
Service Mesh - Beyond the Hype (Distributed Systems Meetup)


Service mesh technologies have gained significant interest in the past year. We often hear or read the words “Service Mesh” in blog posts or videos nowadays. But most of these don’t explain what the “Service Mesh” really is. In this talk, Anubhav Mishra helps us understand the components that make up a “Service Mesh” and how “Service Mesh” can help developers and operators adopt smart networking techniques to empower their organizations.

We will examine:
1. The history of the term “Service Mesh”.
2. What it takes to create a service mesh control plane and a data plane.
3. Responsibilities of each of those components and why they are critical to the overall functioning of a service mesh.
4. Real-world example of a service mesh in action that connects services running in VMs and containers securely.

Anubhav Mishra

December 05, 2020


Transcript

  1. Service Mesh - Beyond the Hype (@build1point0)

  2. $ whoami
     Anubhav Mishra (@build1point0 | anubhavmishra)
     Technical Advisor to the CTO, HashiCorp

  5. Atlantis (Open Source)

  6. GETTING STARTED WITH HASHICORP VAULT
     THEVAULTBOOK.COM

  7. Gopher Artwork by Ashley McNamara

  9. About HashiCorp - Leading Cloud Infrastructure Automation
     Our software stack enables the provisioning, securing, connecting and running of apps and the infrastructure to support them. We unlock the cloud operating model for every business.
     Founded: 2012 | Employees: 1000 | Funding: 349M
     Run (Development), Connect (Networking), Secure (Security), Provision (Operations)

  10. Service Mesh - Beyond the Hype

  13. https://buoyant.io/2017/04/25/whats-a-service-mesh-and-why-do-i-need-one/

  17. Smart Networking Basics

  18. Service A -> Service B

  19. Service A -> Service B, Service B, Service B (which one?)
      Multiple Instances

  20. Service A -> Service B, Service B, Service B (which one?)
      Multiple Instances: Service Discovery

  21. Service A -> Service B

  22. Service A -> Service B: Request Failed

  23. Service A -> Service B: Request Failed
      Retries

  24. Assigning Identity
      Service A (Cert: serviceA.foo.com) -> Service B (Cert: serviceB.foo.com)

  25. Assigning Identity
      Service A (Cert: serviceA.foo.com) <-> Service B (Cert: serviceB.foo.com)
      Mutual TLS

  26. Authorizing traffic
      Service A (Cert: serviceA.foo.com) <-> Service B (Cert: serviceB.foo.com)
      Mutual TLS: Allow?

  27. Challenges
      • Service Discovery & Routing
      • Service Retries, Circuit Breaking, ...
      • Service Identity & Authorization
      • Observability

  28. Smart Networking - First Principles
      • Dumb Pipe or Smart Network/Mesh
      • Protocol Awareness

  30. Smart Networking - First Principles: Dumb Pipe
      Service A -> Service B

  31. Dumb Pipe
      Pros:
      • Simplicity for Networks
      • Smart Applications ("What you see is what you get")
      • Easily Customizable
      Cons:
      • Redundant Code
      • Every Application has to Implement the Code (Polyglot?)

  32. Smart Networking - First Principles: Smart Network/Mesh
      Service A -> Proxy -> Proxy -> Service B

  33. Smart Network/Mesh
      Pros:
      • Little to no Application Code changes are required
      • Features like Traffic Shaping, Service Discovery and Network Policy Control come out of the Box
      Cons:
      • Smart Network becomes an Implicit Dependency of the Application
      • Harder to Reason about the Whole System

  34. Service Mesh

  35. Service Mesh aka Smart Network
      Service A -> Proxy -> Proxy -> Service B

  36. Service Mesh aka Smart Network
      Service A -> Proxy -> Proxy -> Service B
      Configure

  37. Service Mesh aka Smart Network
      Service A -> Proxy -> Proxy -> Service B
      Configure: Two parts

  38. Separation of Control and Data Plane
      Control Plane / Data Plane

  39. Separation of Control and Data Plane: Control Plane
      • Traffic Routing / Shaping
      • Configuring the Data Plane
      • Policy Enforcement
      • Provide Service Discovery Data to Data Plane

  41. Separation of Control and Data Plane: Data Plane
      • Forward Request from the Applications
      • Health Checking
      • Load Balancing
      • Circuit Breaking
      • Timeouts
      • ...

  43. Smart Networking - First Principles
      • Dumb Pipe or Smart Network/Mesh
      • Protocol Awareness: Layer 4 vs Layer 7

  44. Protocol Awareness - Layer 4 vs Layer 7 (TCP, UDP vs HTTP)
      Layer 4:
      • "Universally" Compatible
      • High Performance
      • Difficult to provide Sophisticated request aware features

  45. Protocol Awareness - Layer 4 vs Layer 7 (TCP, UDP vs HTTP)
      Layer 7:
      • Perform complex routing decisions
      • Header and Path based routing
      • Can yield lower performance

  46. Service Mesh In Action

  47. Consul Usage
      • Launched in 2014
      • 20K+ GitHub Stars
      • 1M+ Downloads monthly
      • Customers running 50,000+ agents
      • "Most widely deployed service discovery tool on AWS"

  48. Public Users


  49. Consul Connect

  50. Consul Connect
      Secure service-to-service communication with automatic TLS encryption and identity-based authorization that works everywhere.

  51. IP1 -> IP2: PLAIN TCP

  52. WEB, API, DB
      IP1 -> IP2: PLAIN TCP
      IP1 -> IP2: MUTUAL TLS

  53. API -> PROXY -> PROXY -> DB
      PLAIN TCP between each service and its proxy; MUTUAL TLS between the proxies (IP1 <-> IP2)


  57. Connect Layer 7 Features

  58. "web.service.consul"

  59. "web.service.consul": HTTP Routing -> Traffic Splitting -> Custom Resolution

  61. HTTP Routing
      ▪ Path (exact, prefix, regex)
      ▪ Header
      ▪ Query Params
      ▪ HTTP Methods

  62. Kind = "service-router"
      Name = "web"
      Routes = [
        {
          Match {
            HTTP {
              PathPrefix = "/admin"
            }
          }
          Destination {
            Service = "admin"
            # PrefixRewrite is a Destination field in Consul's service-router schema;
            # the slide showed it under Match.HTTP, which is not a valid placement.
            PrefixRewrite = "/"
          }
        },
        ...
      ]


  65. "web.service.consul": HTTP Routing -> Traffic Splitting -> Custom Resolution
      /admin => service: "admin", path: "/"

  66. Kind = "service-splitter"
      Name = "admin"
      Splits = [
        {
          Weight = 10
          ServiceSubset = "v2"
        },
        {
          Weight = 90
          ServiceSubset = "v1"
        },
      ]


  69. "web.service.consul": HTTP Routing -> Traffic Splitting -> Custom Resolution
      /admin => service: "admin", path: "/", Subset: "v2"

  70. Kind = "service-resolver"
      Name = "admin"
      DefaultSubset = "v1"
      Subsets = {
        "v1" = {
          Filter = "Service.Meta.version == 1"
        },
        "v2" = {
          Filter = "Service.Meta.version == 2"
        },
      }


  74. "web.service.consul": HTTP Routing -> Traffic Splitting -> Custom Resolution
      /admin => service: "admin", path: "/", Subset: "v2" => Meta.Version == 2
      Instances: V2, v1, V2
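The router, splitter and resolver entries on slides 62, 66 and 70 compose into one L7 pipeline for a request to "web". The following added example (not code from the talk or from Consul) models that composition in Python; the catalog instances, the weighted roll and the minimal filter parser are constructed assumptions for illustration.

```python
"""Added example (not code from the talk or from Consul): a minimal model of how the
service-router, service-splitter and service-resolver entries above compose for one
request to "web". Entries mirror the slides; catalog, roll and logic are constructed."""
import re
ROUTER = {"Kind": "service-router", "Name": "web", "Routes": [
    {"Match": {"HTTP": {"PathPrefix": "/admin"}},
     "Destination": {"Service": "admin", "PrefixRewrite": "/"}}]}
SPLITTER = {"Kind": "service-splitter", "Name": "admin", "Splits": [
    {"Weight": 10, "ServiceSubset": "v2"}, {"Weight": 90, "ServiceSubset": "v1"}]}
RESOLVER = {"Kind": "service-resolver", "Name": "admin", "DefaultSubset": "v1",
            "Subsets": {"v1": {"Filter": "Service.Meta.version == 1"},
                        "v2": {"Filter": "Service.Meta.version == 2"}}}
# Constructed catalog: healthy "admin" instances and their version metadata.
CATALOG = {"admin": [{"Address": "10.0.1.10", "Meta": {"version": "1"}},
                     {"Address": "10.0.1.11", "Meta": {"version": "1"}},
                     {"Address": "10.0.1.20", "Meta": {"version": "2"}}]}

def route(path):
    """Step 1, service-router: plain string-prefix match (so "/administrator" also
    matches "/admin"), then swap the prefix for PrefixRewrite joined with one '/'."""
    for r in ROUTER["Routes"]:
        prefix = r["Match"]["HTTP"]["PathPrefix"]
        if path.startswith(prefix):
            dest, rest = r["Destination"], path[len(prefix):].lstrip("/")
            return dest["Service"], dest["PrefixRewrite"].rstrip("/") + "/" + rest
    return None  # no route matched: the request would stay on "web" itself

def split(roll):
    """Step 2, service-splitter: weighted subset choice; roll is a percent in [0, 100)."""
    cumulative = 0
    for s in SPLITTER["Splits"]:
        cumulative += s["Weight"]
        if roll < cumulative:
            return s["ServiceSubset"]
    return RESOLVER["DefaultSubset"]

def resolve(service, subset):
    """Step 3, service-resolver: keep instances matching the subset filter
    (only the 'Service.Meta.<key> == <value>' form used on the slides is parsed)."""
    key, value = re.fullmatch(r"Service\.Meta\.(\w+) == (\w+)",
                              RESOLVER["Subsets"][subset]["Filter"]).groups()
    return [i["Address"] for i in CATALOG[service] if i["Meta"].get(key) == value]

def dispatch(path, roll):
    """Run the three steps for one request; None means the router did not match."""
    routed = route(path)
    if routed is None:
        return None
    subset = split(roll)
    return {"service": routed[0], "path": routed[1], "subset": subset,
            "upstreams": resolve(routed[0], subset)}
```

Roll values below 10 land on subset "v2", so about one request in ten reaches the single version-2 instance while the rest go to the two version-1 instances.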


  75. Network 10.0.1.1/24: WEB, API, DB (IP1, IP2)

  76. Networks 10.0.1.1/24 and 10.0.2.1/24: WEB, API, DB (IP1, IP2); the cross-network path is marked X

  77. Networks 10.0.1.1/24 and 10.0.2.1/24: WEB, API, DB (IP1, IP2); the cross-network path is marked X
      Requires complex, manual network configuration to make work.

  78. Mesh Gateways

  79. Mesh Gateway
      Secure service-to-service communication across networks with full end-to-end encryption that works everywhere.

  81. Networks 10.0.1.1/24 and 10.0.2.1/24: WEB, API, DB (IP1, IP2)
      CONNECT MESH GATEWAY <-> CONNECT MESH GATEWAY

  82. Demo

  83. Security
      ▪ Gateways cannot decrypt payloads
        – Do not have keys, only end service has the private key
        – Works by inspecting SNI headers
      ▪ Intentions enforced across datacenters

  84. Networks 10.0.1.1/24 and 10.0.2.1/24: WEB, API, DB (IP1, IP2)
      CONNECT MESH GATEWAY <-> CONNECT MESH GATEWAY
      Intentions: Allow "API" to "DB", Deny "Web" to "DB"
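Slide 83's point that a gateway routes by SNI without holding any service key, shown as an added example (not code from the talk or from Consul): a hand-built TLS ClientHello, an SNI extractor, and a gateway lookup that touches nothing but that cleartext name. The SNI naming scheme and the routing table are constructed assumptions.

```python
"""Added example (not code from the talk or from Consul): why a mesh gateway can
forward a mutual-TLS connection it cannot decrypt. The client proxy names the
destination in the clear in the ClientHello's SNI extension; the gateway reads
only that, picks a next hop and relays the bytes unchanged. The ClientHello
builder, the SNI naming and the routing table are constructed for illustration."""
import struct

def build_client_hello(server_name):
    """Minimal TLS ClientHello record carrying a single SNI extension."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name(0), length, name
    ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)                                 # version, random (zeroed here)
            + b"\x00"                                               # empty session_id
            + b"\x00\x02\x13\x01"                                   # one cipher suite
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the SNI host_name of a ClientHello record, or None if it is not one."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                    # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0:                             # server_name: list_len(2) type(1) name_len(2)
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += ext_len
    return None

# Constructed gateway table: SNI -> the remote datacenter's proxy for that service.
GATEWAY_ROUTES = {"db.default.dc2.internal.example": ("10.0.2.5", 20000)}

def gateway_route(record):
    """Choose the next hop from SNI alone; the gateway holds no service keys, so
    everything after the ClientHello stays opaque to it and is relayed as-is."""
    sni = extract_sni(record)
    return GATEWAY_ROUTES.get(sni) if sni else None
```

Because the gateway never terminates TLS, the Allow/Deny decision on slide 84 still has to be made by the destination proxy, which sees the client certificate; the gateway only steers the connection.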


  85. Visualization

  87. Consul
      Consul is a full-featured service mesh that supports multi-cloud, multi-region scale.

  88. Thank You
      Anubhav Mishra
      @build1point0
      https://mishra.dev/service-mesh-distributed-systems-meetup