Consul: Service Mesh for Microservices

Consul: Service Mesh for Microservices

Modern application architectures are embracing public clouds, microservices, and container schedulers like Kubernetes and Nomad. These bring complex service-to-service communication patterns, increased scale, dynamic IP addresses, ephemeral infrastructure, and higher failure rates. These changes require a new approach for service discovery, configuration, and segmentation. Service discovery enables services to find and communicate with each other. Service configuration allows us to dynamically configure applications at runtime. Service segmentations lets us secure our microservices architectures by limiting access. In this talk, we cover these challenges and how to solve them with Consul providing as a service mesh.

11ba9630c9136eef9a70d26473d355d5?s=128

Armon Dadgar

October 03, 2018
Tweet

Transcript

  1. Service Mesh for Microservices

  2. Armon Dadgar Founder and CTO @armon

  3. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE Nomad Consul Vault Vagrant

    Packer Terraform Consul Enterprise Terraform Enterprise Vault Enterprise PRODUCT SUITE OSS TOOL SUITE RUN Applications SECURE Application Infrastructure PROVISION Infrastructure FOR INDIVIDUALS FOR TEAMS Nomad Enterprise
  4. Service Mesh for Microservices

  5. A B C D Monolith

  6. Monolith A B C D

  7. Monolith A B C D Static IP

  8. Monolith LB A B C D Static IP

  9. Zone Firewall DMZ Firewall Monolith A B C D Static

    IP LB
  10. What Changed?

  11. A B C D Monolith

  12. Microservices A B C D

  13. Microservices A B C D ?

  14. B B Microservices A B C D ?

  15. Microservices B B A B C D LB

  16. Operating in the Cloud + Containers Dynamic IP Addresses Higher

    Failure Rate Ephemeral Infrastructure Complex Network Topology
  17. Service Discovery

  18. Service Registry Register B B A B

  19. Service Registry Discover B B A B

  20. Service Registry Connect B B A B

  21. Service Registry Connect B B Attacker B

  22. Service Segmentation

  23. Defining Segmentation Splitting network into sub-networks Restricting communication between sub-networks

    Virtual LAN, Firewalls, Software Defined Networks Coarse Grained, Many Services Segment A Segment B Network
  24. Zone Firewall DMZ Firewall Monolith A B C D Static

    IP LB
  25. Microservices A B C D

  26. None
  27. A -> B C -> D D -> C A

    B C D
  28. B -> D A -> C A B C D

  29. None
  30. Service Mesh for Microservices Service Discovery. Connect services with a

    dynamic registry Service Configuration. Configure services with runtime configs Service Segmentation. Secure services based on identity
  31. Consul Usage Launched in 2014 12K+ GitHub Stars 1M+ Downloads

    monthly Customers running 50,000+ agents
  32. Public Users

  33. Service Discovery Registry of Nodes, Services, Checks DNS API HTTP

    API Web UI
  34. T E R M I N A L $ dig

    redis.service.consul ; <<>> DiG 9.8.3-P1 <<>> redis.service.consul ; (3 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9046 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;redis.service.consul.IN A ;; ANSWER SECTION: redis.service.consul. 0 IN A 10.1.10.38
  35. T E R M I N A L $ curl

    http://localhost:8500/v1/catalog/service/redis [ { "ID": "52f73400-a352-80d2-9624-e70cc9996762", "Node": "consul-client-2", "Address": "10.0.1.83", "Datacenter": "dc1", "ServiceName": "redis", "ServiceTags": [ "global", "cache" ], "ServiceAddress": "10.0.1.83", "ServicePort": 24815, "ModifyIndex": 31, …
  36. None
  37. Service Configuration Hierarchical Key/Value Store HTTP API Long-polling / Edge

    trigger Locking
  38. T E R M I N A L $ consul

    kv put service/web/enable_foo true Put successfully! $ consul kv get service/web/enable_foo true
  39. None
  40. Consul Connect

