Service Mesh - Beyond the Hype (Distributed Systems Meetup)

Service mesh technologies have gained significant interest in the past year. We often hear or read the words “Service Mesh” in blog posts or videos nowadays. But most of these don’t explain what the “Service Mesh” really is. In this talk, Anubhav Mishra helps us understand the components that make up a “Service Mesh” and how “Service Mesh” can help developers and operators adopt smart networking techniques to empower their organizations.

We will examine:
1. The history of the term “Service Mesh”.
2. What it takes to create a service mesh control plane and a data plane.
3. Responsibilities of each of those components and why they are critical to the overall functioning of a service mesh.
4. Real-world example of a service mesh in action that connects services running in VMs and containers securely.

Anubhav Mishra

December 05, 2020
Transcript

  1. @build1point0. Leading Cloud Infrastructure Automation. About HashiCorp: our software stack enables the provisioning, securing, connecting and running of apps and the infrastructure to support them. We unlock the cloud operating model for every business. Founded 2012; Employees 1000; Funding 349M. Run (Development), Connect (Networking), Secure (Security), Provision (Operations).
  2. Service A → Service B, Service B, Service B (Multiple Instances); ? Service Discovery.
  3. Challenges: Service Discovery & Routing; Service Retries, Circuit Breaking…; Service Identity & Authorization; Observability.
  4. Smart Networking - First Principles: Dumb Pipe or Smart Network/Mesh; Protocol Awareness. Service A → Service B.
  5. Dumb Pipe. Pros: Simplicity for Networks; Smart Applications (“What you see is what you get”); Easily Customizable. Cons: Redundant Code; Every Application has to Implement the Code (Polyglot?).
  6. Smart Networking - First Principles: Dumb Pipe or Smart Network/Mesh; Protocol Awareness. Service A → Proxy → Proxy → Service B.
  7. Smart Network/Mesh. Pros: Little to no Application Code changes are required; Features like Traffic Shaping, Service Discovery and Network Policy Control come out of the Box. Cons: Smart Network becomes an Implicit Dependency of the Application; Harder to Reason about the Whole System.
  8. Separation of Control and Data Plane. Control Plane: • Traffic Routing / Shaping • Configuring the Data Plane • Policy Enforcement • Provide Service Discovery Data to Data Plane.
  9. Separation of Control and Data Plane. Data Plane: • Forward Request from the Applications • Health Checking • Load Balancing • Circuit Breaking • Timeouts • …
  11. Smart Networking - First Principles: Dumb Pipe or Smart Network/Mesh; Protocol Awareness: Layer 4 vs Layer 7.
  12. Protocol Awareness, Layer 4 vs Layer 7 (TCP, UDP vs HTTP). Layer 4: “Universally” Compatible; High Performance; Difficult to provide Sophisticated request-aware features.
  13. Protocol Awareness, Layer 4 vs Layer 7 (TCP, UDP vs HTTP). Layer 7: Perform complex routing decisions; Header and Path based routing; Can yield lower performance.
  14. Consul Usage: Launched in 2014; 20K+ GitHub Stars; 1M+ Downloads monthly; Customers running 50,000+ agents; "Most widely deployed service discovery tool on AWS".
  15. HTTP Routing: ▪ Path (exact, prefix, regex) ▪ Header ▪ Query Params ▪ HTTP Methods.
  16. Code editor: service-router config entry.

```hcl
Kind = "service-router"
Name = "web"
Routes = [
  {
    Match {
      HTTP {
        PathPrefix = "/admin"
      }
    }
    Destination {
      Service       = "admin"
      # PrefixRewrite is a Destination field in Consul's service-router schema
      # (the slide showed it under Match.HTTP, where it is not accepted).
      PrefixRewrite = "/"
    }
  },
  # ... further routes
]
```
  19. Code editor: service-splitter config entry.

```hcl
Kind = "service-splitter"
Name = "admin"
Splits = [
  {
    Weight        = 10
    ServiceSubset = "v2"
  },
  {
    Weight        = 90
    ServiceSubset = "v1"
  },
]
```
  22. Code editor: service-resolver config entry.

```hcl
Kind = "service-resolver"
Name = "admin"
DefaultSubset = "v1"
Subsets = {
  "v1" = {
    Filter = "Service.Meta.version == 1"
  },
  "v2" = {
    Filter = "Service.Meta.version == 2"
  },
}
```
  26. HTTP Routing → Traffic Splitting → Custom Resolution. "web.service.consul": /admin => service: "admin", path: "/"; Subset: "v2" (Meta.Version == 2); instances v1 / v2.
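As an added example (my code, not the deck's or Consul's), the three config entries from slides 16, 19 and 22 are walked through in Python for one request: the router picks the destination and rewrites the path, the splitter picks a subset by weight, and the resolver filters catalog instances by Meta.version. The instance catalog, its addresses and the `roll` value are constructed; the prefix-rewrite join and the filter parsing are simplified models, and PrefixRewrite sits under Destination as in Consul's schema.

```python
# Config entries transcribed from the deck's HCL into dicts; the catalog of
# "admin"/"web" instances and their addresses are constructed for this example.
ROUTER = {"Kind": "service-router", "Name": "web", "Routes": [
    {"Match": {"HTTP": {"PathPrefix": "/admin"}},
     "Destination": {"Service": "admin", "PrefixRewrite": "/"}}]}
SPLITTERS = {"admin": {"Kind": "service-splitter", "Name": "admin", "Splits": [
    {"Weight": 10, "ServiceSubset": "v2"}, {"Weight": 90, "ServiceSubset": "v1"}]}}
RESOLVERS = {"admin": {"Kind": "service-resolver", "Name": "admin", "DefaultSubset": "v1",
    "Subsets": {"v1": {"Filter": "Service.Meta.version == 1"},
                "v2": {"Filter": "Service.Meta.version == 2"}}}}
CATALOG = {"web":   [{"addr": "10.0.2.10", "meta": {}}],
           "admin": [{"addr": "10.0.2.11", "meta": {"version": "1"}},
                     {"addr": "10.0.2.12", "meta": {"version": "1"}},
                     {"addr": "10.0.2.13", "meta": {"version": "2"}}]}

def route(router, path):
    """First PathPrefix match wins and its prefix is swapped for PrefixRewrite
    (a doubled slash is collapsed here; real proxies differ in that corner case)."""
    for r in router["Routes"]:
        prefix = r["Match"]["HTTP"]["PathPrefix"]
        if path.startswith(prefix):
            dest = r["Destination"]
            rewritten = (dest.get("PrefixRewrite", prefix) + path[len(prefix):]).replace("//", "/")
            return dest["Service"], rewritten or "/"
    return router["Name"], path          # nothing matched: stay on the router's own service

def split(splitter, roll):
    """Map a roll in [0, 100) onto the cumulative split weights."""
    total = 0
    for s in splitter["Splits"]:
        total += s["Weight"]
        if roll < total:
            return s["ServiceSubset"]
    raise ValueError("split weights must sum to 100")

def resolve(resolver, catalog, subset):
    """Apply the subset's filter; only the 'Service.Meta.<key> == <value>' form is modelled."""
    key, want = resolver["Subsets"][subset]["Filter"].split(" == ")
    key = key[len("Service.Meta."):]
    return [i["addr"] for i in catalog[resolver["Name"]] if i["meta"].get(key) == want]

def handle(path, roll):
    """Return (service, rewritten path, subset, candidate addresses) for one request."""
    service, new_path = route(ROUTER, path)
    splitter, resolver = SPLITTERS.get(service), RESOLVERS.get(service)
    if resolver is None:                 # no L7 entries: every catalog instance is a candidate
        return service, new_path, None, [i["addr"] for i in CATALOG[service]]
    subset = split(splitter, roll) if splitter else resolver["DefaultSubset"]
    return service, new_path, subset, resolve(resolver, CATALOG, subset)
```

With these weights, about one request in ten for /admin lands on the single version-2 instance; the rest go to the two version-1 instances.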
  27. Two networks, 10.0.2.1/24 and 10.0.1.1/24 (IP1, IP2), running WEB, DB, API. X: Requires complex, manual network configuration to make work.
  28. Security: ▪ Gateways cannot decrypt payloads – Do not have keys, only end service has the private key – Works by inspecting SNI headers ▪ Intentions enforced across datacenters.
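Slide 28's point that a gateway can forward traffic it has no keys for, as an added example (not the deck's or Consul's code): a constructed minimal TLS ClientHello is built, the SNI host name is read from its cleartext handshake headers, and a backend is chosen from a constructed table. The SNI names and backend addresses are made up and do not follow Consul's real naming scheme.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed, minimal TLS 1.2 ClientHello record whose only extension is SNI."""
    host = server_name.encode()
    names = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni = struct.pack("!HH", 0, len(names) + 2) + struct.pack("!H", len(names)) + names
    body = (b"\x03\x03" + bytes(32)                  # client_version + all-zero random
            + b"\x00"                                # session_id length
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method: null
            + struct.pack("!H", len(sni)) + sni)     # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record

def sni_from_client_hello(record: bytes):
    """Walk the cleartext handshake headers to the SNI extension; None if absent or malformed."""
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                  # handshake header, version, random
        p += 1 + hs[p]                                  # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
        p += 1 + hs[p]                                  # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data, p = hs[p + 4:p + 4 + elen], p + 4 + elen
            if etype == 0 and data[2] == 0:             # server_name ext, host_name entry
                return data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

# Constructed gateway table: SNI name -> backend that actually holds the private key.
BACKENDS = {"admin.dc2.example-mesh": "10.0.1.20:20000",
            "db.dc2.example-mesh": "10.0.1.30:20000"}

def gateway_pick_backend(record: bytes):
    """Forwarding decision made purely from SNI; the payload is never decrypted here."""
    return BACKENDS.get(sni_from_client_hello(record))
```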
  29. 10.0.2.1/24 and 10.0.1.1/24 (IP1, IP2); WEB, DB, API; Connect Mesh Gateway ↔ Connect Mesh Gateway. Intentions: Allow "API" to "DB"; Deny "Web" to "DB".