
Consul Connect: the Service Mesh by HashiCorp


Let's look at Consul Connect, the solution by HashiCorp to solve the communication mess in a microservices world, with security in mind.


Yves Brissaud

June 04, 2019

Transcript

  1. Consul Connect Service Mesh by HashiCorp Yves Brissaud  @_crev_

    1/39
  2. Yves Brissaud  @_crev_  eunomie Tech Lead Build Infrastructures

    and Deploy Cloud Native Applications Seamlessly | Automatically | Instantly  @sqscale  squarescale.com 2/39
  3. Service Mesh? 3/39

  4. (Where is my service?) How to handle instance changes? failures,

    updates, scale up & down ... How to secure my communications? Authentication, Authorization. How to monitor communications? 4/39
  5. Without Service Mesh: inside services, internal load balancers, firewalls 5/39

  6. https://www.consul.io/ 6/39

  7. Service Configuration, Service Discovery, Service Segmentation 7/39

  8. Easy to Use Single Binary Linux / Windows / Mac

    Containers... and more autopilot 8/39
  9. Distributed KV Store, Watches, Distributed Locks: Service Configuration 9/39

  10. Location Status: Health Checks Discovery Service Discovery 10/39

  11. API DNS (SRV records) Service Discovery 11/39

  12. # dig srv web.service.consul

    ;; ANSWER SECTION:
    web.service.consul. 0 IN SRV 1 1 3000 2310.addr.dc1.consul.
    web.service.consul. 0 IN SRV 1 1 3000 2600.addr.dc1.consul.
    web.service.consul. 0 IN SRV 1 1 3000 2010.addr.dc1.consul.

    ;; ADDITIONAL SECTION:
    2310.addr.dc1.consul. 0 IN A 10.2.49.9
    ip-10-0-6-93.node.dc1.consul. 0 IN TXT "cluster=app"
    ip-10-0-6-93.node.dc1.consul. 0 IN TXT "group=worker"
    2600.addr.dc1.consul. 0 IN A 10.2.96.3
    ip-10-0-22-143.node.dc1.consul. 0 IN TXT "group=worker"
    ip-10-0-22-143.node.dc1.consul. 0 IN TXT "consul-network-seg
    2010.addr.dc1.consul. 0 IN A 10.2.1.2
    ip-10-0-33-233.node.dc1.consul. 0 IN TXT "group=worker"
    ip-10-0-33-233.node.dc1.consul. 0 IN TXT "cluster=app" 12/39
  15. Traefik, Fabio, Envoy: Load Balancers 13/39

  16. Services already registered Health checks Consul as a Service Mesh

    14/39
  17. Consul Connect 15/39

  18. 16/39

  19. Native Integration 17/39

  20. Native Integration Or Proxy (incl. built-in) 18/39

  21. 19/39

  22. No modification needed. Services only need to talk to

    the proxy 20/39
  23. Network Namespaces Nomad 21/39

  24.  Work is currently underway to support shared network namespaces

    between tasks. This is the foundation to support deeper Consul Connect integration coming in 0.10! - github.com/hashicorp/nomad/issues/4451 22/39
  25. Security 23/39

  26. AutoTLS, Mutual TLS, Built-in CA inside Consul, Certificate Rotation,

    Vault 24/39
  27. Intentions Secure Access Graph ACLs between services 25/39

  28. 26/39

  29. Observability Monitoring of Proxies 27/39

  30. StatsD DogStatsD Prometheus 28/39

  31. L4 Observability downstream (incoming) upstream (outgoing) http, tcp metrics (throughput,

    connections, etc) request time ... 29/39
  32. 30/39

  33. L7 Observability Consul 1.5+ (May 15, 2019) Envoy as sidecar

    31/39
  34. Protocol: HTTP, gRPC Methods used HTTP Status Code by family

    2xx 3xx 4xx 5xx 32/39
  35. 33/39

  36. 34/39

  37. What's next? 35/39

  38. HTTP Path-Based Routing 36/39

  39. Traffic Shifting 37/39

  40. consul.io learn.hashicorp.com/consul instruqt.com/hashicorp 38/39

  41. Consul Connect Service Mesh by HashiCorp Yves Brissaud  @_crev_

    39/39
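As an added example (not code from the talk, and not Consul's own), a small Python parser for the `dig srv web.service.consul` output shown on slide 12: it joins each SRV target to its A record and to the node's TXT metadata, orders the endpoints by SRV priority and weight, and flags the TTL of 0, which tells a client not to cache the answer so that an instance that fails its health check is gone from the next lookup. The sample response is constructed from the records visible on that slide (the TXT record cut off at the slide edge is omitted). Attributing TXT metadata to the A record that precedes it follows the slide's ordering and is an assumption, as are all function and field names here.

```python
"""Resolve a Consul service from dig-style SRV output (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the records visible on the `dig srv web.service.consul`
# slide, minus the TXT record that is truncated at the slide edge.
DIG_OUTPUT = """\
;; ANSWER SECTION:
web.service.consul.             0 IN SRV 1 1 3000 2310.addr.dc1.consul.
web.service.consul.             0 IN SRV 1 1 3000 2600.addr.dc1.consul.
web.service.consul.             0 IN SRV 1 1 3000 2010.addr.dc1.consul.

;; ADDITIONAL SECTION:
2310.addr.dc1.consul.           0 IN A   10.2.49.9
ip-10-0-6-93.node.dc1.consul.   0 IN TXT "cluster=app"
ip-10-0-6-93.node.dc1.consul.   0 IN TXT "group=worker"
2600.addr.dc1.consul.           0 IN A   10.2.96.3
ip-10-0-22-143.node.dc1.consul. 0 IN TXT "group=worker"
2010.addr.dc1.consul.           0 IN A   10.2.1.2
ip-10-0-33-233.node.dc1.consul. 0 IN TXT "group=worker"
ip-10-0-33-233.node.dc1.consul. 0 IN TXT "cluster=app"
"""

# One resource record per line: name, TTL, class IN, type, rdata.
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(SRV|A|TXT)\s+(.+)$")


@dataclass
class Endpoint:
    target: str                  # SRV target, e.g. 2310.addr.dc1.consul.
    port: int
    priority: int
    weight: int
    ttl: int
    ip: Optional[str] = None     # None when no A record came back for the target
    node: Optional[str] = None   # node whose TXT metadata followed the A record
    meta: Dict[str, str] = field(default_factory=dict)


def parse_dig(text: str) -> List[Endpoint]:
    """Parse answer + additional sections into endpoints, RFC 2782 ordered."""
    endpoints: List[Endpoint] = []
    a_records: Dict[str, str] = {}
    node_meta: Dict[str, Dict[str, str]] = {}
    target_to_node: Dict[str, str] = {}
    last_target: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or dig comment line
            continue
        m = RR.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        if rtype == "SRV":
            prio, weight, port, target = rdata.split()
            endpoints.append(Endpoint(target=target, port=int(port),
                                      priority=int(prio), weight=int(weight),
                                      ttl=int(ttl)))
        elif rtype == "A":
            a_records[name] = rdata.strip()
            last_target = name
        elif rtype == "TXT":
            # Assumption (matches the slide's ordering): a node's TXT metadata
            # is listed directly after the A record of that node's address.
            key, _, value = rdata.strip().strip('"').partition("=")
            node_meta.setdefault(name, {})[key] = value
            if last_target is not None:
                target_to_node.setdefault(last_target, name)
    for ep in endpoints:
        ep.ip = a_records.get(ep.target)
        node = target_to_node.get(ep.target)
        if node:
            ep.node = node
            ep.meta = node_meta.get(node, {})
    # Lowest priority first, then higher weight first (stable for equal keys).
    endpoints.sort(key=lambda e: (e.priority, -e.weight))
    return endpoints


def healthy_addresses(endpoints: List[Endpoint]):
    """(ip, port) pairs for the targets that actually resolved to an address."""
    return [(e.ip, e.port) for e in endpoints if e.ip]


def cacheable(endpoints: List[Endpoint]) -> bool:
    """False when any record carries TTL 0 (Consul's default): the client must
    re-query instead of reusing an answer that may list a failed instance."""
    return all(e.ttl > 0 for e in endpoints)


if __name__ == "__main__":
    for ep in parse_dig(DIG_OUTPUT):
        print(ep.ip, ep.port, ep.meta)
```

The A records are what a client needs; the TXT records carry node metadata only and nothing in this answer authenticates the instance, which is the gap the mTLS and intentions slides later address. A target that appears in the answer section without an A record is kept with `ip` set to `None` rather than dropped silently, so the caller can decide whether to issue a follow-up lookup.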