
Consul Connect: the Service Mesh by HashiCorp

Let's look at Consul Connect, HashiCorp's solution to the communication mess of a microservices world, designed with security in mind.

Yves Brissaud

June 04, 2019

Transcript

  1. Consul Connect
    Service Mesh by HashiCorp
    Yves Brissaud
     @_crev_
    1/39

  2. Yves Brissaud
     @_crev_
     eunomie
    Tech Lead
    Build Infrastructures and
    Deploy Cloud Native Applications
    Seamlessly | Automatically | Instantly
     @sqscale
     squarescale.com
    2/39

  3. Service Mesh?
    3/39

  4. (Where is my service?)
    How to handle instance changes?
    failures
    updates
    scale up & down
    ...
    How to secure my communications?
    Authentication
    Authorization
    How to monitor communications?
    4/39

  5. Without Service Mesh
    inside services
    internal load balancers
    firewalls
    5/39

  6. https://www.consul.io/
    6/39

  7. Service Configuration
    Service Discovery
    Service Segmentation
    7/39

  8. Easy to Use
    Single Binary
    Linux / Windows / Mac
    Containers... and more
    autopilot
    8/39

  9. Service Configuration
    Distributed KV Store
    Watches
    Distributed Locks
    9/39

  10. Service Discovery
    Location
    Status: Health Checks
    Discovery
    10/39

  11. Service Discovery
    API
    DNS (SRV records)
    11/39

  12. # dig srv web.service.consul
    ;; ANSWER SECTION:
    web.service.consul. 0 IN SRV 1 1 3000 2310.addr.dc1.consul.
    web.service.consul. 0 IN SRV 1 1 3000 2600.addr.dc1.consul.
    web.service.consul. 0 IN SRV 1 1 3000 2010.addr.dc1.consul.
    ;; ADDITIONAL SECTION:
    2310.addr.dc1.consul. 0 IN A 10.2.49.9
    ip-10-0-6-93.node.dc1.consul. 0 IN TXT "cluster=app"
    ip-10-0-6-93.node.dc1.consul. 0 IN TXT "group=worker"
    2600.addr.dc1.consul. 0 IN A 10.2.96.3
    ip-10-0-22-143.node.dc1.consul. 0 IN TXT "group=worker"
    ip-10-0-22-143.node.dc1.consul. 0 IN TXT "consul-network-seg
    2010.addr.dc1.consul. 0 IN A 10.2.1.2
    ip-10-0-33-233.node.dc1.consul. 0 IN TXT "group=worker"
    ip-10-0-33-233.node.dc1.consul. 0 IN TXT "cluster=app"
    12/39

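As an added example (not part of the deck), a small Python resolver that parses the `dig srv` output shown on the slide and joins each SRV target with the A record Consul returns in the ADDITIONAL section; the sample text is constructed after the slide, with made-up addresses.

```python
"""Parse `dig srv web.service.consul` output and join SRV targets with the A
records in the ADDITIONAL section. Added example, not from the slides; the
SAMPLE below is constructed after the slide, with made-up addresses."""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = """\
;; ANSWER SECTION:
web.service.consul. 0 IN SRV 1 1 3000 2310.addr.dc1.consul.
web.service.consul. 0 IN SRV 2 1 3000 2600.addr.dc1.consul.
web.service.consul. 0 IN SRV 1 1 3000 2010.addr.dc1.consul.

;; ADDITIONAL SECTION:
2310.addr.dc1.consul. 0 IN A 10.2.49.9
ip-10-0-6-93.node.dc1.consul. 0 IN TXT "cluster=app"
2600.addr.dc1.consul. 0 IN A 10.2.96.3
ip-10-0-22-143.node.dc1.consul. 0 IN TXT "group=worker"
"""


@dataclass(frozen=True)
class Endpoint:
    target: str
    priority: int
    weight: int
    port: int
    ip: Optional[str]  # None when no A record came back for the target


def parse_dig_srv(text: str) -> List[Endpoint]:
    """Endpoints sorted by SRV priority (lower is preferred, RFC 2782)."""
    srv, addrs = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and dig's ';;' section headers
        fields = line.split(None, 4)  # name ttl class type rdata
        if len(fields) < 5:
            continue
        name, _ttl, _cls, rtype, rdata = fields
        if rtype == "SRV":
            prio, weight, port, target = rdata.split()
            srv.append((int(prio), int(weight), int(port), target))
        elif rtype == "A":
            addrs[name] = rdata
        # TXT lines carry node metadata (cluster=app, ...); unused here
    eps = [Endpoint(t, p, w, port, addrs.get(t)) for p, w, port, t in srv]
    return sorted(eps, key=lambda e: e.priority)


def connectable(text: str) -> List[str]:
    return [f"{e.ip}:{e.port}" for e in parse_dig_srv(text) if e.ip]
```

A target that appears in the SRV answer but has no A record (the third one in the sample) is kept with `ip=None` so the caller can see the gap rather than silently losing an instance.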
  15. Load Balancers
    Traefik
    Fabio
    Envoy
    13/39

  16. Consul as a Service Mesh
    Services already registered
    Health checks
    14/39

  17. Consul Connect
    15/39

  18. 16/39

  19. Native Integration
    17/39

  20. Native Integration
    Or
    Proxy (incl. built-in)
    18/39

  21. 19/39

  22. No modification needed
    Services only need to talk to the proxy
    20/39

  23. Network Namespaces
    Nomad
    21/39

  24. "Work is currently underway to support shared network namespaces between tasks. This is the foundation to support deeper Consul Connect integration coming in 0.10!"
    - github.com/hashicorp/nomad/issues/4451
    22/39

  25. Security
    23/39

  26. AutoTLS
    Mutual TLS
    Built-in CA inside Consul
    Certificate Rotation
    Vault
    24/39

  27. Intentions
    Secure Access Graph
    ACLs between services
    25/39

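As an added illustration of intentions acting as ACLs between services (example code, not Consul's own), a deny-by-default evaluator that models the documented match order, where an exact service name beats a wildcard and the source side is weighed before the destination side; the policy and service names are constructed.

```python
"""Evaluate Consul Connect intentions (added example, not Consul's code).

An intention says whether a *source* service may connect to a *destination*.
This models the documented match order: exact/exact beats exact/*, which
beats */exact, which beats */*; when nothing matches, a deny-by-default
fallback applies. Service names and the policy below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Intention:
    source: str       # service name, or "*" for any service
    destination: str  # service name, or "*" for any service
    action: str       # "allow" or "deny"


def precedence(i: Intention) -> int:
    """Higher wins. The values only order the four exact/wildcard cases."""
    exact_src, exact_dst = i.source != "*", i.destination != "*"
    return {(True, True): 9, (True, False): 8,
            (False, True): 6, (False, False): 5}[(exact_src, exact_dst)]


def matching(intentions: List[Intention], src: str, dst: str) -> Optional[Intention]:
    """The single most specific intention covering src -> dst, if any."""
    hits = [i for i in intentions
            if i.source in ("*", src) and i.destination in ("*", dst)]
    return max(hits, key=precedence) if hits else None


def is_allowed(intentions: List[Intention], src: str, dst: str,
               default_allow: bool = False) -> bool:
    """Connect decision for one source -> destination pair."""
    best = matching(intentions, src, dst)
    return default_allow if best is None else best.action == "allow"


# Constructed policy: deny everything, then open only the paths we need.
POLICY = [
    Intention("*", "*", "deny"),
    Intention("web", "db", "allow"),   # the one legitimate path to the DB
    Intention("api", "*", "allow"),    # api may call anything...
    Intention("api", "db", "deny"),    # ...except the DB (exact/exact wins)
]


def audit(intentions: List[Intention], attempts: List[Tuple[str, str]]) -> List[str]:
    """Label a batch of observed (src, dst) connection attempts."""
    return [f"{s}->{d}: {'allow' if is_allowed(intentions, s, d) else 'deny'}"
            for s, d in attempts]
```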
  28. 26/39

  29. Observability
    Monitoring of Proxies
    27/39

  30. StatsD
    DogStatsD
    Prometheus
    28/39

  31. L4 Observability
    downstream (incoming)
    upstream (outgoing)
    http, tcp metrics (throughput, connections, etc.)
    request time
    ...
    29/39

  32. 30/39

  33. L7 Observability
    Consul 1.5+ (May 15, 2019)
    Envoy as sidecar
    31/39

  34. Protocol: HTTP, gRPC
    Methods used
    HTTP Status Code by family
    2xx
    3xx
    4xx
    5xx
    32/39

  35. 33/39

  36. 34/39

  37. What's next?
    35/39

  38. HTTP Path-Based Routing
    36/39

  39. Traffic Shifting
    37/39

  40. consul.io
    learn.hashicorp.com/consul
    instruqt.com/hashicorp
    38/39

  41. Consul Connect
    Service Mesh by HashiCorp
    Yves Brissaud
     @_crev_
    39/39
