 2)
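The router, splitter and resolver decision that slides 62 to 74 walk through, as an added example that is not part of the deck or of Consul: a small Python model of the three config entries above, applied to one request against a constructed catalog of `admin` instances (addresses and `Service.Meta` values are made up). `dispatch` returns what each stage decided, so the `/admin => admin, "/", v2` result on the slides can be checked end to end.

```python
# Constructed in-memory equivalents of the deck's three config entries
# (service-router, service-splitter, service-resolver); not Consul's own code.
ROUTER = {"web": [{"PathPrefix": "/admin", "PrefixRewrite": "/", "Service": "admin"}]}
SPLITTER = {"admin": [("v2", 10), ("v1", 90)]}          # weights out of 100
RESOLVER = {"admin": {"DefaultSubset": "v1",
                      "Subsets": {"v1": {"version": "1"}, "v2": {"version": "2"}}}}
# Constructed catalog: (address, Service.Meta) for each registered instance.
CATALOG = {
    "web":   [("10.0.1.5", {})],
    "admin": [("10.0.1.11", {"version": "1"}),
              ("10.0.1.12", {"version": "1"}),
              ("10.0.1.21", {"version": "2"})],
}

def route(service, path):
    """service-router: first PathPrefix match wins and the prefix is rewritten."""
    for r in ROUTER.get(service, []):
        if path.startswith(r["PathPrefix"]):
            rest = path[len(r["PathPrefix"]):].lstrip("/")
            return r["Service"], r["PrefixRewrite"] + rest
    return service, path                       # no route: pass through unchanged

def split(service, roll):
    """service-splitter: map a 0-99 roll onto the weighted subsets (None if no splitter)."""
    upto = 0
    for subset, weight in SPLITTER.get(service, []):
        upto += weight
        if roll < upto:
            return subset
    return None

def resolve(service, subset):
    """service-resolver: keep instances whose Service.Meta matches the subset filter."""
    cfg = RESOLVER.get(service)
    instances = CATALOG.get(service, [])
    if cfg is None:                            # no resolver: every instance is eligible
        return [addr for addr, _ in instances]
    wanted = cfg["Subsets"][subset or cfg["DefaultSubset"]]
    return [addr for addr, meta in instances
            if all(meta.get(k) == v for k, v in wanted.items())]

def dispatch(service, path, roll):
    """Full decision for one request: router -> splitter -> resolver."""
    svc, new_path = route(service, path)
    subset = split(svc, roll)
    if subset is None and svc in RESOLVER:     # no splitter decision: resolver default
        subset = RESOLVER[svc]["DefaultSubset"]
    return {"service": svc, "path": new_path, "subset": subset,
            "instances": resolve(svc, subset)}
```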
  75. 10.0.1.1/24: WEB (IP1), API (IP1), DB (IP2)

  76. 10.0.1.1/24 (WEB, API) X 10.0.2.1/24 (DB)

  77. 10.0.1.1/24 (WEB, API) X 10.0.2.1/24 (DB): Requires complex, manual network configuration to make work.

  78. Mesh Gateways

  79. Mesh Gateway: Secure service-to-service communication across networks with full end-to-end encryption that works everywhere.

  81. 10.0.1.1/24 (WEB, API) -> Connect Mesh Gateway -> Connect Mesh Gateway -> 10.0.2.1/24 (DB)

  82. GW GW GW

  83. Demo

  84. Security: Gateways cannot decrypt payloads; they do not have keys, only the end service has the private key; they work by inspecting SNI headers. Intentions are enforced across datacenters.

  85. 10.0.1.1/24 (WEB, API) -> Connect Mesh Gateway -> Connect Mesh Gateway -> 10.0.2.1/24 (DB). Intentions: Allow "API" to "DB"; Deny "Web" to "DB"
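Slide 84's point that a gateway forwards on the SNI header alone and never holds a key, as an added example that is not part of the deck or of Consul: a Python parser that pulls `server_name` out of a raw TLS ClientHello, a builder that constructs a minimal ClientHello to feed it, and a gateway-style lookup that refuses anything it cannot name. The SNI names and the route table are constructed placeholders, not Consul's real SNI layout.

```python
import struct

def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello whose only extension is server_name (test input)."""
    host = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host  # server_name_list, host_name
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                    # client_version, random (zeroed)
            + b"\x00"                                     # empty session_id
            + b"\x00\x02\x13\x01"                         # one cipher suite
            + b"\x01\x00"                                 # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)          # extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def sni_from_client_hello(data):
    """Return server_name from a ClientHello, or None; needs no key and decrypts nothing."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None                                       # not a handshake record / ClientHello
    try:
        pos = 9 + 2 + 32                                  # past headers, version and random
        pos += 1 + data[pos]                              # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + data[pos]                              # compression_methods
        if pos + 2 > len(data):
            return None                                   # ClientHello without extensions
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(data)):
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:                                # list len(2), name type(1), name len(2), name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        return None                                       # truncated or malformed hello
    return None

# Constructed gateway route table keyed by SNI (placeholder names, not Consul's real SNI format).
ROUTES = {"db.dc2.mesh.example": ("10.0.2.10", 8443)}

def gateway_target(client_hello):
    """Mesh-gateway style decision: pick the upstream from SNI alone; unknown or absent SNI is refused."""
    name = sni_from_client_hello(client_hello)
    return ROUTES.get(name) if name else None
```

Because the gateway only ever reads the cleartext ClientHello, the mutual TLS session and the intention check still terminate at the destination service's proxy, which is the only party holding the private key.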
  86. Visualization

  88. Consul: Consul is a full-featured service mesh that supports multi-cloud, multi-region scale.

  89. Thank You. Anubhav Mishra, @build1point0, https://mishra.dev/service-mesh-distributed-systems-meetup