  41. Consul Connect Service Access Graph Certificate Distribution Application Integration

  42. Service Access Graph Intentions to Allow/Deny Communication Source and Destination

    Service Scale Independent Managed with CLI, API, UI, Terraform
  43. T E R M I N A L $ consul

    intention create -deny web '*' Created: web => * (deny) $ consul intention create -allow web db Created: web => db (allow)
  44. None
  45. Certificate Distribution Transport Layer Security (TLS) Service Identity Encryption of

    all traffic
  46. Certificate Generation Automatic Generation & Rotation Server Client Certificate Signing

    Request Generate Key Pair Sign Certificate
  47. Certificate Format X.509 Certificate SPIFFE Compatible

  48. Certificate Authority Rotation Root Intermediary Leaf

  49. Certificate Authority Rotation Root Intermediary Leaf Root Intermediary Leaf

  50. Certificate Authority Rotation Root Intermediary Leaf Root Intermediary Intermediary Leaf

    Leaf
  51. Application Integration Consul Client for Service Graph and Certificates Sidecar

    Proxies Native Integrations
  52. Sidecar Proxy Integration No Code Modification Minimal Performance Overhead Operational

    Flexibility
  53. Sidecar Proxies Client Proxy App Configure Connect Proxy Client App

    Configure Connect
  54. Pluggable Proxies Client App Configure Connect Client App Configure Connect

  55. { "service": "web", "connect": { "proxy": { "config": { "upstreams":

    [{ "destination_name": "redis", "local_bind_port": 1234 }] } } } } C O D E E D I T O R
  56. Proxy Client App Configure Connect localhost:1234 Connect to upstream redis

  57. T E R M I N A L $ consul

    connect proxy \ -service web \ -upstream postgresql:8181 $ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb >
  58. Native Integration Standard TLS Negligible Performance Overhead Requires Code Modification

  59. // Create a Consul API client client, _ := api.NewClient(api.DefaultConfig())

    // Create an instance representing this service. svc, _ := connect.NewService("my-service", client) defer svc.Close() // Creating an HTTP server that serves via Connect server := &http.Server{ Addr: ":8080", TLSConfig: svc.ServerTLSConfig(), // ... other standard fields } // Serve! server.ListenAndServeTLS("", "") C O D E E D I T O R
  60. Consul Connect Service Access Graph. Intentions allow or deny communication

    of logical services. Certificate Distribution. Standard TLS certificates with SPIFFE compatibility. Application Integration. Native integrations or side car proxies.
  61. Consul Architecture

  62. Deployment Single Binary Server and Client Agents 3-5 Servers per

    Datacenter Multi-Datacenter Support
  63. Consul Servers Replicated State, Automatic Failover Service Registry Service Access

    Graph Key/Value Store Multi-DC Forwarding Leader Follower Follower Replication
  64. Consul Clients Expose HTTP and DNS API Transparently Forward Register

    and Monitor Services Cache Service Graph Server(s) Client
  65. Cluster Awareness Lightweight Gossip (Serf) Cluster Membership Failure Detection Gossip

    Server Client Client
  66. Cluster Membership Join Requires Any Peer Server Discovery Protocol Versioning

    New Server Server Client Client Server
  67. Failure Detection Leaving vs Failing Automatic Reaping No Heart beating

    Failed Client Server Client Client
  68. Leader Client Follower Replication RPC RPC Gossip Datacenter

  69. Leader Client Follower Replication RPC RPC Gossip Datacenter Leader Client

    Follower Replication RPC RPC Gossip Datacenter RPC Gossip
  70. Control Plane vs. Data Plane Consul as Control Plane Pluggable

    Proxies as Data Plane Configure Communicate Control Data Data
  71. Data Path Client Proxy App Configure Connect Proxy Client App

    Configure Connect
  72. Consul with Containers Consul Agent per Host DaemonSet with Kubernetes

    Proxy per Container / Pod
  73. Consul Architecture Batteries Included Highly Available & Scalable Pluggable Data

    Plane
  74. Conclusion

  75. Common Challenges Infrastructure is means to an ends Microservices Architecture

    Operational Challenges
  76. Patchwork Solutions Re-invent the wheel Long Term Maintenance Minimum Viable

    vs Maximum Utility
  77. Service Mesh for Microservices Service Discovery. Connect services with a

    dynamic registry Service Configuration. Configure services with runtime configs Service Segmentation. Secure services based on identity
  78. None