Upgrade to Pro — share decks privately, control downloads, hide ads and more …

J-Fall 2019: What's a service mesh and why do i...

J-Fall 2019: What's a service mesh and why do i need one?

You’ve been creating this cloud-native microservice based architecture. Continuous delivery pipelines, cloud-based deployments, and Kubernetes managed Docker containers. You are ready to scale beyond your wildest dreams. Now, while taking a step back, you notice that your services contain more than just the business logic you intended to write. Proper communication is key in a distributed system, but do you really need these extra libraries that increase the size of your microservice? Should the responsibility for reliable communication live within your application or can this be abstracted to a higher level? In this session, we will look at the concept of a Services Mesh and how it helps you put the responsibilities at the right layer. After this presentation you might have an answer to the question if you really need a service mesh.

Jeroen Reijn

October 31, 2019
Tweet

More Decks by Jeroen Reijn

Other Decks in Programming

Transcript

  1. About me: • (Java) Programmer and architect • Big fan

    of the DevOps culture • Enjoys building cloud native solutions • Community member and emeritus committer at Apache Jeroen Reijn @jreijn /jeroenreijn
  2. The evolution of networking Computer B Computer A Service A

    Service B Networking Stack Networking Stack Business Logic Business Logic
  3. The evolution of networking Computer B Computer A Service A

    Service B Networking Stack Networking Stack Business Logic Flow control Business Logic Flow control
  4. The evolution of networking Computer B Computer A Networking Stack

    Service A Service B Networking Stack Business Logic Flow control Business Logic Flow control
  5. The 8 Fallacies of Distributed Computing 1. The network is

    reliable 2. Latency is zero 3. Bandwidth is infinite 4. The network is secure 5. Topology doesn’t change 6. There is one administrator 7. Transport cost is zero 8. The network is homogeneous Composed by Peter Deutsch and his fellow engineers at Sun Microsystems
  6. Critical functions for microservices Fast, reliable & safe microservices microservice

    microservice microservice Routing Dynamic discovery Load balancing Resiliency Circuit breaking Retries Rate limiting Observability Metrics Logging Tracing Security Policy Enforcement
  7. Routing - Service discovery Registry client Registry client Registry client

    Registry client Registry client Registry client Registry client Registry client Registry client Registry Registry client Registry client Service A Service B Service C Service D Service D Service A Service A Service C Service C Service B Service B Service D Registry-aware HTTP client Service Registry
  8. The Circuit Breaker pattern “A service client should invoke a

    remote service via a ‘proxy’ that functions in a similar fashion to an electrical circuit breaker” https://microservices.io/patterns/reliability/circuit-breaker.html
  9. Circuit breaker Half Open Failure threshold exceeded Set breaker Failure

    threshold exceeded Set breaker Try reset after timeout Success Reset breaker Open Closed Success Fail (under threshold)
  10. Computer B The evolution of networking Computer A Service A

    Service B Networking Stack Networking Stack Business Logic Flow control Flow control Circuit Breaker Service Discovery Business Logic Circuit Breaker Service Discovery Logs, metrics, traces Security Logs, metrics, traces Security
  11. Computer B The evolution of networking Computer A Service A

    Service B Networking Stack Networking Stack Business Logic Flow control Flow control ??? ??? Circuit Breaker Service Discovery Business Logic Circuit Breaker Service Discovery Logs, metrics, traces Security Logs, metrics, traces Security
  12. Computer B The evolution of networking Computer A Service A

    Service B Networking Stack Networking Stack Business Logic Flow control Flow control Library Library Circuit Breaker Service Discovery Business Logic Circuit Breaker Service Discovery Logs, metrics, traces Security Logs, metrics, traces Security
  13. Drawbacks of libraries • Glue linking the libraries: expensive •

    Limiting tools, runtimes, languages • Versioning hell • Teams should not forget to add them
  14. Computer B The evolution of networking Computer A Service A

    Service B Networking Stack Networking Stack Business Logic Flow control Flow control Library Library Circuit Breaker Service Discovery Business Logic Circuit Breaker Service Discovery Logs, metrics, traces Security Logs, metrics, traces Security
  15. Computer B Service B The evolution of networking Computer A

