$30 off During Our Annual Pro Sale. View Details »

Consul: Service Mesh for Microservices

Consul: Service Mesh for Microservices

Modern application architectures are embracing public clouds, microservices, and container schedulers like Kubernetes and Nomad. These bring complex service-to-service communication patterns, increased scale, dynamic IP addresses, ephemeral infrastructure, and higher failure rates. These changes require a new approach for service discovery, configuration, and segmentation. Service discovery enables services to find and communicate with each other. Service configuration allows us to dynamically configure applications at runtime. Service segmentations lets us secure our microservices architectures by limiting access. In this talk, we cover these challenges and how to solve them with Consul providing as a service mesh.

Armon Dadgar

October 03, 2018
Tweet

More Decks by Armon Dadgar

Other Decks in Technology

Transcript

  1. Service Mesh for Microservices

    View Slide

  2. Armon Dadgar
    Founder and CTO
    @armon

    View Slide

  3. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE
    Nomad Consul
    Vault
    Vagrant Packer Terraform
    Consul Enterprise
    Terraform Enterprise
    Vault Enterprise
    PRODUCT SUITE
    OSS TOOL SUITE
    RUN
    Applications
    SECURE
    Application Infrastructure
    PROVISION
    Infrastructure
    FOR INDIVIDUALS FOR TEAMS
    Nomad Enterprise

    View Slide

  4. Service Mesh for Microservices

    View Slide

  5. A B
    C D
    Monolith

    View Slide

  6. Monolith
    A B
    C D

    View Slide

  7. Monolith
    A B
    C D
    Static IP

    View Slide

  8. Monolith
    LB
    A B
    C D
    Static IP

    View Slide

  9. Zone Firewall
    DMZ Firewall
    Monolith
    A B
    C D
    Static IP
    LB

    View Slide

  10. What Changed?

    View Slide

  11. A B
    C D
    Monolith

    View Slide

  12. Microservices
    A B
    C D

    View Slide

  13. Microservices
    A B
    C D
    ?

    View Slide

  14. B
    B
    Microservices
    A B
    C D
    ?

    View Slide

  15. Microservices
    B
    B
    A B
    C D
    LB

    View Slide

  16. Operating in the Cloud + Containers
    Dynamic IP Addresses
    Higher Failure Rate
    Ephemeral Infrastructure
    Complex Network Topology

    View Slide

  17. Service Discovery

    View Slide

  18. Service Registry
    Register
    B
    B
    A B

    View Slide

  19. Service Registry
    Discover
    B
    B
    A B

    View Slide

  20. Service Registry
    Connect
    B
    B
    A B

    View Slide

  21. Service Registry
    Connect
    B
    B
    Attacker B

    View Slide

  22. Service Segmentation

    View Slide

  23. Defining Segmentation
    Splitting network into sub-networks
    Restricting communication between sub-networks
    Virtual LAN, Firewalls, Software Defined Networks
    Coarse Grained, Many Services
    Segment
    A
    Segment
    B
    Network

    View Slide

  24. Zone Firewall
    DMZ Firewall
    Monolith
    A B
    C D
    Static IP
    LB

    View Slide

  25. Microservices
    A B
    C D

    View Slide

  26. View Slide

  27. A -> B
    C -> D
    D -> C
    A B
    C D

    View Slide

  28. B -> D
    A -> C
    A B
    C D

    View Slide

  29. View Slide

  30. Service Mesh for Microservices
    Service Discovery. Connect services with a dynamic registry
    Service Configuration. Configure services with runtime configs
    Service Segmentation. Secure services based on identity

    View Slide

  31. Consul Usage
    Launched in 2014
    12K+ GitHub Stars
    1M+ Downloads monthly
    Customers running 50,000+ agents

    View Slide

  32. Public Users

    View Slide

  33. Service Discovery
    Registry of Nodes, Services, Checks
    DNS API
    HTTP API
    Web UI

    View Slide

  34. T E R M I N A L
    $ dig redis.service.consul
    ; <<>> DiG 9.8.3-P1 <<>> redis.service.consul
    ; (3 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
    9046
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY:
    0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    ;; QUESTION SECTION:
    ;redis.service.consul.IN A
    ;; ANSWER SECTION:
    redis.service.consul. 0 IN A 10.1.10.38

    View Slide

  35. T E R M I N A L
    $ curl http://localhost:8500/v1/catalog/service/redis
    [
    {
    "ID": "52f73400-a352-80d2-9624-e70cc9996762",
    "Node": "consul-client-2",
    "Address": "10.0.1.83",
    "Datacenter": "dc1",
    "ServiceName": "redis",
    "ServiceTags": [
    "global",
    "cache"
    ],
    "ServiceAddress": "10.0.1.83",
    "ServicePort": 24815,
    "ModifyIndex": 31,

    View Slide

  36. View Slide

  37. Service Configuration
    Hierarchical Key/Value Store
    HTTP API
    Long-polling / Edge trigger
    Locking

    View Slide

  38. T E R M I N A L
    $ consul kv put service/web/enable_foo true
    Put successfully!
    $ consul kv get service/web/enable_foo
    true

    View Slide

  39. View Slide

  40. Consul Connect

    View Slide

  41. Consul Connect
    Service Access Graph
    Certificate Distribution
    Application Integration

    View Slide

  42. Service Access Graph
    Intentions to Allow/Deny Communication
    Source and Destination Service
    Scale Independent
    Managed with CLI, API, UI, Terraform

