Consul: Service Mesh for Microservices

Transcript

1. Service Mesh for Microservices

2. Armon Dadgar Founder and CTO @armon

3. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE Nomad Consul Vault Vagrant

   Packer Terraform Consul Enterprise Terraform Enterprise Vault Enterprise PRODUCT SUITE OSS TOOL SUITE RUN Applications SECURE Application Infrastructure PROVISION Infrastructure FOR INDIVIDUALS FOR TEAMS Nomad Enterprise

4. Service Mesh for Microservices

5. A B C D Monolith

6. Monolith A B C D

7. Monolith A B C D Static IP

8. Monolith LB A B C D Static IP

9. Zone Firewall DMZ Firewall Monolith A B C D Static

   IP LB

10. What Changed?

11. A B C D Monolith

12. Microservices A B C D

13. Microservices A B C D ?

14. B B Microservices A B C D ?

15. Microservices B B A B C D LB

16. Operating in the Cloud + Containers Dynamic IP Addresses Higher

    Failure Rate Ephemeral Infrastructure Complex Network Topology

17. Service Discovery

18. Service Registry Register B B A B

19. Service Registry Discover B B A B

20. Service Registry Connect B B A B

21. Service Registry Connect B B Attacker B

22. Service Segmentation

23. Defining Segmentation Splitting network into sub-networks Restricting communication between sub-networks

    Virtual LAN, Firewalls, Software Defined Networks Coarse Grained, Many Services Segment A Segment B Network

24. Zone Firewall DMZ Firewall Monolith A B C D Static

    IP LB

25. Microservices A B C D

26. None

27. A -> B C -> D D -> C A

    B C D

28. B -> D A -> C A B C D

29. None

30. Service Mesh for Microservices Service Discovery. Connect services with a

    dynamic registry Service Configuration. Configure services with runtime configs Service Segmentation. Secure services based on identity

31. Consul Usage Launched in 2014 12K+ GitHub Stars 1M+ Downloads

    monthly Customers running 50,000+ agents

32. Public Users

33. Service Discovery Registry of Nodes, Services, Checks DNS API HTTP

    API Web UI

34. T E R M I N A L $ dig

    redis.service.consul ; <<>> DiG 9.8.3-P1 <<>> redis.service.consul ; (3 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9046 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;redis.service.consul.IN A ;; ANSWER SECTION: redis.service.consul. 0 IN A 10.1.10.38

35. T E R M I N A L $ curl

    http://localhost:8500/v1/catalog/service/redis [ { "ID": "52f73400-a352-80d2-9624-e70cc9996762", "Node": "consul-client-2", "Address": "10.0.1.83", "Datacenter": "dc1", "ServiceName": "redis", "ServiceTags": [ "global", "cache" ], "ServiceAddress": "10.0.1.83", "ServicePort": 24815, "ModifyIndex": 31, …
36. None

37. Service Configuration Hierarchical Key/Value Store HTTP API Long-polling / Edge

    trigger Locking

38. T E R M I N A L $ consul

    kv put service/web/enable_foo true Put successfully! $ consul kv get service/web/enable_foo true
39. None

40. Consul Connect

41. Consul Connect Service Access Graph Certificate Distribution Application Integration

42. Service Access Graph Intentions to Allow/Deny Communication Source and Destination

    Service Scale Independent Managed with CLI, API, UI, Terraform

43. T E R M I N A L $ consul

    intention create -deny web '*' Created: web => * (deny) $ consul intention create -allow web db Created: web => db (allow)
44. None

45. Certificate Distribution Transport Layer Security (TLS) Service Identity Encryption of

    all traffic

46. Certificate Generation Automatic Generation & Rotation Server Client Certificate Signing

    Request Generate Key Pair Sign Certificate

47. Certificate Format X.509 Certificate SPIFFE Compatible

48. Certificate Authority Rotation Root Intermediary Leaf

49. Certificate Authority Rotation Root Intermediary Leaf Root Intermediary Leaf

50. Certificate Authority Rotation Root Intermediary Leaf Root Intermediary Intermediary Leaf

    Leaf

51. Application Integration Consul Client for Service Graph and Certificates Sidecar

    Proxies Native Integrations

52. Sidecar Proxy Integration No Code Modification Minimal Performance Overhead Operational

    Flexibility

53. Sidecar Proxies Client Proxy App Configure Connect Proxy Client App

    Configure Connect

54. Pluggable Proxies Client App Configure Connect Client App Configure Connect

55. { "service": "web", "connect": { "proxy": { "config": { "upstreams":

    [{ "destination_name": "redis", "local_bind_port": 1234 }] } } } } C O D E E D I T O R

56. Proxy Client App Configure Connect localhost:1234 Connect to upstream redis

57. T E R M I N A L $ consul

    connect proxy \ -service web \ -upstream postgresql:8181 $ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb >

58. Native Integration Standard TLS Negligible Performance Overhead Requires Code Modification

59. // Create a Consul API client client, _ := api.NewClient(api.DefaultConfig())

    // Create an instance representing this service. svc, _ := connect.NewService("my-service", client) defer svc.Close() // Creating an HTTP server that serves via Connect server := &http.Server{ Addr: ":8080", TLSConfig: svc.ServerTLSConfig(), // ... other standard fields } // Serve! server.ListenAndServeTLS("", "") C O D E E D I T O R

60. Consul Connect Service Access Graph. Intentions allow or deny communication

    of logical services. Certificate Distribution. Standard TLS certificates with SPIFFE compatibility. Application Integration. Native integrations or side car proxies.

61. Consul Architecture

62. Deployment Single Binary Server and Client Agents 3-5 Servers per

    Datacenter Multi-Datacenter Support

63. Consul Servers Replicated State, Automatic Failover Service Registry Service Access

    Graph Key/Value Store Multi-DC Forwarding Leader Follower Follower Replication

64. Consul Clients Expose HTTP and DNS API Transparently Forward Register

    and Monitor Services Cache Service Graph Server(s) Client

65. Cluster Awareness Lightweight Gossip (Serf) Cluster Membership Failure Detection Gossip

    Server Client Client

66. Cluster Membership Join Requires Any Peer Server Discovery Protocol Versioning

    New Server Server Client Client Server

67. Failure Detection Leaving vs Failing Automatic Reaping No Heart beating

    Failed Client Server Client Client

68. Leader Client Follower Replication RPC RPC Gossip Datacenter

69. Leader Client Follower Replication RPC RPC Gossip Datacenter Leader Client

    Follower Replication RPC RPC Gossip Datacenter RPC Gossip

70. Control Plane vs. Data Plane Consul as Control Plane Pluggable

    Proxies as Data Plane Configure Communicate Control Data Data

71. Data Path Client Proxy App Configure Connect Proxy Client App

    Configure Connect

72. Consul with Containers Consul Agent per Host DaemonSet with Kubernetes

    Proxy per Container / Pod

73. Consul Architecture Batteries Included Highly Available & Scalable Pluggable Data

    Plane

74. Conclusion

75. Common Challenges Infrastructure is means to an ends Microservices Architecture

    Operational Challenges

76. Patchwork Solutions Re-invent the wheel Long Term Maintenance Minimum Viable

    vs Maximum Utility

77. Service Mesh for Microservices Service Discovery. Connect services with a

    dynamic registry Service Configuration. Configure services with runtime configs Service Segmentation. Secure services based on identity
78. None