    Service A Service B Networking Stack Service A Networking Stack Business Logic Flow control Library ??? Flow control Library ??? Circuit Breaker Service Discovery Business Logic Circuit Breaker Service Discovery Logs, metrics, traces Security Logs, metrics, traces Security
  16. Computer B Service B The evolution of networking Computer A

    Networking Stack Service A Networking Stack Business Logic Flow control ??? Circuit Breaker Service Discovery Logs, metrics, traces Security Proxy Flow control ??? Circuit Breaker Service Discovery Logs, metrics, traces Security Proxy Business Logic
  17. OSI Model Level 7 Application: Spring, Vertx, WFSwarm Level 6

    Presentation: Json, XML Level 5 Session: Http 1/2, GRPC Level 4 Transport: TCP Level 1-3 Network (IP) / Data link / Physical From here To here
  18. Computer B Service B The evolution of networking Computer A

    Networking Stack Service A Networking Stack Business Logic Flow control Proxy Proxy Circuit Breaker Service Discovery Logs, metrics, traces Security Flow control Proxy Proxy Circuit Breaker Service Discovery Logs, metrics, traces Security Business Logic
  19. Computer B Service D First generation service mesh Computer A

    Service A Proxy Proxy Service B Service C
  20. Second generation service mesh - Pods and sidecars • Container

    platforms • Kubernetes • Mesos Node Pod Pod Container Proxy Container Proxy
  21. Computer B Service B The evolution of networking Computer A

    Networking Stack Service A Networking Stack Business Logic Flow control Proxy Sidecar Proxy Circuit Breaker Service Discovery Logs, metrics, traces Security Flow control Proxy Sidecar Proxy Circuit Breaker Service Discovery Logs, metrics, traces Security Business Logic
  22. Controlling the service mesh Computer A Service A Networking Stack

    Business Logic Flow control Sidecar proxy Computer B Service B Networking Stack Business Logic Flow control Sidecar proxy Control plane
  23. Istio • An open platform to connect, monitor, and secure

    microservices • Introduced by Google, Lyft, IBM and others • Manages authentication, authorization, and encryption of communication between microservices • Logging, monitoring, and keeping services operational • Traffic management and policy control
  24. Envoy Proxy • Dynamic service discovery • Load balancing •

    TLS termination • HTTP/2 and gRPC proxies • Circuit breakers • Health checks • Staged rollouts with %-based traffic split • Fault injection • Rich metrics
  25. Istio - Tracing • Automatic tracing of request • Asynchronous

    span reporting • Multiple backends • Zipkin • Jaeger
  26. Istio Security - RBAC • Role based access control •

    Based on rules and for instance HTTP methods • ServiceRole (rule) • ServiceRoleBinding (assign role to set of nodes)
  27. Istio gives you: • Telemetry • Security • Mutual TLS

    • Role based access control • Resilience • Circuit-breaker • Retry • Advanced routing
  28. Overhead • Definitely not ‘free’, more parts in the system

    • Proxies are used for both inbound and outbound requests • A lot of effort going on to reduce overhead
  29. Debugging • Debugging Envoy and Pilot (configuration) • Networking Issues

    • TLS issues • Envoy bouncing requests • …
  30. Security • Many new parts of the system • Control

    plane components • Proxies • Envoys are everywhere • Role based access control
  31. Istio • Telemetry • Security • Circuit-breaker • Retry •

    Advanced routing What you (want to) get What you (don’t want to) get • Overhead • Debugging • Security complexity
  32. Do you want to configure, install and renew (mutual) TLS

    certificates across an entire set of applications?
  33. Do you want to intercept and re-route network flows for:

    A/B testing, traffic shedding or failure tolerance (circuit breaking)?
  34. Key take-aways from this talk • A service mesh is

    a dedicated infra layer for service communication • Understand the why of using a service mesh • Understand the operational complexity, but also the benefits e.g. transparently adds cross-cutting concerns to a microservices architecture • Think about where you want to solve specific problems