    View Slide

  43. T E R M I N A L
    $ consul intention create -deny web '*'
    Created: web => * (deny)
    $ consul intention create -allow web db
    Created: web => db (allow)

    View Slide

  44. View Slide

  45. Certificate Distribution
    Transport Layer Security (TLS)
    Service Identity
    Encryption of all traffic

    View Slide

  46. Certificate Generation
    Automatic Generation & Rotation
    Server
    Client
    Certificate
    Signing Request
    Generate
    Key Pair
    Sign Certificate

    View Slide

  47. Certificate Format
    X.509 Certificate
    SPIFFE Compatible

    View Slide

  48. Certificate Authority Rotation
    Root
    Intermediary
    Leaf

    View Slide

  49. Certificate Authority Rotation
    Root
    Intermediary
    Leaf
    Root
    Intermediary
    Leaf

    View Slide

  50. Certificate Authority Rotation
    Root
    Intermediary
    Leaf
    Root
    Intermediary Intermediary
    Leaf Leaf

    View Slide

  51. Application Integration
    Consul Client for Service Graph and Certificates
    Sidecar Proxies
    Native Integrations

    View Slide

  52. Sidecar Proxy Integration
    No Code Modification
    Minimal Performance Overhead
    Operational Flexibility

    View Slide

  53. Sidecar Proxies
    Client
    Proxy
    App
    Configure
    Connect
    Proxy
    Client
    App
    Configure
    Connect

    View Slide

  54. Pluggable Proxies
    Client
    App
    Configure
    Connect
    Client
    App
    Configure
    Connect

    View Slide

  55. {
    "service": "web",
    "connect": {
    "proxy": {
    "config": {
    "upstreams": [{
    "destination_name": "redis",
    "local_bind_port": 1234
    }]
    }
    }
    }
    }
    C O D E E D I T O R

    View Slide

  56. Proxy
    Client
    App
    Configure
    Connect localhost:1234
    Connect to
    upstream redis

    View Slide

  57. T E R M I N A L
    $ consul connect proxy \
    -service web \
    -upstream postgresql:8181
    $ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
    >

    View Slide

  58. Native Integration
    Standard TLS
    Negligible Performance Overhead
    Requires Code Modification

    View Slide

  59. // Create a Consul API client
    client, _ := api.NewClient(api.DefaultConfig())
    // Create an instance representing this service.
    svc, _ := connect.NewService("my-service", client)
    defer svc.Close()
    // Creating an HTTP server that serves via Connect
    server := &http.Server{
    Addr: ":8080",
    TLSConfig: svc.ServerTLSConfig(),
    // ... other standard fields
    }
    // Serve!
    server.ListenAndServeTLS("", "")
    C O D E E D I T O R

    View Slide

  60. Consul Connect
    Service Access Graph. Intentions allow or deny communication of
    logical services.
    Certificate Distribution. Standard TLS certificates with SPIFFE
    compatibility.
    Application Integration. Native integrations or side car proxies.

    View Slide

  61. Consul Architecture

    View Slide

  62. Deployment
    Single Binary
    Server and Client Agents
    3-5 Servers per Datacenter
    Multi-Datacenter Support

    View Slide

  63. Consul Servers
    Replicated State, Automatic Failover
    Service Registry
    Service Access Graph
    Key/Value Store
    Multi-DC Forwarding
    Leader
    Follower
    Follower
    Replication

    View Slide

  64. Consul Clients
    Expose HTTP and DNS API
    Transparently Forward
    Register and Monitor Services
    Cache Service Graph
    Server(s)
    Client

    View Slide

  65. Cluster Awareness
    Lightweight Gossip (Serf)
    Cluster Membership
    Failure Detection Gossip
    Server
    Client Client

    View Slide

  66. Cluster Membership
    Join Requires Any Peer
    Server Discovery
    Protocol Versioning New Server
    Server
    Client Client
    Server

    View Slide

  67. Failure Detection
    Leaving vs Failing
    Automatic Reaping
    No Heart beating Failed Client
    Server
    Client Client

    View Slide

  68. Leader
    Client
    Follower
    Replication
    RPC
    RPC
    Gossip
    Datacenter

    View Slide

  69. Leader
    Client
    Follower
    Replication
    RPC
    RPC
    Gossip
    Datacenter
    Leader
    Client
    Follower
    Replication
    RPC
    RPC
    Gossip
    Datacenter
    RPC
    Gossip

    View Slide

  70. Control Plane vs. Data Plane
    Consul as Control Plane
    Pluggable Proxies as Data Plane
    Configure
    Communicate
    Control
    Data Data

    View Slide

  71. Data Path
    Client
    Proxy
    App
    Configure
    Connect
    Proxy
    Client
    App
    Configure
    Connect

    View Slide

  72. Consul with Containers
    Consul Agent per Host
    DaemonSet with Kubernetes
    Proxy per Container / Pod

    View Slide

  73. Consul Architecture
    Batteries Included
    Highly Available & Scalable
    Pluggable Data Plane

    View Slide

  74. Conclusion

    View Slide

  75. Common Challenges
    Infrastructure is means to an ends
    Microservices Architecture
    Operational Challenges

    View Slide

  76. Patchwork Solutions
    Re-invent the wheel
    Long Term Maintenance
    Minimum Viable vs Maximum Utility

    View Slide

  77. Service Mesh for Microservices
    Service Discovery. Connect services with a dynamic registry
    Service Configuration. Configure services with runtime configs
    Service Segmentation. Secure services based on identity

    View Slide

  78. View Slide